Documentation Library for System Center 2012 Configuration Manager

Microsoft Corporation Published: February 1, 2013

Copyright
This document is provided "as-is". Information and views expressed in this document, including URL and other Internet website references, may change without notice. Some examples depicted herein are provided for illustration only and are fictitious. No real association or connection is intended or should be inferred. This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes. You may modify this document for your internal, reference purposes. 2013 Microsoft Corporation. All rights reserved. Microsoft, Access, Active Directory, ActiveSync, ActiveX, Authenticode, Bing, BitLocker, Excel, Forefront, Hyper-V, Internet Explorer, JScript, Microsoft Press, MSDN, Outlook, SharePoint, Silverlight, SoftGrid, SQL Server, Visio, Visual Basic, Visual C++, Visual Studio, Win32, Windows, Windows Intune, Windows Mobile, Windows PowerShell, Windows Server, Windows Server System, and Windows Vista are trademarks of the Microsoft group of companies. All other trademarks are property of their respective owners.

Contents
System Center 2012 Configuration Manager ................................................................................ 21 Getting Started with System Center 2012 Configuration Manager ............................................ 23 Introduction to Configuration Manager ................................................................................... 23 Whats New in Configuration Manager ................................................................................... 37 Whats New in Configuration Manager SP1 ........................................................................... 72 Whats New in the Documentation for Configuration Manager .............................................. 87 Fundamentals of Configuration Manager ............................................................................. 111 Supported Configurations for Configuration Manager .......................................................... 122 Frequently Asked Questions for Configuration Manager...................................................... 193 Accessibility Features of Configuration Manager ................................................................. 224 Information and Support for Configuration Manager ............................................................ 227 Site Administration for System Center 2012 Configuration Manager ...................................... 230 Introduction to Site Administration in Configuration Manager .............................................. 230 Planning for Configuration Manager Sites and Hierarchy .................................................... 234 Supported Configurations for Configuration Manager .......................................................... 235 Interoperability between Different Versions of Configuration Manager ....................................... 306 Planning for Hardware Configurations for Configuration Manager ............................................. 311 PKI Certificate Requirements for Configuration Manager ........................................................... 315 Identify Your Network and Business Requirements to Plan a Configuration Manager Hierarchy .................................................................................................................................................. 339 Determine Whether to Migrate Configuration Manager 2007 Data to System Center 2012 Configuration Manager ............................................................................................................. 362 Determine Whether to Extend the Active Directory Schema for Configuration Manager ........... 363 Planning for Sites and Hierarchies in Configuration Manager .................................................... 368 Planning to Upgrade System Center 2012 Configuration Manager ............................................ 390 Planning for Publishing of Site Data to Active Directory Domain Services ................................. 401 Planning for Discovery in Configuration Manager ....................................................................... 402 Planning for Client Settings in Configuration Manager................................................................ 429 Planning for Site Systems in Configuration Manager .................................................................. 430 Planning for Cloud Services in Configuration Manager .............................................................. 454

Planning for Content Management in Configuration Manager .................................................... 456 Planning for Boundaries and Boundary Groups in Configuration Manager ................................ 474 Planning for Security in Configuration Manager .......................................................................... 477 Planning for Communications in Configuration Manager ............................................................ 491 Planning for Site Operations in Configuration Manager .............................................................. 530 Planning for High Availability with Configuration Manager .......................................................... 550 Example Scenarios for Planning a Simplified Hierarchy with Configuration Manager ................ 561 Configuring Sites and Hierarchies in Configuration Manager ..................................................... 570 Prepare the Windows Environment for Configuration Manager .................................................. 571 Install Sites and Create a Hierarchy for Configuration Manager ................................................. 579 Expand a Stand-Alone Primary Site into a Hierarchy with a Central Administration Site ........... 658 Upgrade Configuration Manager to a New Service Pack ............................................................ 659 Configure Sites and the Hierarchy in Configuration Manager ..................................................... 664 Configuring Security for Configuration Manager ......................................................................... 665 Configuring Discovery in Configuration Manager ........................................................................ 676 Configuring Sites to Publish to Active Directory Domain Services .............................................. 688 Configuring Settings for Client Management in Configuration Manager ..................................... 689 Configuring Distribution Point Groups in Configuration Manager ............................................... 699 Configuring Boundaries and Boundary Groups in Configuration Manager ................................. 701 Configuring Alerts in Configuration Manager .............................................................................. 706 Configuring Site Components in Configuration Manager ............................................................ 710 Install and Configure Site System Roles for Configuration Manager .......................................... 720 Configure Database Replicas for Management Points ............................................................... 736 Migrate Data from Configuration Manager 2007 to Configuration Manager ............................... 750 Operations and Maintenance for Site Administration in Configuration Manager ........................ 750 Manage Site and Hierarchy Configurations ................................................................................. 751

Configure the Status System for Configuration Manager ............................................................ 764 Configure Maintenance Tasks for Configuration Manager Sites ................................................. 768 Monitor Configuration Manager Sites and Hierarchy .................................................................. 769 Manage Cloud Services for Configuration Manager ................................................................... 780 Backup and Recovery in Configuration Manager ........................................................................ 785 Update System Center 2012 Configuration Manager ................................................................. 818 Reporting in Configuration Manager............................................................................................ 828 Introduction to Reporting in Configuration Manager.................................................................... 829 Planning for Reporting in Configuration Manager ....................................................................... 835 Prerequisites for Reporting in Configuration Manager ................................................................ 837 Best Practices for Reporting ........................................................................................................ 839 Configuring Reporting in Configuration Manager ........................................................................ 840 Operations and Maintenance for Reporting in Configuration Manager ....................................... 850 Creating Custom Report Models in SQL Server Reporting Services .......................................... 860 Security and Privacy for Reporting in Configuration Manager .................................................... 871 Technical Reference for Reporting in Configuration Manager .................................................... 872 Security and Privacy for Site Administration in Configuration Manager ...................................... 872 Technical Reference for Site Administration in Configuration Manager...................................... 893 Technical Reference for Site Communications in Configuration Manager.................................. 894 Technical Reference for Ports Used in Configuration Manager .................................................. 897 Technical Reference for Log Files in Configuration Manager ..................................................... 916 Technical Reference for Accounts Used in Configuration Manager ........................................... 962 Technical Reference for Cryptographic Controls Used in Configuration Manager ..................... 981 Technical Reference for Language Packs in Configuration Manager ......................................... 992 Technical Reference for Unicode and ASCII Support in Configuration Manager ....................... 997 Technical Reference for the Hierarchy Maintenance Tool (Preinst.exe) in Configuration Manager .................................................................................................................................................. 999

Technical Reference for the Prerequisite Checker in Configuration Manager .......................... 1004 Technical Reference for International Support in Configuration Manager ................................ 1030 Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority ........................................................................................ 1031 Migrating Hierarchies in System Center 2012 Configuration Manager ..................................... 1054 Introduction to Migration in System Center 2012 Configuration Manager ................................ 1055 Planning for Migration to System Center 2012 Configuration Manager .................................... 1061 Prerequisites for Migration in System Center 2012 Configuration Manager ............................. 1062 Administrator Checklists for Migration Planning in System Center 2012 Configuration Manager ................................................................................................................................................ 1066 Determine Whether to Migrate Configuration Manager 2007 to System Center 2012 Configuration Manager ................................................................................................................................. 1072 Planning a Source Hierarchy Strategy in System Center 2012 Configuration Manager ........... 1074 Planning a Migration Job Strategy in System Center 2012 Configuration Manager ................. 1078 Planning a Client Migration Strategy in System Center 2012 Configuration Manager ............. 1087 Planning a Content Deployment Migration Strategy in System Center 2012 Configuration Manager ................................................................................................................................. 1090 Planning for the Migration of Configuration Manager Objects to System Center 2012 Configuration Manager ........................................................................................................... 1099 Planning to Monitor Migration Activity in System Center 2012 Configuration Manager ............ 1108 Planning to Complete Migration in System Center 2012 Configuration Manager ..................... 1108 Configuring Source Hierarchies and Source Sites for Migration to System Center 2012 Configuration Manager ........................................................................................................... 1110 Operations for Migrating to System Center 2012 Configuration Manager ................................ 1113 Security and Privacy for Migration to System Center 2012 Configuration Manager ................. 1118 Deploying Clients for System Center 2012 Configuration Manager .......................................... 1120 Introduction to Client Deployment in Configuration Manager .................................................... 1121 Planning for Client Deployment in Configuration Manager ....................................................... 1138 Prerequisites for Windows Client Deployment in Configuration Manager................................. 1138

Best Practices for Client Deployment in Configuration Manager .............................................. 1149 Determine How to Manage Mobile Devices in Configuration Manager ..................................... 1152 Planning for Client Deployment for Linux and UNIX Servers .................................................... 1158 Determine the Site System Roles for Client Deployment in Configuration Manager ................ 1165 Determine the Client Installation Method to Use for Windows Computers in Configuration Manager ................................................................................................................................. 1168 Determine Whether to Block Clients in Configuration Manager ................................................ 1172 Configuring Client Deployment in Configuration Manager ........................................................ 1175 How to Configure Client Communication Port Numbers in Configuration Manager ................. 1175 How to Configure Client Computers to Find Management Points by using DNS Publishing in Configuration Manager ........................................................................................................... 1177 How to Prevent the Client Software from Installing on Specific Computers in Configuration Manager ................................................................................................................................. 1179 How to Configure Client Settings in Configuration Manager ..................................................... 1181 How to Install Clients on Windows-Based Computers in Configuration Manager .................... 1183 How to Assign Clients to a Site in Configuration Manager ........................................................ 1201 How to Install Clients on Mac Computers in Configuration Manager ........................................ 1208 How to Install Clients on Linux and UNIX Computers in Configuration Manager ..................... 1223 How to Install Clients on Mobile Devices and Enroll Them by Using Configuration Manager .. 1231 How to Configure Client Status in Configuration Manager ........................................................ 1240 Operations and Maintenance for Client Deployment in Configuration Manager ....................... 1242 How to Manage Mobile Devices by Using the Exchange Server Connector in Configuration Manager ................................................................................................................................. 1243 How to Manage Mobile Devices by Using the Windows Intune Connector in Configuration Manager ................................................................................................................................. 1246 How to Manage Clients in Configuration Manager .................................................................... 1271 How to Monitor Clients in Configuration Manager ..................................................................... 1285 How to Manage Linux and UNIX Clients in Configuration Manager ......................................... 1287

How to Monitor Linux and UNIX Clients in Configuration Manager .......................................... 1290 Security and Privacy for Clients in Configuration Manager ....................................................... 1291 Technical Reference for Client Deployment in Configuration Manager .................................... 1304 About Client Settings in Configuration Manager ....................................................................... 1305 About Client Installation Properties in Configuration Manager .................................................. 1337 About Client Installation Properties Published to Active Directory Domain Services in Configuration Manager ........................................................................................................... 1356 Administrator Checklist: Deploying Clients in Configuration Manager ...................................... 1359 Windows Firewall and Port Settings for Client Computers in Configuration Manager .............. 1361 Example Scenario for Deploying and Managing Configuration Manager Clients on Windows Embedded Devices ................................................................................................................ 1369 Technical Reference for the Configuration Manager Client for Linux and UNIX ....................... 1377 Administrator Checklist: Configuring Configuration Manager to Manage Mobile Devices by Using Windows Intune ...................................................................................................................... 1379 Deploying Software and Operating Systems in System Center 2012 Configuration Manager . 1381 Content Management in Configuration Manager ...................................................................... 1382 Introduction to Content Management in Configuration Manager .............................................. 1382 Planning for Content Management in Configuration Manager .................................................. 1389 Prerequisites for Content Management in Configuration Manager ........................................... 1407 Best Practices for Content Management in Configuration Manager ......................................... 1409 Configuring Content Management in Configuration Manager ................................................... 1410 Operations and Maintenance for Content Management in Configuration Manager .................. 1427 How to Prestage Content to Distribution Points Located on a Site Server ............................... 1443 Security and Privacy for Content Management in Configuration Manager ............................... 1444 Technical Reference for Content Management in Configuration Manager ............................... 1448 Application Management in Configuration Manager ................................................................. 1449 Introduction to Application Management in Configuration Manager ......................................... 1449

Planning for Application Management in Configuration Manager ............................................. 1462 Prerequisites for Application Management in Configuration Manager ...................................... 1463 Best Practices for Application Management in Configuration Manager .................................... 1468 Planning to Deploy Windows 8 Apps in Configuration Manager ............................................... 1470 Planning for App-V Integration with Configuration Manager ..................................................... 1475 Configuring the Application Catalog and Software Center in Configuration Manager .............. 1485 Operations and Maintenance for Application Management in Configuration Manager ............. 1492 How to Create Applications in Configuration Manager.............................................................. 1493 How to Create Deployment Types in Configuration Manager ................................................... 1500 How to Create and Deploy Applications for Mac Computers in Configuration Manager .......... 1514 How to Deploy Applications in Configuration Manager ............................................................. 1521 How to Simulate an Application Deployment in Configuration Manager ................................... 1525 How to Manage Applications and Deployment Types in Configuration Manager ..................... 1526 How to Manage Application Revisions in Configuration Manager ............................................ 1531 How to Use Application Supersedence in Configuration Manager ........................................... 1532 How to Uninstall Applications in Configuration Manager .......................................................... 1533 How to Monitor Applications in Configuration Manager ............................................................ 1535 How to Manage User Device Affinity in Configuration Manager ............................................... 1537 How to Create Global Conditions in Configuration Manager .................................................... 1542 How to Create App-V Virtual Environments in Configuration Manager..................................... 1550 Packages and Programs in Configuration Manager.................................................................. 1551 How to Create Packages and Programs in Configuration Manager ......................................... 1553 How to Deploy Packages and Programs in Configuration Manager ......................................... 1562 How to Monitor Packages and Programs in Configuration Manager ........................................ 1565 How to Manage Packages and Programs in Configuration Manager ....................................... 1565 Deploying Software to Linux and UNIX Servers in Configuration Manager .............................. 1567

Security and Privacy for Application Management in Configuration Manager .......................... 1574 Technical Reference for Application Management in Configuration Manager .......................... 1581 Example Scenario for Managing Applications by Using Configuration Manager ...................... 1582 Software Updates in Configuration Manager ............................................................................ 1591 Introduction to Software Updates in Configuration Manager .................................................... 1592 Planning for Software Updates in Configuration Manager ........................................................ 1609 Prerequisites for Software Updates in Configuration Manager ................................................. 1627 Best Practices for Software Updates in Configuration Manager ............................................... 1632 Configuring Software Updates in Configuration Manager ......................................................... 1634 How to Configure a Software Update Point to Use Network Load Balancing (NLB) Cluster .... 1656 How to Determine the Port Settings Used by WSUS ................................................................ 1662 How to Enable CRL Checking for Software Updates ................................................................ 1663 Operations and Maintenance for Software Updates in Configuration Manager ........................ 1664 Security and Privacy for Software Updates in Configuration Manager ..................................... 1695 Technical Reference for Software Updates in Configuration Manager ..................................... 1700 Technical Reference for the Icons Used for Software Updates ................................................ 1700 Example Scenario for Using Configuration Manager to Deploy and Monitor the Security Software Updates Released Monthly by Microsoft ............................................................................... 1704 Operating System Deployment in Configuration Manager ........................................................ 1709 Introduction to Operating System Deployment in Configuration Manager ................................ 1710 Planning How to Deploy Operating Systems in Configuration Manager ................................... 1720 Prerequisites For Deploying Operating Systems in Configuration Manager ............................. 1721 Supported Operating Systems and Hard Disk Configurations for Operating System Deployment ................................................................................................................................................ 1729 Determine the Operating System Deployment Method to Use in Configuration Manager ........ 1730 Planning Site System Roles for Operating System Deployments in Configuration Manager ... 1734 Planning for Deploying Operating System Images in Configuration Manager .......................... 1737

Planning for Capturing Operating System Images in Configuration Manager .......................... 1740 Planning for Boot Image Deployments in Configuration Manager ............................................ 1746 Planning a Device Driver Strategy in Configuration Manager ................................................... 1748 Planning for PXE-Initiated Operating System Deployments in Configuration Manager ............ 1751 Planning a Multicast Strategy in Configuration Manager .......................................................... 1753 Planning for Media Operating System Deployments in Configuration Manager ....................... 1756 Planning a Task Sequences Strategy in Configuration Manager .............................................. 1759 Planning for Operating System Deployments in a NAP-Enabled Environment ........................ 1773 Planning for Operating System Deployment Interoperability .................................................... 1775 Configuring Configuration Manager for Operating System Deployments ................................. 1777 How to Manage Operating System Images and Installers in Configuration Manager .............. 1778 How to Manage Boot Images in Configuration Manager .......................................................... 1782 How to Manage the Driver Catalog in Configuration Manager .................................................. 1789 How to Manage Task Sequences in Configuration Manager .................................................... 1797 How to Manage the User State in Configuration Manager ........................................................ 1817 How to Manage Unknown Computer Deployments in Configuration Manager ......................... 1824 How to Associate Users with a Destination Computer .............................................................. 1826 How to Manage Multicast in Configuration Manager ................................................................. 1829 Operations and Maintenance for Deploying Operating Systems in Configuration Manager .... 1831 How to Deploy Operating Systems in Configuration Manager .................................................. 1832 How to Deploy Operating Systems by Using Media in Configuration Manager ........................ 1837 How to Deploy Operating Systems by Using PXE in Configuration Manager .......................... 1848 How to Deploy Operating Systems to Offline Computers in Configuration Manager................ 1852 Security and Privacy for Deploying Operating Systems in Configuration Manager .................. 1853 Technical Reference for Deploying Operating Systems in Configuration Manager .................. 1860 Example Scenario for PXE-Initiated Operating System Deployment by Using Configuration Manager ................................................................................................................................. 1861

Task Sequence Variables in Configuration Manager ................................................................ 1864 Task Sequence Action Variables in Configuration Manager ..................................................... 1865 Task Sequence Built-in Variables in Configuration Manager .................................................... 1891 Task Sequence Steps in Configuration Manager ...................................................................... 1900 Task Sequence Scenarios in Configuration Manager ............................................................... 1944 How to Provision Windows To Go in Configuration Manager ................................................... 1955 Prestart Commands for Task Sequence Media in Configuration Manager ............................... 1969 How to Create a PXE-Initiated Windows 8 Deployment for UEFI-Based or BIOS-Based Computers in Configuration Manager .................................................................................... 1971 Assets and Compliance in System Center 2012 Configuration Manager ................................. 1989 Collections in Configuration Manager ....................................................................................... 1989 Introduction to Collections in Configuration Manager................................................................ 1990 Planning for Collections in Configuration Manager ................................................................... 1995 Prerequisites for Collections in Configuration Manager ............................................................ 1995 Best Practices for Collections in Configuration Manager .......................................................... 1996 Operations and Maintenance for Collections in Configuration Manager ................................... 1997 How to Create Collections in Configuration Manager ............................................................... 1997 How to Manage Collections in Configuration Manager ............................................................. 2005 How to Use Maintenance Windows in Configuration Manager ................................................. 2013 Security and Privacy for Collections in Configuration Manager ................................................ 2015 Technical Reference for Collections in Configuration Manager ................................................ 2016 Queries in Configuration Manager............................................................................................. 2016 Introduction to Queries in Configuration Manager ..................................................................... 2017 Operations and Maintenance for Queries in Configuration Manager ........................................ 2018 How to Create Queries in Configuration Manager .................................................................... 2018 How to Manage Queries in Configuration Manager .................................................................. 2023 Security and Privacy for Queries in Configuration Manager ..................................................... 2024

Technical Reference for Queries in Configuration Manager ..................................................... 2025 Inventory in Configuration Manager .......................................................................................... 2025 Hardware Inventory in Configuration Manager .......................................................................... 2026 Introduction to Hardware Inventory in Configuration Manager .................................................. 2027 Planning for Hardware Inventory in Configuration Manager ..................................................... 2029 Prerequisites for Hardware Inventory in Configuration Manager .............................................. 2029 Best Practices for Hardware Inventory in Configuration Manager ............................................ 2030 Configuring Hardware Inventory in Configuration Manager ...................................................... 2030 How to Configure Hardware Inventory in Configuration Manager ............................................. 2031 How to Extend Hardware Inventory in Configuration Manager ................................................. 2032 Operations and Maintenance for Hardware Inventory in Configuration Manager ..................... 2037 How to Use Resource Explorer to View Hardware Inventory in Configuration Manager .......... 2037 Hardware Inventory for Linux and UNIX in Configuration Manager .......................................... 2039 Security and Privacy for Hardware Inventory in Configuration Manager .................................. 2041 Technical Reference for Hardware Inventory in Configuration Manager .................................. 2043 Software Inventory in Configuration Manager ........................................................................... 2043 Introduction to Software Inventory in Configuration Manager ................................................... 2043 Planning for Software Inventory in Configuration Manager ....................................................... 2045 Prerequisites for Software Inventory ......................................................................................... 2045 Configuring Software Inventory in Configuration Manager........................................................ 2046 How to Configure Software Inventory in Configuration Manager .............................................. 2046 How to Exclude Folders from Software Inventory in Configuration Manager............................ 2047 Operations and Maintenance for Software Inventory in Configuration Manager ...................... 2047 How to Use Resource Explorer to View Software Inventory in Configuration Manager ........... 2048 Security and Privacy for Software Inventory in Configuration Manager .................................... 2049 Technical Reference for Software Inventory in Configuration Manager.................................... 2051

Asset Intelligence in Configuration Manager ............................................................................. 2051 Introduction to Asset Intelligence in Configuration Manager ..................................................... 2051 Prerequisites for Asset Intelligence in Configuration Manager ................................................. 2063 Configuring Asset Intelligence in Configuration Manager ......................................................... 2067 Operations for Asset Intelligence in Configuration Manager ..................................................... 2078 Security and Privacy for Asset Intelligence in Configuration Manager ...................................... 2088 Technical Reference for Asset Intelligence in Configuration Manager ..................................... 2090 Example Validation State Transitions for Asset Intelligence ..................................................... 2090 Example Asset Intelligence General License Import File .......................................................... 2094 Power Management in Configuration Manager ......................................................................... 2096 Introduction to Power Management in Configuration Manager ................................................. 2097 Planning for Power Management in Configuration Manager .................................................... 2098 Prerequisites for Power Management in Configuration Manager ............................................. 2099 Best Practices for Power Management in Configuration Manager ........................................... 2100 Administrator Checklist for Power Management in Configuration Manager ............................. 2102 Configuring Power Management in Configuration Manager ..................................................... 2107 Operations and Maintenance for Power Management in Configuration Manager .................... 2109 How to Monitor and Plan for Power Management in Configuration Manager ........................... 2109 How to Create and Apply Power Plans in Configuration Manager ............................................ 2137 Security and Privacy for Power Management in Configuration Manager.................................. 2144 Technical Reference for Power Management in Configuration Manager ................................. 2145 Remote Control in Configuration Manager ................................................................................ 2145 Introduction to Remote Control in Configuration Manager ........................................................ 2146 Planning for Remote Control in Configuration Manager ........................................................... 2147 Prerequisites for Remote Control in Configuration Manager .................................................... 2148 Configuring Remote Control in Configuration Manager ............................................................ 2150

Operations and Maintenance for Remote Control in Configuration Manager ........................... 2152 How to Remotely Administer a Client Computer by Using Configuration Manager .................. 2152 How to Audit Remote Control Usage in Configuration Manager ............................................... 2154 Security and Privacy for Remote Control in Configuration Manager ......................................... 2155 Technical Reference for Remote Control in Configuration Manager ........................................ 2158 Keyboard Shortcuts for the Remote Control Viewer in Configuration Manager ........................ 2159 Software Metering in Configuration Manager ............................................................................ 2159 Introduction to Software Metering in Configuration Manager .................................................... 2160 Planning for Software Metering in Configuration Manager........................................................ 2161 Prerequisites for Software Metering in Configuration Manager ................................................ 2161 Configuring Software Metering in Configuration Manager ........................................................ 2162 How to Configure Software Metering in Configuration Manager ............................................... 2162 Operations and Maintenance for Software Metering in Configuration Manager ....................... 2163 How to Create Software Metering Rules in Configuration Manager ......................................... 2164 How to Configure Automatic Software Metering Rule Generation in Configuration Manager .. 2165 How to Manage Software Metering Rules in Configuration Manager ....................................... 2166 How to Monitor Software Metering in Configuration Manager .................................................. 2167 Security and Privacy for Software Metering in Configuration Manager..................................... 2168 Technical Reference for Software Metering in Configuration Manager .................................... 2169 Example Scenario for Software Metering in Configuration Manager ........................................ 2169 Maintenance Tasks for Software Metering in Configuration Manager ...................................... 2171 Out of Band Management in Configuration Manager ................................................................ 2173 Introduction to Out of Band Management in Configuration Manager ........................................ 2174 Planning for Out of Band Management in Configuration Manager ........................................... 2179 Prerequisites for Out of Band Management in Configuration Manager .................................... 2180 Best Practices for Out of Band Management in Configuration Manager .................................. 2186

Determine Whether to Use a Customized Firmware Image From Your Computer Manufacturer ................................................................................................................................................ 2188 Configuring Out of Band Management in Configuration Manager ............................................ 2189 Administrator Checklist: Out of Band Management in Configuration Manager ......................... 2189 How to Provision and Configure AMT-Based Computers in Configuration Manager ............... 2190 How to Manage AMT Provisioning Information in Configuration Manager ............................... 2202 Operations and Maintenance for Out of Band Management in Configuration Manager ........... 2205 How to Manage AMT-based Computers Out of Band in Configuration Manager ..................... 2206 How to Manage the Audit Log for AMT-Based Computers in Configuration Manager ............. 2213 How to Monitor Out of Band Management in Configuration Manager ...................................... 2215 Security and Privacy for Out of Band Management in Configuration Manager ........................ 2217 Technical Reference for Out of Band Management in Configuration Manager ........................ 2224 About the AMT Status and Out of Band Management in Configuration Manager .................... 2224 Example Scenario for Implementing Out of Band Management in Configuration Manager ..... 2227 Example Scenarios for Using Out of Band Management in Configuration Manager ................ 2234 AMT Provisioning Process for Out of Band Management in Configuration Manager ............... 2241 Compliance Settings in Configuration Manager ........................................................................ 2243 Introduction to Compliance Settings in Configuration Manager ................................................ 2244 Planning for Compliance Settings in Configuration Manager .................................................... 2248 Prerequisites for Compliance Settings in Configuration Manager ............................................. 2248 Configuring Compliance Settings in Configuration Manager .................................................... 2250 Operations and Maintenance for Compliance Settings in Configuration Manager ................... 2251 How to Create Windows Configuration Items for Compliance Settings in Configuration Manager ................................................................................................................................................ 2252 How to Create Mobile Device Configuration Items for Compliance Settings in Configuration Manager ................................................................................................................................. 2270 How to Create Mac Computer Configuration Items in Configuration Manager ......................... 2271

How to Create Configuration Baselines for Compliance Settings in Configuration Manager ... 2278 How to Create Child Configuration Items in Configuration Manager ........................................ 2280 How to Deploy Configuration Baselines in Configuration Manager .......................................... 2281 How to Manage Configuration Baselines for Compliance Settings in Configuration Manager . 2282 How to Manage Configuration Items for Compliance Settings in Configuration Manager ........ 2284 How to Monitor for Compliance Settings in Configuration Manager ......................................... 2286 How to Import Configuration Data in Configuration Manager ................................................... 2290 How to Create User Data and Profiles Configuration Items in Configuration Manager ............ 2291 Security and Privacy for Compliance Settings in Configuration Manager ................................. 2295 Technical Reference for Compliance Settings in Configuration Manager................................. 2296 Example Scenario for Compliance Settings in Configuration Manager .................................... 2297 Example Scenario for User Data and Profiles Management in Configuration Manager ........... 2302 Endpoint Protection in Configuration Manager .......................................................................... 2307 Introduction to Endpoint Protection in Configuration Manager .................................................. 2307 Planning for Endpoint Protection in Configuration Manager ..................................................... 2312 Prerequisites for Endpoint Protection in Configuration Manager .............................................. 2313 Best Practices for Endpoint Protection in Configuration Manager ............................................ 2316 Administrator Workflow for Endpoint Protection in Configuration Manager .............................. 2317 Configuring Endpoint Protection in Configuration Manager ...................................................... 2318 How to Configure Endpoint Protection in Configuration Manager ............................................. 2318 How to Configure Alerts for Endpoint Protection in Configuration Manager ............................. 2323 How to Configure Definition Updates for Endpoint Protection in Configuration Manager ......... 2327 Operations and Maintenance for Endpoint Protection in Configuration Manager ..................... 2333 How to Create and Deploy Antimalware Policies for Endpoint Protection in Configuration Manager ................................................................................................................................................ 2334 How to Create and Deploy Windows Firewall Policies for Endpoint Protection in Configuration Manager ................................................................................................................................. 2340

How to Manage Antimalware Policies and Firewall Settings for Endpoint Protection in Configuration Manager ........................................................................................................... 2342 How to Monitor Endpoint Protection in Configuration Manager ................................................ 2346 Security and Privacy for Endpoint Protection in Configuration Manager .................................. 2349 Technical Reference for Endpoint Protection in Configuration Manager .................................. 2351 Example Scenario for Protecting Computers From Malware by Configuring Endpoint Protection in Configuration Manager ........................................................................................................... 2351 Security and Privacy for System Center 2012 Configuration Manager ..................................... 2357 Planning for Security in Configuration Manager ........................................................................ 2358 Configuring Security for Configuration Manager ....................................................................... 2372 Microsoft System Center 2012 Configuration Manager Privacy Statement .............................. 2383 Microsoft System Center 2012 Configuration Manager Privacy Statement - Mobile Device Addendum .............................................................................................................................. 2398 Security Best Practices and Privacy Information for Configuration Manager ........................... 2398 Security and Privacy for Site Administration in Configuration Manager .................................... 2399 Security and Privacy for Reporting in Configuration Manager .................................................. 2420 Security and Privacy for Migration to System Center 2012 Configuration Manager ................. 2421 Security and Privacy for Clients in Configuration Manager ....................................................... 2422 Security and Privacy for Content Management in Configuration Manager ............................... 2435 Security and Privacy for Application Management in Configuration Manager .......................... 2440 Security and Privacy for Software Updates in Configuration Manager ..................................... 2447 Security and Privacy for Deploying Operating Systems in Configuration Manager .................. 2452 Security and Privacy for Collections in Configuration Manager ................................................ 2460 Security and Privacy for Queries in Configuration Manager ..................................................... 2461 Security and Privacy for Hardware Inventory in Configuration Manager .................................. 2461 Security and Privacy for Software Inventory in Configuration Manager .................................... 2463 Security and Privacy for Asset Intelligence in Configuration Manager ...................................... 2465

Security and Privacy for Power Management in Configuration Manager.................................. 2467 Security and Privacy for Remote Control in Configuration Manager ......................................... 2468 Security and Privacy for Software Metering in Configuration Manager..................................... 2471 Security and Privacy for Out of Band Management in Configuration Manager ........................ 2472 Security and Privacy for Compliance Settings in Configuration Manager ................................. 2479 Security and Privacy for Endpoint Protection in Configuration Manager .................................. 2480 Technical Reference for Cryptographic Controls Used in Configuration Manager ................... 2483 Technical Reference for Ports Used in Configuration Manager ................................................ 2494 Technical Reference for Accounts Used in Configuration Manager ......................................... 2513 Scenarios and Solutions Using System Center 2012 Configuration Manager .......................... 2531 Example Scenarios for Planning a Simplified Hierarchy with Configuration Manager .............. 2532 Example Scenario for Deploying and Managing Configuration Manager Clients on Windows Embedded Devices ................................................................................................................ 2541 How to Manage Mobile Devices by Using the Windows Intune Connector in Configuration Manager ................................................................................................................................. 2550 Example Scenario for Managing Applications by Using Configuration Manager ...................... 2574 Example Scenario for Using Configuration Manager to Deploy and Monitor the Security Software Updates Released Monthly by Microsoft ............................................................................... 2584 Example Scenario for PXE-Initiated Operating System Deployment by Using Configuration Manager ................................................................................................................................. 2590 How to Provision Windows To Go in Configuration Manager ................................................... 2593 How to Create a PXE-Initiated Windows 8 Deployment for UEFI-Based or BIOS-Based Computers in Configuration Manager .................................................................................... 2607 Example Scenario for Software Metering in Configuration Manager ........................................ 2625 Example Scenario for Implementing Out of Band Management in Configuration Manager ..... 2627 Example Scenarios for Using Out of Band Management in Configuration Manager ................ 2634 Example Scenario for Compliance Settings in Configuration Manager .................................... 2641 Example Scenario for User Data and Profiles Management in Configuration Manager ........... 2646

Example Scenario for Protecting Computers From Malware by Configuring Endpoint Protection in Configuration Manager ........................................................................................................... 2651 Glossary for Microsoft System Center 2012 Configuration Manager ........................................ 2656

System Center 2012 Configuration Manager

Updated: February 1, 2013 Welcome to Microsoft System Center 2012 Configuration Manager. Use Configuration Manager to provide more effective IT services by enabling secure and scalable software deployment, compliance settings management, and comprehensive asset management of servers, desktops, and mobile devices. For in-depth information about how System Center 2012 Configuration Manager can help you manage your IT infrastructure, see the following guides: Getting Started with System Center 2012 Configuration Manager Site Administration for System Center 2012 Configuration Manager Migrating Hierarchies in System Center 2012 Configuration Manager Deploying Clients for System Center 2012 Configuration Manager Deploying Software and Operating Systems in System Center 2012 Configuration Manager Assets and Compliance in System Center 2012 Configuration Manager Security and Privacy for System Center 2012 Configuration Manager Scenarios and Solutions Using System Center 2012 Configuration Manager

Release Notes
The release notes are published online. See the Release Notes for System Center 2012 Configuration Manager on TechNet.

Search the Configuration Manager Documentation Library

Find information online from the Documentation Library for System Center 2012 Configuration Manager. This customized Bing search query scopes your search so that you see results from the Documentation Library for System Center 2012 Configuration Manager only. It uses the search
21

text Configuration Manager, which you can replace in the search bar with your own search string or strings, and choice of search operators, to help you narrow the search results.

Example Searches
Use the Find information online link and customize the search by using the following examples. Single search string: To search for topics that contain the search string Endpoint Protection, replace Configuration Manager with Endpoint Protection: ("Endpoint Protection") site:technet.microsoft.com/enus/library meta:search.MSCategory(gg682056) Combining search strings: To search for topics that contain the search strings Endpoint Protection and monitoring, use the AND operator: ("Endpoint Protection") AND ("monitoring") site:technet.microsoft.com/en-us/library meta:search.MSCategory(gg682056) Alternative search strings: To search for topics that contain the search string Endpoint Protection or monitoring, use the OR operator: ("Endpoint Protection" OR "monitoring") site:technet.microsoft.com/en-us/library meta:search.MSCategory(gg682056) Exclude search strings: To search for topics that contain the search string Endpoint Protection and exclude topics about monitoring, use the NOT operator: ("Endpoint Protection)" NOT ("monitoring") site:technet.microsoft.com/en-us/library meta:search.MSCategory(gg682056)

Search Tips
Use the following search tips to help you find the information that you need: When you search on a page in TechNet or in the help file (for example, press Ctrl-F1, and enter search terms in the Find box), the results exclude text that is in collapsed sections. To search for text in collapsed sections, expand the sections before you search on the page. Whenever possible, use the TechNet online library rather than downloaded documentation. TechNet contains the most up-to-date information and the information that you are searching for might not be in the downloaded documentation or there might be corrections or additional information online. If you find it easier and faster to search documentation when it is stored locally, you can select multiple topics on TechNet and save them locally. For more information, see the following instructions on the TechNet wiki: How to Build Your Own Custom TechNet Documentation.

22

Copyright Information
This document is provided "as-is". Information and views expressed in this document, including URL and other Internet website references, may change without notice. This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes. You may modify this document for your internal, reference purposes. 2013 Microsoft Corporation. All rights reserved. Microsoft, Access, Active Directory, ActiveSync, ActiveX, Authenticode, Bing, BitLocker, Excel, Forefront, Hyper-V, Internet Explorer, JScript, Microsoft Press, MSDN, Outlook, SharePoint, Silverlight, SoftGrid, SQL Server, Visio, Visual Basic, Visual C++, Visual Studio, Win32, Windows, Windows Intune, Windows Mobile, Windows PowerShell, Windows Server, Windows Server System, and Windows Vista are trademarks of the Microsoft group of companies. All other trademarks are property of their respective owners.

Getting Started with System Center 2012 Configuration Manager

Getting Started Topics
Use the following topics to help you get started with Microsoft System Center 2012 Configuration Manager: Introduction to Configuration Manager Whats New in Configuration Manager Whats New in Configuration Manager SP1 Whats New in the Documentation for Configuration Manager Fundamentals of Configuration Manager Frequently Asked Questions for Configuration Manager Supported Configurations for Configuration Manager Accessibility Features of Configuration Manager Information and Support for Configuration Manager

Other Resources for this Product

TechNet Library main page for System Center 2012 Configuration Manager Documentation Library for System Center 2012 Configuration Manager

Introduction to Configuration Manager

A member of the Microsoft System Center suite of management solutions, System Center 2012 Configuration Manager increases IT productivity and efficiency by reducing manual tasks and
23

letting you focus on high-value projects, maximize hardware and software investments, and empower end-user productivity by providing the right software at the right time. Configuration Manager helps you deliver more effective IT services by enabling secure and scalable software deployment, compliance settings management, and comprehensive asset management of servers, desktops, laptops, and mobile devices. Configuration Manager extends and works alongside your existing Microsoft technologies and solutions. For example: Configuration Manager uses Active Directory Domain Services for security, service location, configuration, and to discover the users and devices that you want to manage. Configuration Manager uses Microsoft SQL Server as a distributed change management database and integrates with SQL Server Reporting Services (SSRS) to produce reports to monitor and track the management activities. Many of the Configuration Manager site system roles that provide management functionality use the web services of Internet Information Services (IIS). Background Intelligent Transfer Service (BITS) and BranchCache can be used to help manage the available network bandwidth.

In addition, Configuration Manager can integrate with Windows Server Update Services (WSUS), Network Access Protection (NAP), Certificate Services, Exchange Server and Exchange Online, Group Policy, the DNS Server role, Windows Automated Installation Kit (Windows AIK) and the User State Migration Tool (USMT), Windows Deployment Services (WDS), and Remote Desktop and Remote Assistance. To be successful with Configuration Manager, you must first thoroughly plan and test the management features before you use Configuration Manager in a production environment. As a powerful management application, Configuration Manager can potentially affect every computer in your organization. When you deploy and manage Configuration Manager with careful planning and consideration of your business requirements, Configuration Manager can reduce your administrative overhead and total cost of ownership. Use the following sections to learn more about Configuration Manager: Configuration Manager Management Capabilities The Configuration Manager Console The Application Catalog and Software Center Configuration Manager Properties (Client) Example Scenario: Empower Users by Ensuring Access to Applications from Any Device Example Scenario: Unify Compliance Management for Devices Example Scenario: Simplify Client Management for Devices Example Scenarios for Configuration Manager

Next Steps

24

Configuration Manager Management Capabilities

The following table provides details about the primary management capabilities of Configuration Manager. Each capability has its own prerequisites, and the capabilities that you want to use might influence the design and implementation of your Configuration Manager hierarchy. For example, if you want to deploy software to devices in your hierarchy, you must install the distribution point site system role.
Management capability Description More information

Application management

Provides a set of tools and resources that can help you create, manage, deploy, and monitor applications in the enterprise. Provides a set of tools and resources that can help you to assess, track, and remediate the configuration compliance of client devices in the enterprise. Provides security, antimalware, and Windows Firewall management for computers in your enterprise. Provides a set of tools to help identify and monitor assets: Hardware inventory: Collects detailed information about the hardware of devices in your enterprise. Software inventory: Collects and reports information about the files that are stored on client computers in your organization. Asset Intelligence: Provides tools to collect inventory data and to monitor software license usage in your enterprise.

Introduction to Application Management in Configuration Manager

Compliance settings

Introduction to Compliance Settings in Configuration Manager

Endpoint Protection

Introduction to Endpoint Protection in Configuration Manager

Inventory

See the following documentation: Introduction to Hardware Inventory in Configuration Manager Introduction to Software Inventory in Configuration Manager Introduction to Asset Intelligence in Configuration Manager

25

Management capability

Description

More information

Operating system deployment

Provides a tool to create operating system images. You can then use these images to deploy them to computers that are managed by Configuration Manager and to unmanaged computers, by using PXE boot or bootable media such as a CD set, DVD, or USB flash drives. Integrates with Intel Active Management Technology (Intel AMT), which lets you manage desktop and laptop computers independently from the Configuration Manager client or the computer operating system. Provides a set of tools and resources that you can use to manage and monitor the power consumption of client computers in the enterprise. Provides a tool to retrieve information about resources in your hierarchy and information about inventory data and status messages. You can then use this information for reporting or for defining collections of devices or users for software deployment and configuration settings. Provides tools to remotely administer client computers from the Configuration Manager console. Provides a set of tools and resources that help you use

Introduction to Operating System Deployment in Configuration Manager

Out of band management

Introduction to Out of Band Management in Configuration Manager

Power management

Introduction to Power Management in Configuration Manager

Queries

Introduction to Queries in Configuration Manager

Remote control

Introduction to Remote Control in Configuration Manager

Reporting

Introduction to Reporting in Configuration Manager

26

Management capability

Description

More information

the advanced reporting capabilities of SQL Server Reporting Services from the Configuration Manager console. Software metering Provides tools to monitor and collect software usage data from Configuration Manager clients. Provides a set of tools and resources that can help you manage, deploy, and monitor software updates in the enterprise. Introduction to Software Metering in Configuration Manager

Software updates

Introduction to Software Updates in Configuration Manager

For more information about how to plan and install Configuration Manager to support these management capabilities in your environment, see Introduction to Site Administration in Configuration Manager.

The Configuration Manager Console

After you install Configuration Manager, use the Configuration Manager console to configure sites and clients, and to run and monitor management tasks. This console is the main point of administration and lets you manage multiple sites. You can use the console to run secondary consoles to support specific client management tasks, such as the following: Resource Explorer, to view hardware and software inventory information. Remote control, to remotely connect to a client computer to perform troubleshooting tasks. Out of band management, to connect to the AMT management controller on Intel AMT-based computers and perform power management operations or troubleshooting tasks.

You can install the Configuration Manager console on additional server computers and workstations, and restrict access and limit what administrative users can see in the console by using Configuration Manager role-based administration. For more information, see the Install a Configuration Manager Console section in the Install Sites and Create a Hierarchy for Configuration Manager topic.

The Application Catalog and Software Center

The Configuration Manager Application Catalog is a website where users can browse for and request software. To use the Application Catalog, you must install the Application Catalog web service point and the Application Catalog website point for the site.
27

Software Center is an application that is installed when the Configuration Manager client is installed on Windows-based computers. Users run this application to request software and manage the software that is deployed to them by using Configuration Manager. Software Center lets users do the following: Browse for and install software from the Application Catalog. View their software request history. Configure when Configuration Manager can install software on their devices. Configure access settings for remote control, if an administrative user enabled remote control.

For more information about the Application Catalog and Software Center, see the Deploying Applications in Configuration Manager section in the Introduction to Application Management in Configuration Manager topic. Configuration Manager Properties (Client) When the Configuration Manager client is installed on Windows computers, Configuration Manager is installed in Control Panel. Typically, you do not have to configure this application because the client configuration is performed in the Configuration Manager console. This application helps administrative users and the help desk troubleshoot problems with individual clients. For more information about client deployment, see Introduction to Client Deployment in Configuration Manager

Example Scenarios for Configuration Manager

The following example scenarios demonstrate how a company named Trey Research uses System Center 2012 Configuration Manager to empower users to be more productive, unify their compliance management for devices for a more streamlined administration experience, and simplify device management to reduce IT operating costs. In all scenarios, Adam is the main administrator for Configuration Manager. Example Scenario: Empower Users by Ensuring Access to Applications from Any Device Trey Research wants to ensure that employees have access to the applications that they require and as efficiently as possible. Adam maps these company requirements to the following scenarios:
Requirement Current client management state Future client management state

New employees can work efficiently from day one.

When employees join the company, they have to wait for applications to be installed after they first log on. When employees require

When employees join the company, they log on and their applications are installed and are ready to be used. When employees require
28

Employees can quickly and

Requirement

Current client management state

Future client management state

easily request additional software that they need.

additional applications, they file a ticket with the help desk, and then typically wait two days for the ticket to be processed and the applications are installed.

additional applications, they can request them from a website and they are installed immediately if there are no licensing restrictions. If there are licensing restrictions, users must first ask for approval before they can install the application. The website shows users only the applications that they are allowed to install.

Employees can use their mobile devices at work if the devices comply with security policies that are monitored and enforced. These policies include the following: Strong password Lock after period of inactivity Lost or stolen mobile devices are remotely wiped

Employees connect their mobile devices to Exchange Server for email service but there is limited reporting to confirm that they are in compliance with the security policies in the default Exchange ActiveSync mailbox policies. The personal use of mobile devices is at risk of being prohibited unless IT can confirm adherence to policy.

The IT organization can report mobile device security compliance with the required settings. This confirmation lets users continue to use their mobile device at work. Users can remotely wipe their mobile device if it is lost or stolen, and the help desk can wipe any users mobile device that is reported as lost or stolen. Provide mobile device enrollment in a PKI environment for additional security and control. Employees can use kiosk computers to access their applications and data.

Employees can be productive even if they are not at their desk.

When employees are not at their desk and do not have portable computers, they cannot access their applications by using the kiosk computers that are available throughout the company. Applications and software updates that are required install during the day and frequently disrupt users from working because their

Usually, business continuity takes precedence over installing required applications and software updates.

Users can configure their working hours to prevent required software from installing while they are using their computer.
29

Requirement

Current client management state

Future client management state

computers slow down or restart during the installation. To meet the requirements, Adam uses these Configuration Manager management capabilities and configuration options: Application management Mobile device management

He implements these by using the configuration steps in the following table.

Configuration steps Outcome

Adam makes sure that the new users have user accounts in Active Directory and creates a new query-based collection in Configuration Manager for these users. He then defines user device affinity for these users by creating a file that maps the user accounts to the primary computers that they will use and imports this file into Configuration Manager. The applications that the new users must have are already created in Configuration Manager. He then deploys these applications that have the purpose of Required to the collection that contains the new users. Adam installs and configures the Application Catalog site system roles so that users can browse for applications to install. He creates application deployments that have the purpose of Available, and then deploys these applications to the collection that contains the new users. For the applications that have a restricted number of licenses, Adam configures these applications to require approval. Adam creates an Exchange Server connector in Configuration Manager to manage the mobile devices that connect to the companys onpremises Exchange Server. He configures this connector with security settings that include the

Because of the user device affinity information, the applications are installed to each users primary computer or computers before the user log on. The applications are ready to use as soon as the user successfully logs on.

By configuring applications as available to these users and by using the Application Catalog, users can now browse the applications that they are allowed to install. Users can then either install the applications immediately or request approval and return to the Application Catalog to install them after the help desk has approved their request.

With these two mobile device management solutions, the IT organization can now provide reporting information about the mobile devices that are being used on the company network and their compliance with the configured
30

Configuration steps

Outcome

requirement for a strong password and lock the mobile device after a period of inactivity. Adam has Configuration Manager SP1, so for additional management for devices that run Windows Phone 8, Windows RT, and iOS, he obtains a Windows Intune subscription and then installs the Windows Intune connector site system role. This mobile device management solution gives the company greater management support for these devices. This includes making applications available for users to install on these devices, and extensive settings management. In addition, mobile device connections are secured by using PKI certificates that are automatically created and deployed by Windows Intune. After configuring the Windows Intune connector, Adam sends an email message to the users who own these mobile devices for them to click a link to start the enrollment process. For the mobile devices to be enrolled by Windows Intune, Adam uses compliance settings to configure security settings for these mobile devices. These settings include the requirement to configure a strong password and lock the mobile device after a period of inactivity. Trey Research has several kiosk computers that are used by employees who visit the office. The employees want their applications to be available to them wherever they log on. However, Adam does not want to locally install all the applications on each computer. To achieve this, Adam creates the required applications that have two deployment types: A full, local installation of the application that has a requirement that it can only be installed on a users primary device. A virtual version of the application that has the requirement that it must not be installed

security settings. Users are shown how to remotely wipe their mobile device by using the Application Catalog or the company portal if their mobile device is lost or stolen. The help desk is also instructed how to remotely wipe a mobile device for users by using the Configuration Manager console. In addition, for the mobile devices that are enrolled by Windows Intune, Adam can now deploy mobile applications for users to install, collect more inventory data from these devices, and have better management control over these devices by being able to access more settings.

When visiting employees log on to a kiosk computer, they see the applications that they require displayed as icons on the kiosk computers desktop. When they run the application, it is streamed as a virtual application. This way, they can be as productive as if they are sitting at their desktop.

31

Configuration steps

Outcome

on the users primary device. Adam lets users know that they can configure their business hours in Software Center and select options to prevent software deployment activities during this time period and when the computer is in presentation mode. Because users can control when Configuration Manager deploys software to their computers, users remain more productive during their work day.

These configuration steps and outcomes let Trey Research successfully empower their employees by ensuring access to applications from any device. Example Scenario: Unify Compliance Management for Devices Trey Research wants a unified client management solution that ensures that their computers run antivirus software that is automatically kept up-to-date. That is, Windows Firewall is enabled, critical software updates are installed, specific registry keys are set, and managed mobile devices cannot install or run unsigned applications. The company also wants to extend this protection to the Internet for laptops that move from the intranet to the Internet. Adam maps these company requirements to the following scenarios:
Requirement Current client management state Future client management state

All computers run antimalware software that has up-to-date definition files and enables Windows Firewall.

Different computers run different antimalware solutions that are not always kept up-todate and although Windows Firewall is enabled by default, users sometimes disable it. Users are asked to contact the help desk if malware is detected on their computer.

All computers run the same antimalware solution that automatically downloads the latest definition update files and automatically re-enables Windows Firewall if users disable it. The help desk is automatically notified by email if malware is detected. Improve the current compliance rate within the specified month to over 95% without sending email messages or asking the help desk to manually install them.

All computers install critical software updates within the first month of release.

Although software updates are installed on computers, many computers do not automatically install critical software updates until two or three months after they are released. This leaves them vulnerable to attack during this time period.

32

Requirement

Current client management state

Future client management state

For the computers that do not install the critical software updates, the help desk first sends out email messages asking users to install the updates. For computers that remain noncompliant, engineers remotely connect to these computers and manually install the missing software updates. Security settings for specific applications are regularly checked and remediated if it is necessary. Computers run complex startup scripts that rely on computer group membership to reset registry values for specific applications. Because these scripts only run at startup and some computers are left on for days, the help desk cannot check for configuration drift on a timely basis. Mobile devices cannot install or run unsafe applications. Users are asked not to download and run potentially unsafe applications from the Internet but there are no controls in place to monitor or enforce this. Mobile devices that are managed by the Windows Intune connector or Configuration Manager automatically prevent unsigned applications from installing or running. An Internet connection is all that is required for laptops to be kept in compliance with security requirements. Users do not have to log on or use the VPN. Registry values are checked and automatically remediated without relying on computer group membership or restarting the computer.

Laptops that move from the intranet to the Internet must be kept secure.

For users who travel, they frequently cannot connect over the VPN daily and these laptops become out of compliance with security requirements.

To meet the requirements, Adam uses these Configuration Manager management capabilities and configuration options: Endpoint Protection
33

Software updates Compliance settings Mobile device management Internet-based client management

He implements these by using the configuration steps in the following table.

Configuration steps Outcome

Adam configures Endpoint Protection and enables the client setting to uninstall other antimalware solutions and enables Windows Firewall. He configures automatic deployment rules so that computers check for and install the latest definition updates regularly.

The single antimalware solution helps protect all computers by using minimal administrative overhead. Because the help desk is automatically notified by email message if antimalware is detected, problems can be resolved quickly. This helps prevent attacks on other computers. Compliance for critical software updates increases and reduces the requirement for users or the help desk to install software updates manually.

To help increase compliance rates, Adam uses automatic deployment rules, defines maintenance windows for servers, and investigates the advantages and disadvantages of using Wake on LAN for computers that hibernate. Adam uses compliance settings to check for the presence of the specified applications. When the applications are detected, configuration items then check the registry values and automatically remediate them if they are out of compliance. Adam uses compliance settings for enrolled mobile devices and configures the Exchange Server connector so that unsigned applications are prohibited from installing and running on mobile devices. Adam makes sure that site system servers and computers have the PKI certificates that Configuration Manager requires for HTTPS connections, and then he installs additional site system roles in the perimeter network that accept client connections from the Internet.

By using configuration items and configuration baselines that are deployed to all computers and that check for compliance every day, separate scripts that rely on computer membership and computer restarts are no longer required. By prohibiting unsigned applications, mobile devices are automatically protected from potentially harmful applications.

Computers that move from the intranet to the Internet automatically continue to be managed by Configuration Manager when they have an Internet connection. Those computers do not rely on users logging on to their computer or connecting to the VPN. These computers continue to be managed for antimalware and Windows Firewall, software updates, and configuration items. As a result,
34

Configuration steps

Outcome

compliance levels automatically increase. These configuration steps and outcomes result in Trey Research successfully unifying their compliance management for devices. Example Scenario: Simplify Client Management for Devices Trey Research wants all new computers to automatically install their companys base computer image that runs Windows 7. After the operating image is installed on these computers, they must be managed and monitored for additional software that users install. Computers that store highly confidential information require more restrictive management policies than the other computers. For example, help desk engineers must not connect to them remotely, BitLocker PIN entry must be used for restarts, and only local administrators can install software. Adam maps these company requirements to the following scenarios:
Requirement Current client management state Future client management state

New computers are installed with Windows 7.

The help desk installs and configures Windows 7 for users and then sends the computer to the respective location. The Configuration Manager client is deployed by using automatic client push and the help desk investigates installation failures and clients that do not send inventory data when expected. Failures are frequent because of installation dependencies that are not met and WMI corruption on the client.

New computers go straight to the final destination, are plugged into the network, and they automatically install and configure Windows 7. Client installation and inventory data that is collected from computers is more reliable and requires less intervention from the help desk. Reports show software usage for license information.

Computers must be managed and monitored. This includes hardware and software inventory to help determine licensing requirements.

Some computers must have more rigorous management policies.

Because of the more rigorous management policies, these computers are currently not managed by Configuration Manager.

Manage these computers by using Configuration Manager without additional administrative overhead to accommodate the exceptions.

35

To meet the requirements, Adam uses these Configuration Manager management capabilities and configuration options: Operating system deployment Client deployment and client status Compliance settings Client settings Inventory and Asset Intelligence Role-based administration

He implements these by using the configuration steps in the following table.

Configuration steps Outcome

Adam captures an operating system image New computers are up and running more from a computer that has Windows 7 installed quickly without intervention from the help desk. and that is configured to the company specifications. He then deploys the operating system to the new computers by using unknown computer support and PXE. He also installs the Configuration Manager client as part of the operating system deployment. Adam configures automatic site-wide client push installation to install the Configuration Manager client on any computers that are discovered. This ensures that any computers that were not imaged with the client still install the client so that the computer is managed by Configuration Manager. Installing the client together with the operating system is quicker and more reliable than waiting for Configuration Manager to discover the computer and then try to install the client source files on the computer. However, leaving the automatic client push option enabled provides a backup means for a computer that already has the operating system installed to Adam configures client status to automatically remediate any client issues that are discovered. install the client when the computer connects to the network. Adam also configures client settings that enable the collection of inventory data that is Client settings ensure that clients send their required, and configures Asset Intelligence. inventory information to the site regularly. This, in addition to the client status tests, help to keep the client running with minimal intervention from the help desk. For example, WMI corruptions are detected and automatically remediated. The Asset Intelligence reports help monitor software usage and licenses. Adam creates a collection for the computers that must have more rigorous policy settings These computers are now managed by Configuration Manager but with specific
36

Configuration steps

Outcome

and then creates a custom client device setting for this collection that includes disabling remote control, enables BitLocker PIN entry, and lets only local administrators to install software. Adam configures role-based administration so that help desk engineers do not see this collection of computers to help ensure that they are not accidentally managed as a standard computer.

settings that do not require a new site. The collection for these computers is not visible to the help desk engineers to help reduce the possibility that they are accidentally sent deployments and scripts for standard computers.

These configuration steps and outcomes result in Trey Research successfully simplifying client management for devices.

Next Steps
Before you install Configuration Manager, you can become familiar with some basic concepts and terms that are specific to Configuration Manager. If you are familiar with Configuration Manager 2007, see Whats New in Configuration Manager, because there are some important changes in basic concepts and functionality from earlier versions of the software. If you are upgrading from System Center 2012 Configuration Manager with no service pack to Configuration Manager SP1, see W hats New in Configuration Manager SP1 for changes and updates to this release. For a high-level technical overview of System Center 2012 Configuration Manager, see Fundamentals of Configuration Manager.

When you are familiar with the basic concepts, use the System Center 2012 Configuration Manager documentation to help you successfully deploy and use Configuration Manager. For more information about the available documentation, see Whats New in the Documentation for Configuration Manager.

See Also
Getting Started with System Center 2012 Configuration Manager

Whats New in Configuration Manager

Use the following sections to review information about significant changes in System Center 2012 Configuration Manager since Configuration Manager 2007: Site Installation and the Configuration Manager Console Sites and Hierarchies Client Deployment and Operations Software Deployment and Content Management
37

Monitoring and Reporting Wake on LAN Windows Embedded devices

In addition, the following features either have not changed or have minor changes:

Site Installation and the Configuration Manager Console

The following sections contain information about changes in Configuration Manager since Configuration Manager 2007 that relate to how you install System Center 2012 Configuration Manager and changes to the Configuration Manager console. Site Installation The following options in Setup for site installation are new or have changed since Configuration Manager 2007. Central Administration Site The top-level Configuration Manager 2007 site in a multi-primary site hierarchy was known as a central site. In System Center 2012 Configuration Manager the central site is replaced by the central administration site. The central administration site is not a primary site at the top of the hierarchy, but rather a site that is used for reporting and to facilitate communication between primary sites in the hierarchy. A central administration site supports a limited selection of site system roles and does not directly support clients or process client data. Installation of Site System Roles The following site roles can be installed and configured during Setup: Management point Distribution point

The site system roles are installed locally on the site server. After installation, you can add a distribution point on another server. The management point for the secondary site is a supported role only on the site server. No Secondary Site Installation Option Secondary sites can only be installed from the System Center 2012 Configuration Manager console. For more information about installing a secondary site, see the Install a Secondary Site section in the topic. Optional Configuration Manager Console Installation You can choose to install the Configuration Manager console during Setup or install the console after Setup by using the Configuration Manager console Windows Installer package (consolesetup.exe). Server and client language selections You are no longer required to install your site servers by using source files for a specific language or install International Client Packs when you want to support different languages on the client. From Setup, you can choose the server and client languages that are supported in your Configuration Manager hierarchy. Configuration Manager uses the display language
38

of the server or client computer when you have configured support for the language. English is the default language used when Configuration Manager does not support the display language of the server or client computer. Warning You cannot select specific languages for mobile device clients. Instead, you must enable all available client languages or use English only. Unattended installation script is automatically created Setup automatically creates the unattended installation script when you confirm the settings on the Summary page of the wizard. The unattended installation script contains the settings that you choose in the wizard. You can modify the script to install other sites in your hierarchy. Setup creates the script in %TEMP%\ConfigMgrAutoSave.ini. Database Replication When you have more than one System Center 2012 Configuration Manager site in your hierarchy, Configuration Manager uses database replication to transfer data and merge changes made to a sites database with the information stored in the database at other sites in the hierarchy. This enables all sites to share the same information. When you have a primary site without any other sites, database replication is not used. Database replication is enabled when you install a primary site that reports to a central administration site or when you connect a secondary site to a primary site. Setup Downloader Setup Downloader (SetupDL.exe) is a stand-alone application that downloads the files required by Setup. You can run Setup Downloader or Setup can run it during site installation. You can see the progress of files being downloaded and verified, and only the required files are downloaded (missing files and files that have been updated). For more information about Setup Downloader, see the Setup Downloader section in this topic. Prerequisite Checker The Prerequisite Checker (prereqchk.exe) is a standalone application that verifies server readiness for a specific site system role. In addition to the site server, site database server, and provider computer, the Prerequisite Checker now checks management point and distribution point site systems. You can run Prerequisite Checker manually or Setup runs it automatically as part of site installation. For more information about the Prerequisite Checker, see the Prerequisite Checker section in this topic. The Configuration Manager 2007 log viewer tool, Trace32, is now replaced with CMTrace. For more information, see the Install Sites and Create a Hierarchy for Configuration Manager topic in the Site Administration for System Center 2012 Configuration Manager guide. The Configuration Manager Console There is a new console for System Center 2012 Configuration Manager, which provides the following benefits: Logical grouping of operations into the following workspaces: Assets and Compliance, Software Library, Monitoring, and Administration. To change the default order of the
39

workspaces and which ones are displayed, click the down arrow on the navigation pane above the status bar, and then select one of the options: Show More Buttons, Show Fewer Buttons, or Navigation Pane Options. A ribbon to help you more efficiently use the console. An administrative user sees only the objects that she is allowed to see, as defined by rolebased administration. Search capabilities throughout the console, to help you find your data more quickly. Browse and verify capability for many accounts that you configure in the console, which helps to eliminate misconfiguration and can be useful for troubleshooting scenarios. For example, this design applies to the Client Push Installation Account and the Network Access Account. Use of temporary nodes in the navigation pane that are automatically created and selected as a result of actions that you take and that do not display after you close the console. Examples of temporary nodes include the following: In the Assets and Compliance workspace, click the Device Collections node, and then select the All Systems collection. In the Collection group, click Show Members and the temporary node named All Systems is created and automatically selected in the navigation pane. In the Monitoring workspace, click Client Status, and in the Statistics section, browse to the All Systems collection, and then click Active clients that passed client check or no results. The temporary node named Active clients that passed client check or no results from All Systems is created and automatically selected in the Assets and Compliance workspace.

Sites and Hierarchies

The following sections contain information about changes from Configuration Manager 2007 that relate to sites and hierarchies in System Center 2012 Configuration Manager. Note The Active Directory schema extensions for System Center 2012 Configuration Manager are unchanged from those used by Configuration Manager 2007. If you extended the schema for Configuration Manager 2007, you do not need to extend the schema again for System Center 2012 Configuration Manager. Site Types System Center 2012 Configuration Manager introduces the central administration site and some changes to primary and secondary sites. The following tables summaries these sites and how they compare to sites in Configuration Manager 2007.
Site Purpose Change from Configuration Manager 2007

Central administration site

The central administration Although this is the site at the top site coordinates intersite data of the hierarchy in
40

Site

Purpose

Change from Configuration Manager 2007

replication across the hierarchy by using Configuration Manager database replication. It also enables the administration of hierarchy-wide configurations for client agents, discovery, and other operations. Use this site for all administration and reporting for the hierarchy.

System Center 2012 Configuration Manager, it has the following differences from a central site in Configuration Manager 2007: Does not process data submitted by clients, except for the Heartbeat Discovery discovery data record. Does not accept client assignments. Does not support all site system roles. Participates in database replication

Primary site

Manages clients in wellconnected networks.

Primary sites in System Center 2012 Configuration Manager have the following differences from primary sites in Configuration Manager 2007: Additional primary sites allow the hierarchy to support more clients. Cannot be tiered below other primary sites. No longer used as a boundary for client agent settings or security. Participates in database replication.

Secondary site Controls content distribution for clients in remote locations across links that have limited network bandwidth.

Secondary sites in System Center 2012 Configuration Manager have the following differences from secondary sites in Configuration Manager 2007: SQL Server is required and SQL Server Express will be
41

Site

Purpose

Change from Configuration Manager 2007

installed during site installation if required. A management point and distribution point are automatically deployed during the site installation. Secondary sites can send content distribution to other secondary sites. Participates in database replication.

For more information, see the Planning for Sites and Hierarchies in Configuration Manager topic in the Site Administration for System Center 2012 Configuration Manager guide. Site Communication The following items are new or have changed for site communication since Configuration Manager 2007: Site-to-site communication now uses database replication in addition to file-based replication for many site-to-site data transfers, including configurations and settings. The Configuration Manager 2007 concept of mixed-mode or native-mode sites to define how clients communicate to site systems in the site has been replaced by site system roles that can independently support HTTP or HTTPS client communications. To help support client computers in other forests, Configuration Manager can discover computers in these forests and publish site information to these forests. The server locator point is no longer used, and the functionality of this site system role is moved to the management point. Note Although the Active Directory schema extensions still include the server locator point, this object is not used by Microsoft System Center 2012 Configuration Manager. Internet-based client management now supports the following: User policies when the Internet-based management point can authenticate the user by using Windows authentication (Kerberos or NTLM). Simple task sequences, such as scripts. Operating system deployment on the Internet remains unsupported. Internet-based clients on the Internet first try to download any required software updates from Microsoft Update, rather than from an Internet-based distribution point in their assigned site. Only if this fails, will they then try to download the required software updates from an Internet-based distribution point.
42

For more information, see the Planning for Communications in Configuration Manager topic in the Site Administration for System Center 2012 Configuration Manager guide. Site Modes Sites are no longer configured for mixed mode or native mode. Instead, you secure client communication endpoints by configuring individual site system roles to support client connections over HTTPS or HTTP. Site system roles in the same site can have different settings, for example, some management points are configured for HTTPS and some are configured for HTTP. Most client connections over HTTPS use mutual authentication so you must make sure that clients have a PKI certificate that has client authentication capability to support this configuration. Mobile devices and client connections over the Internet must use HTTPS. Active Directory Domain Services and DNS remains the preferred method for clients to find management points. However, you can still use WINS as an alternative service location method and Configuration Manager now supports an entry for HTTPS management points (record type of [19]) in addition to the entry for HTTP (record type of [1A]. For sites that use HTTPS client connections, you do not have to specify a PKI certificate for document signing (the site server signing certificate in Configuration Manager 2007) because System Center 2012 Configuration Manager automatically creates this certificate (self-signed). However, most of the PKI certificate requirements from Configuration Manager 2007 remain the same when you configure site system roles to use HTTPS client communication, except that many certificates now support SHA-2 in addition to SHA-1. For more information about the certificates, see Security: Certificates and Cryptographic Controls in this topic. Language Pack Support The following items are new or have changed for language support since Configuration Manager 2007: You no longer install site servers by using source files designed for a specific language. Additionally, you no longer install International Client Packs to support different languages on the client. Instead, you can choose to install only the server and client languages that you want to support. Available client and server language packs are included with the Configuration Manager installation media in the LanguagePack folder, and updates are available by download with the prerequisite files. You can add client and server language packs to a site when you install the site, and can modify the language packs in use after the site installs. Each site supports multiple languages for use with Configuration Manager consoles. At each site you can install individual client language packs, adding support for only the client languages you want to support.

You can install multiple languages at each site, and only need to install those you use:

When you install support for a language that matches the display language of a computer, Configuration Manager consoles and the client user interface that run on that computer display information in that language.
43

When you install support for a language that matches the language preference that is in use by the web browser of a computer, connections to web-based information including the Application Catalog or SQL Server Reporting Services reports display in that language.

Site System Roles The following site systems roles are removed: The reporting point. All reports are generated by the reporting services point. The PXE service point. This functionality is moved to the distribution point. The server locator point. This functionality is moved to the management point. The branch distribution point. Distribution points can be installed on servers or workstations that are in an Active Directory domain. The functionality of the branch distribution point is now a BranchCache setting for an application deployment type and the package deployment.

In addition, network load balanced (NLB) management points are no longer supported and this configuration is removed from the management point component properties. Instead, this functionality is automatically provided when you install more than one management point in the site. The following site system roles are new: The Application Catalog website point and the Application Catalog web services point. These site system roles require IIS and support the new client application, Software Center. The enrollment proxy point, which manages enrollment requests from mobile devices, and the enrollment point, which completes mobile device enrollment and provisions AMT-based computers. These site system roles require IIS.

There is no longer a default management point at primary sites. Instead you can install multiple management points and the client will automatically select one, based on network location and capability (HTTPS or HTTP). This behavior supports a higher number of clients in a single site and provides redundancy, which was previously obtained by using a network load balancing (NLB) cluster. When the site contains some management points that support HTTPS client connections and some management points that support HTTP client connections, the client will connect to a management point that is configured for HTTPS when the client has a valid PKI certificate. You can also have more than one Internet-based management point in a primary site, although you can specify only one when you configure clients for Internet-based client management. When Internet-based clients communicate with the specified Internet-based management point, they will be given a list of all the Internet-based management points in the site and then select one. At a secondary site, the management point is no longer referred to as proxy management point, and must be co-located on the secondary site server. Boundaries and Boundary Groups The following items are new or have changed for boundaries since Configuration Manager 2007: Boundaries are no longer site specific, but defined once for the hierarchy, and they are available at all sites in the hierarchy.

44

Each boundary must be a member of a boundary group before a device on that boundary can identify an assigned site, or a content server such as a distribution point. You no longer configure the network connection speed of each boundary. Instead, in a boundary group you specify the network connection speed for each site system server associated to the boundary group as a content location server.

For more information, see the Planning for Boundaries and Boundary Groups in Configuration Manager topic in the Site Administration for System Center 2012 Configuration Manager guide. Fallback Site for Client Assignment In Configuration Manager 2007, automatic site assignment would fail if the client was not in a specified boundary. New in System Center 2012 Configuration Manager, if you specify a fallback site (an optional setting for the hierarchy) and the client is not in a boundary group, automatic site assignment succeeds and the client is assigned to the specified fallback site. For more information, see the How to Assign Clients to a Site in Configuration Manager topic in the Deploying Clients for System Center 2012 Configuration Manager guide. Discovery The following items are new or have changed for Discovery since Configuration Manager 2007: Each data discovery record is processed and entered into the database one time only, at a primary site or central administration site, and then the data discovery record is deleted without additional processing. Discovery information entered into the database at one site is shared to each site in the hierarchy by using Configuration Manager database replication. Active Directory Forest Discovery is a new discovery method that can discover subnets and Active Directory sites, and can add them as boundaries for your hierarchy. Active Directory System Group Discovery has been removed. Active Directory Security Group Discovery is renamed to Active Directory Group Discovery and discovers the group memberships of resources. Active Directory System Discovery and Active Directory Group Discovery support options to filter out stale computer records from discovery. Active Directory System, User, and Group Discovery support Active Directory Delta Discovery. Delta Discovery is improved from Configuration Manager 2007 R3 and can now detect when computers or users are added or removed from a group.

For more information, see the Planning for Discovery in Configuration Manager topic in the Site Administration for System Center 2012 Configuration Manager guide. Client Agent Settings is Now Client Settings In Configuration Manager 2007, client agent settings are configured on a per-site basis and you cannot configure these settings for the whole hierarchy. In System Center 2012 Configuration Manager, client agent settings and other client settings are grouped into centrally configurable client settings objects that are applied at the hierarchy. To view and configure these, modify the default client settings. If you need additional flexibility for groups of users or
45

computers, configure custom client settings and assign them to collections. For example, you can configure remote control to be available only on specified computers. For more information, see the Planning for Client Settings in Configuration Manager topic in the Site Administration for System Center 2012 Configuration Manager guide. Security: Role-Based Administration In Configuration Manager 2007, administrative access to site resources is controlled by using class and instance security settings that are verified by the SMS Provider computer to allow access to site information and configuration settings. System Center 2012 Configuration Manager introduces role-based administration to centrally define and manage hierarchy-wide security access settings for all sites and site settings. Instead of using individual class rights, role-based administration uses security roles to group typical administrative tasks that are assigned to multiple administrative users. Security scopes replace individual instance rights per object to group the permissions that are applied to site objects. The combination of security roles, security scopes, and collections allow you to segregate the administrative assignments that meet your organization requirements and this combination defines what an administrative user can view and manage in the Configuration Manager hierarchy. Role-based administration provides the following benefits: Sites are no longer administrative boundaries. You create administrative users for the hierarchy and assign security to them one time only. You create content for the hierarchy and assign security to that content one time only. All security assignments are replicated and available throughout the hierarchy. There are built-in security roles to assign the typical administration tasks and you can create your own custom security roles. Administrative users see only the objects that they have permissions to manage. You can audit administrative security actions.

The following table illustrates the differences between implementing security permissions in Configuration Manager 2007 and System Center 2012 Configuration Manager:
Scenario Configuration Manager 2007 System Center 2012 Configuration Manager

Add new administrative user

Perform the following actions from each site in the hierarchy: 1. Add the Configuration Manager user. 2. Select the security classes.

Perform the following actions one time only from any site in the hierarchy: 1. Add the Configuration Manager administrative user. 2. Select the security roles. 3. Select the security scopes.
46

Scenario

Configuration Manager 2007

System Center 2012 Configuration Manager

3. For each class selected, select instance permissions. Create and deploy software. Perform the following actions from each site in the hierarchy:

4. Select the collections.

Perform the following actions one time only from any site in the hierarchy:

1. Edit the package 1. Assign a security scope to the properties and select the software deployment. security classes 2. Deploy the software. 2. Add each user or group to the instance and then select the instance rights. 3. Deploy the software. To configure role-based administration, in the Administration workspace, click Security, and then view or edit the Administrative Users, Security Roles, and Security Scopes. For more information, see the Planning for Role-Based Administration section in the Planning for Security in Configuration Manager topic in the Site Administration for System Center 2012 Configuration Manager guide. Security: Certificates and Cryptographic Controls The following items are new or have changed for certificates and cryptographic controls since Configuration Manager 2007: For most Configuration Manager communications that require certificates for authentication, signing, or encryption, Configuration Manager automatically uses PKI certificates if they are available. If they are not available, Configuration Manager generates self-signed certificates. The primary hashing algorithm that Configuration Manager uses for signing is SHA-256. When two Configuration Manager sites communicate with each other, they sign their communications by using SHA-256 and you can require that all clients use SHA-256. Configuration Manager uses two new types of certificates for site systems: a site system server certificate for authentication to other site systems in the same Configuration Manager site, and a site system role certificate. Configuration Manager also uses a client authentication certificate to send status messages from the distribution point to the management point. The site server signing certificate is now self-signed; you cannot use a PKI certificate to sign client policies. You can use a client PKI certificate for authentication to a site system that accepts HTTP client connections. The new certificate issuers list for a site acts like a certificate trust list (CTL) in IIS. It is used by site systems and clients to help ensure that the correct client PKI certificate is used for PKI
47

communication in Configuration Manager. For more information, see the Planning for the PKI Trusted Root Certificates and the Certificate Issuers List section in the Planning for Security in Configuration Manager topic in the Site Administration for System Center 2012 Configuration Manager guide. For more information about the certificates and the cryptographic controls, see Technical Reference for Cryptographic Controls Used in Configuration Manager in the Site Administration for System Center 2012 Configuration Manager guide. For more information about the PKI certificate requirements, see PKI Certificate Requirements for Configuration Manager in the Site Administration for System Center 2012 Configuration Manager guide. In addition, when you deploy operating systems and use PKI certificates, Configuration Manager now supports the following: The client authentication certificate supports the Subject Alternative Name (SAN) certificate field and a blank Subject. If you use Active Directory Certificate Services with an enterprise CA to deploy this certificate, you can use the Workstation certificate template to generate a certificate with a blank Subject and SAN value. Task sequences support the option to disable CRL checking on clients.

When you implement Internet-based client management, user policies are now supported for devices that are on the Internet when the management point can authenticate the user in Active Directory Domain Services. For example, the management point is in the intranet and accepts connections from Internet clients and intranet clients; or the management point is in a perimeter network that trusts the intranet forest where the user account resides. For more information about Internet-based client management, see the Planning for Internet-Based Client Management section in the Planning for Communications in Configuration Manager topic in the Site Administration for System Center 2012 Configuration Manager guide. Backup and Recovery The following items are new or have changed for backup and recovery since Configuration Manager 2007.
Feature Description

Recovery integrated with System Center 2012 Configuration Manager Setup

Configuration Manager 2007 used the Site Repair Wizard to recover sites. In System Center 2012 Configuration Manager, recovery is integrated in the Configuration Manager Setup Wizard. You have the following options when running recovery in System Center 2012 Configuration Manager: Site Server Recover the site server from a backup.
48

Support for multiple recovery options

Feature

Description

Recovery uses data replication to minimize data loss

Reinstall the site server Recover the site database from a backup Create a new site database Use a site database that been manually recovered Skip database recovery

Site Database

System Center 2012 Configuration Manager database replication uses SQL Server to transfer data and merge changes made to a sites database with the information stored in the database at other sites in the hierarchy. This enables all sites to share the same information. Recovery in System Center 2012 Configuration Manager leverages database replication to retrieve global data that was created by the failed site before it failed. This process minimizes data loss even when no backup is available.

Recovery using a Setup script

You can initiate an unattended site recovery by configuring an unattended installation script and then using the Setup command /script option.

For more information, see the Planning for Backup and Recovery section in the Planning for Site Operations in Configuration Manager topic in the Site Administration for System Center 2012 Configuration Manager guide. Manage Site Accounts Tool (MSAC) The Manage Site Accounts (MSAC) command-line tool that was provided with Configuration Manager 2007 is not provided with System Center 2012 Configuration Manager. Do not use MSAC from Configuration Manager 2007 with System Center 2012 Configuration Manager. Instead, configure and manage the accounts by using the Configuration Manager console.

Client Deployment and Operations

The following sections contain information about changes from Configuration Manager 2007 that relate to client deployment and client operations in System Center 2012 Configuration Manager.

49

Client Deployment The following items are new or have changed for client deployment since Configuration Manager 2007: Clients are no longer configured for mixed mode or native mode, but instead use HTTPS with public key infrastructure (PKI) certificates or HTTP with self-signed certificates. Clients use HTTPS or HTTP according to the configuration of the site system roles that the clients connect to and whether they have a valid PKI certificate that includes client authentication capability. On the Configuration Manager client, in Properties, on the General tab, review the Client certificate value to determine the current client communication method. This value displays PKI certificate when the client communicates with a management point over HTTPS, and Self-signed when the client communicates with a management point over HTTP. Just as the client property value for the Connection type updates, depending on the current network status of the client, so the Client certificate client property value updates, depending on which management point the client communicates with. Because Microsoft System Center 2012 Configuration Manager does not use mixed mode and native mode, the client installation property, /native: [<native mode option>] , is no longer used. Instead, use /UsePKICert to use a PKI certificate that has client authentication capability, if it is available, but fall back to an HTTP connection if no certificate is available. If /UsePKICert is not specified, the client does not attempt to communicate by using a PKI certificate, but communicates by using HTTP only. Additionally, use the new command /NoCRLCheck if you do not want a client to check the certificate revocation list (CRL) before it establishes an HTTPS communication. The client.msi property SMSSIGNCERT is still used but requires the exported self-signed certificate of the site server. This certificate is stored in the SMS certificate store and has the Subject name Site Server and the friendly name Site Server Signing Certificate. When you reassign a client from a Microsoft System Center 2012 Configuration Manager hierarchy to another Microsoft System Center 2012 Configuration Manager hierarchy, the client will be able to automatically replace the trusted root key if the new site is published to Active Directory Domain Services and the client can access that information from a Global Catalog server. For this scenario in Configuration Manager 2007, you had to remove the trusted root key, manually replace the trusted root key, or uninstall and reinstall the client. The server locator point is no longer used for site assignment or to locate management points. This functionality is replaced by the management point. The CCMSetup Client.msi property SMSSLP remains supported, but only to specify the computer name of management points. You no longer install International Client Packs when you want to support different languages on the client. Instead, select the client languages that you want during Setup. Then, during the client installation, Configuration Manager automatically installs support for those languages on the client, enabling the display of information in a language that matches the users language preferences. If a matching language is not available, the client displays information in the default of English. For more information, see the Planning for Client Language Packs section in the Planning for Sites and Hierarchies in Configuration Manager topic.
50

Decommissioned clients are no longer displayed in the Configuration Manager console and they are automatically removed from the database by the Delete Aged Discovery Data task. The Client.msi property for CCMSetup, SMSDIRECTORYLOOKUP=WINSPROMISCUOUS, is no longer supported. This setting allowed the client to use WINS to find a management point without verifying the management point's self-signed certificate. To support the new 64-bit client, the location of the CCM folder for client-related files (such as the client cache and log files) has changed from %windir%\system32 to %windir%. If you reference the CCM folder for your own script files, update these references for the new folder location for Microsoft System Center 2012 Configuration Manager clients. Microsoft System Center 2012 Configuration Manager does not support the CCM folder on paths that support redirection (such as Program Files and %windir%\system32) on 64-bit operating systems. Automatic, site-wide client push now installs the Configuration Manager on existing computer resources if the client is not installed, and not just newly discovered computer resources. Client push installation initiates and tracks the installation of the client by using the Configuration Manager database and no longer creates individual .CCR files. When you enable client push installation for a site, all discovered resources that are assigned to the site and that do not have a client installed are immediately added to the database and client installation begins. Configuration Manager can automatically upgrade Configuration Manager 2007 and System Center 2012 Configuration Manager clients to the latest System Center 2012 Configuration Manager version when they are below a version that you specify. For more information see the How to Automatically Upgrade the Configuration Manager Client section in the topic How to Install Clients on Windows-Based Computers in Configuration Manager.

For more information, see the Introduction to Client Deployment in Configuration Manager topic in the Deploying Clients for System Center 2012 Configuration Manager guide. Client Assignment The following items are new or have changed for client assignment since Configuration Manager 2007: For automatic site assignment to succeed with boundary information, the boundary must be configured in a boundary group that is configured for site assignment. In Configuration Manager 2007, automatic site assignment would fail if the client was not in a specified boundary. New in System Center 2012 Configuration Manager, if you specify a fallback site (an optional setting for the hierarchy) and the clients network location is not in a boundary group, automatic site assignment succeeds, and the client is assigned to the specified fallback site. Clients can now download site settings from the management point after they have assigned to the site if they cannot locate these settings from Active Directory Domain Services. Although clients continue to download policy and upload client data to management points in their assigned site or in a secondary site that is a child site of their assigned site, all clients that are configured for intranet client management can now use any management point in the hierarchy for content location requests. There is no longer a requirement to extend the Active

51

Directory schema to support this capability, and there is no longer a concept of regional and global roaming. For more information, see the How to Assign Clients to a Site in Configuration Manager topic in the Deploying Clients for System Center 2012 Configuration Manager guide. Collections The following items are new or have changed for collections since Configuration Manager 2007:
Feature Description

User Collections and Device Collections nodes

You can no longer combine user resources and device resources in the same collection. The Configuration Manager console has two new nodes for user collections and device collections. Sub collections are no longer used in System Center 2012 Configuration Manager. In Configuration Manager 2007, sub collections had two main uses: Organize collections in folders. In System Center 2012 Configuration Manager, you can now create a hierarchy of folders in which to store collections. Sub collections were often used in Configuration Manager 2007 for phased software deployments to a larger collection of computers. In System Center 2012 Configuration Manager, you can use include rules to progressively increase the membership of a collection.

Sub collections

For more information, see How to Manage Collections in Configuration Manager. Include collection rules and exclude collection rules In System Center 2012 Configuration Manager, you can include or exclude the contents of another collection from a specified collection. Incremental collection member evaluation periodically scans for new or changed resources from the previous collection evaluation and updates a collections membership with these resources, independently of a full collection evaluation. By
52

Incremental collection member evaluation

Feature

Description

default, when you enable incremental collection member updates, it runs every 10 minutes and helps to keep your collection data up-to-date without the overhead of a full collection evaluation. Migration support Collections can be migrated from Configuration Manager 2007 collections. For more information, see Planning a Migration Job Strategy in System Center 2012 Configuration Manager. You can use collections to limit access to Configuration Manager objects. For more information, see Planning for Security in Configuration Manager. In Configuration Manager 2007, collections contained only resources from the site where they were created and from child sites of that site. In System Center 2012 Configuration Manager, collections contain resources from all sites in the hierarchy. In System Center 2012 Configuration Manager, all collections must be limited to the membership of another collection. When you create a collection, you must specify a limiting collection. A collection is always a subset of its limiting collection.

Role-based administration security scopes

Collection resources

Collection limiting

For more information, see the Introduction to Collections in Configuration Manager topic in the Assets and Compliance in System Center 2012 Configuration Manager guide. Queries The following items are new or have changed for queries since Configuration Manager 2007: The option to export the results of a query is not available in this release. As a workaround, you can copy the query results to the Windows clipboard.

For more information about queries, see the Introduction to Queries in Configuration Manager topic in the Assets and Compliance in System Center 2012 Configuration Manager guide.

53

Client Status Reporting is Now Client Status The following items are new or have changed for client status reporting (now client status) since Configuration Manager 2007: Client status and client activity information is integrated into the Configuration Manager console. Typical client problems that are detected are automatically remediated. The Ping tool from Configuration Manager 2007 R2 client status reporting is not used by System Center 2012 Configuration Manager.

For more information, see the Monitoring the Status of Client Computers in Configuration Manager section in the Introduction to Client Deployment in Configuration Manager topic in the Deploying Clients for System Center 2012 Configuration Manager guide. Desired Configuration Management is Now Compliance Settings The following items are new or have changed for desired configuration management (now compliance settings) since Configuration Manager 2007: Configuration Manager 2007 desired configuration management is now called compliance settings in System Center 2012 Configuration Manager. Configuration Manager provides a new built-in security role named Compliance Settings Manager. Administrative users who are members of this role can manage and deploy configuration items and configuration baselines and view compliance results. An administrative user can create registry and file system settings by browsing to an existing file, folder, or registry setting on the local or a remote reference computer. It is now easier to create configuration baselines. You can reuse settings for multiple configuration items. You can remediate noncompliant settings for WMI, the registry, scripts, and all settings for the mobile devices that are enrolled by Configuration Manager. When you deploy a configuration baseline, you can specify a compliance threshold for the deployment. If the compliance is below the specified threshold after a specified date and time, System Center 2012 Configuration Manager generates an alert to notify the administrator. You can use the new monitoring features of System Center 2012 Configuration Manager to monitor compliance settings and to view the most common causes of noncompliance, errors, and the number of users and devices that are affected. You can deploy configuration baselines to users and devices. Configuration baseline deployments and evaluation support Configuration Manager maintenance windows. You can use compliance settings to manage the mobile devices that you enroll with Configuration Manager. Configuration item versioning lets you view and use previous versions of configuration items. You can restore or delete previous versions of configuration items and see the user names of administrative users who made changes.

54

Configuration items can contain user and device settings. User settings are evaluated when the user is logged on. Examples of user settings include registry settings that are stored in HKEY CURRENT USER and user-based script settings that an administrative user configured. Improved reports contain rule details, remediation information, and troubleshooting information. You can now detect and report conflicting compliance rules. Unlike Configuration Manager 2007, System Center 2012 Configuration Manager does not support uninterpreted configuration items. An uninterpreted configuration item is a configuration item that is imported into compliance settings, but the Configuration Manager console cannot interpret it. Consequently you cannot view or edit the configuration item properties in the console. Before you import Configuration Packs or configuration baselines to System Center 2012 Configuration Manager, you must remove uninterpreted configuration items in Configuration Manager 2007. You can migrate configuration items and configuration baselines from Configuration Manager 2007 to System Center 2012 Configuration Manager. During migration, configuration data is automatically converted into the new format. Settings groups from Configuration Manager 2007 are no longer supported in System Center 2012 Configuration Manager. Regular expressions for settings are not supported in System Center 2012 Configuration Manager. Using wildcards for registry settings is not supported in System Center 2012 Configuration Manager. If you migrate configuration data from Configuration Manager 2007, you must remove wildcards from registry settings before you migrate otherwise the data will be invalid in the System Center 2012 Configuration Manager configuration item. The string operators Matches and Do not Match are not supported in System Center 2012 Configuration Manager. You can no longer create configuration items of the type General from the Configuration Manager console. You can now create only application configuration items and operating system configuration items. However, if you create a configuration item for a mobile device, this is created as a general configuration item.

For more information, see the Introduction to Compliance Settings in Configuration Manager topic in the Assets and Compliance in System Center 2012 Configuration Manager guide. Out of Band Management The following have changed for out of band management since Configuration Manager 2007: System Center 2012 Configuration Manager no longer supports provisioning out of band, which could be used in Configuration Manager 2007 when the Configuration Manager client was not installed, or the computer did not have an operating system installed. To provision computers for AMT in System Center 2012 Configuration Manager, they must belong to an Active Directory domain, have the System Center 2012 Configuration Manager client installed, and be assigned to a System Center 2012 Configuration Manager primary site.

55

To provision computers for AMT, you must install the new site system role, the enrollment point, in addition to the out of band service point. You must install both these site system roles on the same primary site. There is a new account, the AMT Provisioning Removal Account, which you specify on the Out of Band Management Component Properties: Provisioning tab. When you specify this account and use the same Windows account that is specified as an AMT User Account, you can use this account to remove the AMT provisioning information, if you have to recover the site. You might also be able to use it when the client was reassigned and the AMT provisioning information was not removed on the old site. Configuration Manager no longer generates a status message to warn you that the AMT provisioning certificate is about to expire. You must check the remaining validity period yourself and ensure that you renew this certificate before it expires. AMT discovery no longer uses port TCP 16992; only port TCP 16993 is used. Port TCP 9971 is no longer used to connect the AMT management controller to the out of band service point to provision computers for AMT. The out of band service point uses HTTPS (by default, port TCP 443) to connect to the enrollment point. The WS-MAN translator is no longer supported. The maintenance task Reset AMT Computer Passwords has been removed. You no longer select individual permissions for each AMT User Account. Instead, all AMT User Accounts are automatically configured for the PT Administration (Configuration Manager 2007 SP1) or Platform Administration (Configuration Manager 2007 SP2) right, which grants permissions to all AMT features. You must specify a universal security group in the Out Of Band Management Component Properties to contain the AMT computer accounts that Configuration Manager creates during the AMT provisioning process. The site server computer no longer requires Full Control to the organizational unit (OU) that is used during AMT provisioning. Instead, it grants Read Members and Writer Members (this object only) permissions. The enrollment point rather than the primary site server computer now requires the Issue and Manage Certificates permission on the issuing certification authority (CA). This permission is required to revoke AMT certificates. As in Configuration Manager 2007, this computer account requires DCOM permissions to communicate with the issuing CA. To configure this, ensure that for Windows Server 2008, the computer account of the enrollment point site system server is a member of the security group Certificate Service DCOM Access, or, for Windows Server 2003 SP1 and later, a member of the security group CERTSVC_DCOM_ACCESS in the domain where the issuing CA resides. The certificate templates for the AMT web server certificate and the AMT 802.1X client certificate no longer use Supply in the request, and the site server computer account no longer requires permissions to the following certificate templates: For the AMT web server certificate template: On the Subject tab, select Build from this Active Directory information, and then select Common name for the Subject name format. On the Security tab, grant Read and Enroll permissions to the universal security group that you specify in the Out Of Band Management Component Properties.
56

For the AMT 802.1X client certificate template: On the Subject tab, select Build from this Active Directory information, and then select Common name for the Subject name format. Clear the DNS name check box, and then select User principal name (UPN) as the alternate subject name. On the Security tab, grant Read and Enroll permissions to the universal security group that you specify in Out Of Band Management Point Component Properties.

The AMT provisioning certificate no longer requires that the private key can be exported. By default, the out of band service point checks the AMT provisioning certificate for certificate revocation. This occurs when the site system first runs, and when the AMT provisioning certificate is changed. You can disable this option in the Out Of Band Service Point Properties. You can enable or disable CRL checking for the AMT web server certificate in the out of band management console. To change the settings, click the Tools menu, and then click Options. The new setting is used when you next connect to an AMT-based computer. When a certificate for an AMT-based computer is revoked, the revocation reason is now Cease of Operation instead of Superseded. AMT-based computers that are assigned to the same Configuration Manager site must have a unique computer name, even when they belong to different domains and therefore have a unique FQDN. When you reassign an AMT-based computer from one Configuration Manager site to another, you must first remove the AMT provisioning information, reassign the client, and then provision the client again for AMT. The security rights View management controllers and Manage management controllers in Configuration Manager 2007 are now named Provision AMT and Control AMT, respectively. The Control AMT permission is automatically added to the Remote Tools Operator security role. If an administrative user is assigned to the Remote Tools Operator security role, and you want this administrative user to provision AMT-based computers or control the AMT audit log, you must add the Provision AMT permission to this security role, or ensure that the administrative user belongs to another security role that includes this permission.

For more information, see the Introduction to Out of Band Management in Configuration Manager topic in the Assets and Compliance in System Center 2012 Configuration Manager guide. Remote Control The following items are new or have changed for remote control since Configuration Manager 2007: Remote control now supports sending the CTRL+ALT+DEL command to computers. You can apply different remote control settings to collections of computers by using client settings. You can lock the keyboard and mouse of the computer that is being administered during a remote control session. The copy and paste functionality between the host computer and the computer that is being administered has been improved.
57

If the remote control network connection is disconnected, the desktop of the computer that is being administered will be locked. You can start the remote control viewer from the Windows Start menu. Remote control client settings can automatically configure the Windows Firewall on client computers to allow remote control to operate. Remote control supports connecting to computers with multiple monitors. A high visibility notification bar is visible on client computers to inform the user that a remote control session is active. By default, members of the local Administrators group are granted the Remote Control permission as a client setting. The account name of the administrative user who starts the remote control session is automatically displayed to users during the remote control session. This display helps users to verify who is connecting to their computer. If Kerberos authentication fails when you make a remote control connection to a computer, you are prompted to confirm that you want to continue before Configuration Manager falls back to using the less secure authentication method of NTLM. Only TCP port 2701 is required for remote control packets; ports TCP 2702 and TCP 135 are no longer used. Responsiveness for low-bandwidth connections supports the following improvements: Elimination of mouse trails by using single mouse cursor design. Full support for Windows Aero. Elimination of mirror driver.

For more information, see the Introduction to Remote Control in Configuration Manager topic in the Assets and Compliance in System Center 2012 Configuration Manager guide. Hardware Inventory The following items are new or have changed for hardware inventory since Configuration Manager 2007: In System Center 2012 Configuration Manager, you can enable custom hardware inventory, and add and import new inventory classes from the Configuration Manager console. The sms_def.mof file is no longer used to customize hardware inventory. You can extend the inventory schema by adding or importing new classes. Different hardware inventory settings can be applied to collections of devices by using client settings.

For more information, see the Introduction to Hardware Inventory in Configuration Manager topic in the Assets and Compliance in System Center 2012 Configuration Manager guide. Software Inventory There are no significant changes for software inventory in Configuration Manager since Configuration Manager 2007.

58

For more information about software inventory, see the Introduction to Software Inventory in Configuration Manager topic in the Assets and Compliance in System Center 2012 Configuration Manager guide. Asset Intelligence The following items are new or have changed for Asset Intelligence since Configuration Manager 2007: In System Center 2012 Configuration Manager, you can enable Asset Intelligence hardware inventory classes without editing the sms_def.mof file. You can now download the Microsoft Volume Licensing Service (MVLS) license statement from the Microsoft Volume Licensing Service Center and import the license statement from the Configuration Manager console. There is a new maintenance task (Check Application Title with Inventory Information) that checks that the software title reported in software inventory is reconciled with the software title in the Asset Intelligence catalog. There is a new maintenance task (Summarize Installed Software Data) that provides the information displayed in the Inventoried Software node under the Asset Intelligence node in the Assets and Compliance workspace. The Client Access License reports have been deprecated.

For more information, see the Introduction to Asset Intelligence in Configuration Manager topic in the Assets and Compliance in System Center 2012 Configuration Manager guide. Software Metering There are no significant changes for software metering in Configuration Manager since Configuration Manager 2007. For more information about software metering, see the Introduction to Software Metering in Configuration Manager topic in the Assets and Compliance in System Center 2012 Configuration Manager guide. Power Management The following items are new or have changed for power management since Configuration Manager 2007: If an administrative user enables this option, users can exclude computers from power management. Virtual machines are excluded from power management. Administrative users can copy power management settings from another collection. A new Computers Excluded report is now available. It displays the computers that are excluded from power management.

For more information, see the Introduction to Power Management in Configuration Manager topic in the Assets and Compliance in System Center 2012 Configuration Manager guide.

59

Mobile Devices Enrollment for mobile devices in System Center 2012 Configuration Manager is now natively supported by using the two new enrollment site system roles (the enrollment point and the enrollment proxy point) and a Microsoft enterprise certification authority. For more information about how to configure enrollment for mobile devices by using System Center 2012 Configuration Manager, see How to Install Clients on Mobile Devices and Enroll Them by Using Configuration Manager. After the mobile devices are enrolled, you can manage their settings by creating mobile device configuration items and then deploy them in a configuration baseline. For more information, see How to Create Mobile Device Configuration Items for Compliance Settings in Configuration Manager. For more information, see the Deploying the Configuration Manager Client to Mobile Devices section in the Introduction to Client Deployment in Configuration Manager topic in the Deploying Clients for System Center 2012 Configuration Manager guide. Exchange Server Connector New in System Center 2012 Configuration Manager, the Exchange Server connector allows you to find and manage devices that connect to Exchange Server (on-premise or hosted) by using the Exchange ActiveSync protocol. Use this mobile device management process when you cannot install the Configuration Manager client on the mobile device. For more information about the different management capabilities when you manage mobile devices by using the Exchange Server connector and when you install a Configuration Manager client on mobile devices, see Determine How to Manage Mobile Devices in Configuration Manager. For more information about how to install and configure the Exchange Server connector, see the How to Manage Mobile Devices by Using the Exchange Server Connector in Configuration Manager topic in the Deploying Clients for System Center 2012 Configuration Manager guide. Mobile Device Legacy Client If you have mobile devices that you managed with Configuration Manager 2007 and you cannot enroll them by using System Center 2012 Configuration Manager, you can continue to use them with System Center 2012 Configuration Manager. The installation for this mobile device client remains the same. However, whereas Configuration Manager 2007 did not require PKI certificates, System Center 2012 Configuration Manager requires PKI certificates on the mobile device and the management points and distribution points. Unlike other clients, mobile device legacy clients cannot automatically use multiple management points in a site. File collection is no longer supported for these mobile device clients in System Center 2012 Configuration Manager and unlike the mobile devices that you can enroll with Configuration Manager or manage by using the Exchange Server connector, you cannot manage settings for these mobile devices. In addition, the mobile device management inventory extension tool

60

(DmInvExtension.exe) is no longer supported. This functionality is replaced with the Exchange Server connector. For more information about the different mobile device management capabilities, see Determine How to Manage Mobile Devices in Configuration Manager. For more information, see the Deploying the Configuration Manager Client to Mobile Devices section in the Introduction to Client Deployment in Configuration Manager topic in the Deploying Clients for System Center 2012 Configuration Manager guide. Endpoint Protection System Center 2012 Endpoint Protection is now integrated with System Center 2012 Configuration Manager. The following items are new or have changed for Endpoint Protection since Forefront Endpoint Protection 2010: Because Endpoint Protection is now fully integrated with Configuration Manager, you do not run a separate Setup program to install an Endpoint Protection server. Instead, select the Endpoint Protection point as one of the available Configuration Manager site system roles. You can install the Endpoint Protection client by using Configuration Manager client settings, or you can manage existing Endpoint Protection clients. You do not use a package and program to install the Endpoint Protection client. The Endpoint Protection Manager role-based administration security role provides an administrative user with the minimum permissions required to manage Endpoint Protection in the hierarchy. Endpoint Protection in Configuration Manager provides new reports that integrate with Configuration Manager reporting. For example, you can now identify the users who have computers that most frequently report security threats. You can use Configuration Manager software updates to automatically update definitions and the definition engine by using automatic deployment rules. You can configure multiple malware alert types to notify you when Endpoint Protection detects malware on computers. You can also configure subscriptions to notify you about these alerts by using email. The Endpoint Protection dashboard is integrated with the Configuration Manager console. You do not have to install the dashboard separately. To view the Endpoint Protection dashboard, click the System Center 2012 Endpoint Protection Status node in the Monitoring workspace.

For more information, see the Introduction to Endpoint Protection in Configuration Manager topic in the Assets and Compliance in System Center 2012 Configuration Manager guide.

Software Deployment and Content Management

The following sections contain information about changes from Configuration Manager 2007 that relate to software updates, software distribution, operating system deployment and task sequences in System Center 2012 Configuration Manager.

61

Software Updates Although the general concepts for deploying software updates are the same in System Center 2012 Configuration Manager as they were in Configuration Manager 2007, new or updated functionality is available that improves the software update deployment process. This includes automatic approval and deployment for software updates, improved search with expanded criteria, enhancements to software updates monitoring, and greater user control for scheduling software update installation. The following table lists the functionality that is new or that has changed for software updates since Configuration Manager 2007.
Functionality Description

Software update groups

Software update groups are new in Configuration Manager and replace update lists that were used in Configuration Manager 2007. Software update groups more effectively organize software updates in your environment. You can manually add software updates to a software updates group, or add software updates automatically to a new or existing software update group by using an automatic deployment rule. You can also deploy a software update group manually or automatically by using an automatic deployment rule. After you deploy a software update group, you can add new software updates to the group, and they are automatically deployed. Automatic deployment rules automatically approve and deploy software updates. You specify the criteria for software updates (for example, all Windows 7 software updates released in the last week), the software updates are added to a software update group, you configure deployment and monitoring settings, and decide whether to deploy the software updates in the software update group. You can deploy the software updates in the software update group or retrieve compliance information from client computers for the software updates in the software update group without deploying them.

Automatic deployment rules

62

Functionality

Description

Software updates filtering

New search and expanded criteria are available when software updates are listed in the Configuration Manager console. You can add a set of criteria that makes it easy to find the software updates that you require. You can save the search criteria to use later. For example, you can set criteria for all critical software updates for Windows 7 and for software updates that were released in the last year. After you filter for the updates that you require, you can select the software updates and review compliance information per software update, create a software update group that contains the software updates, manually deploy the software updates, and so on. In the Configuration Manager console, you can monitor the following software updates objects and processes: Important software updates compliance and deployment views Detailed state messages for all deployments and assets Software updates error codes with additional information to help identify issues Status for software updates synchronization Alerts for important software updates issues

Software updates monitoring

Software update reports are also available that provide detailed state information for software updates, software update groups, and software update deployments. Manage superseded software updates Superseded software updates in Configuration Manager 2007 were automatically expired during the full software updates synchronization process for a site. In System Center 2012 Configuration Manager, you can decide whether to manage superseded software updates as in Configuration Manager 2007, or you can configure a specified period of
63

Functionality

Description

time where the software update is not automatically expired after it is superseded. During this time, you can deploy superseded software updates. Increased user control over software updates installation Configuration Manager gives users more control over when to install software updates on their computer. Configuration Manager Software Center is an application that is installed with the Configuration Manager client. Users run this application on the Start menu to manage the software that is deployed to them. This includes software updates. In Software Center, users can schedule software update installation at a convenient time before the deadline and install optional software updates. For example, you can configure your business hours and have software updates run outside of those hours to minimize productivity loss. When the deadline is reached for a software update, the installation for the software update is started. The content library in System Center 2012 Configuration Manager is the location that stores all content files for software updates, applications, operating system deployment, and so on. The content library provides a single instance store for content files on the site server and distribution points, and provides an advantage over content management functionality in Configuration Manager 2007. For example, in Configuration Manager 2007, you might distribute the same content files multiple times by using different deployments and deployment packages. The result was that the same content files were stored multiple times on the site server and on distribution points and added unnecessary processing overhead and excessive hard disk space requirements. For more information about content
64

Software update files are stored in the content library

Functionality

Description

management, see the Content Library section in the Introduction to Content Management in Configuration Manager topic. Software update deployment template There is no longer a Deployment Templates node in the Configuration Manager console to manage your templates. Deployment templates can be created only in the Automatic Deployment Rules Wizard or Deploy Software Updates Wizard. Deployment templates store many of the deployment properties that might not change from deployment to deployment, and they can save much time for administrative users when they deploy software updates. Deployment templates can be created for different deployment scenarios in your environment. For example, you can create a template for expedited software update deployments and planned deployments. The template for the expedited deployment can suppress display notifications on client computers, set the deadline for zero (0) days from the deployment schedule, and enable system restarts outside maintenance windows. The template for a planned deployment can allow for display notifications on client computers and set the deadline for 14 days from the deployment schedule. Internet-based clients can retrieve update files from the Internet When an Internet-based client receives a deployment, the client first tries to download the software files from Microsoft Update instead of distribution points. When the connection to Microsoft is not successful, clients fall back to a distribution point that hosts the software update files and is configured to accept communication from clients on the Internet. Update lists have been replaced by software update groups. Although you can still deploy software updates in System Center 2012 Configuration Manager,
65

Update lists are no longer used

Deployments are no longer used

Functionality

Description

there is no longer a visible software update deployment object. The deployment object is now nested in a software update group.

The New Policies Wizard is no longer available to create a NAP policy for software updates

The Network Access Protection node in the Configuration Manager console and the New Policies Wizard are no longer available in System Center 2012 Configuration Manager. To create a NAP policy for software updates, you must select Enable NAP evaluation on the NAP Evaluation tab in software update properties.

For more information, see the Introduction to Software Updates in Configuration Manager topic in the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide. Application Management Applications are new in System Center 2012 Configuration Manager and have the following characteristics: Applications contain the files and information necessary to deploy a software package to a computer or a mobile device. Applications contain multiple deployment types that contain the files and commands necessary to install the software. For example, an application could contain deployment types for a local installation of a software package, a virtual application package or a version of the application for mobile devices. Requirement rules define conditions that specify how an application is deployed to client devices. For example, you can specify that the application should not be installed if the destination computer has less than 2GB RAM or you could specify that a virtual application deployment type is installed when the destination computer is not the primary device of the user. Global conditions are similar to requirement rules but can be reused with any deployment type. User device affinity allows you to associate a user with specified devices. This allows you to deploy software to a user rather than a device. For example, you could deploy an application so that it only installs on the primary device of the user. On devices that are not the primary device of the user, you could deploy a virtual application that is removed when the user logs out. Deployments are used to distribute applications. A deployment can have an action which specifies whether to install or uninstall the application and a purpose which specifies whether the application must be installed or whether the user can choose to install it.

66

System Center 2012 Configuration Manager can use detection methods to determine if a deployment type has already been installed on a device by using product information, or a script. Application management supports the new monitoring features in System Center 2012 Configuration Manager. The status of an application deployment can be monitored directly in the Configuration Manager console. Packages and programs from Configuration Manager 2007 are supported in System Center 2012 Configuration Manager and can use some of the new deployment and monitoring features. You can now deploy a task sequence on the Internet, as a method to deploy a script, for example, prior to installing a package and program. It is still not supported to deploy an operating system over the Internet. Software Center is a new client interface that allows users to request and install applications, control some client functionality, and to access the Application Catalog, which contains details about all available applications. When you deploy software to users, users no longer have to log off and back on again for Configuration Manager to include the new software deployment in the user policy. However, if the deployment uses a Windows group and you have newly added the user to this group, the Windows requirement for the user to log off and back on again to receive the new Windows group membership still applies before the user can receive the user-targeted software deployment.

The following are new or changed for virtual application (App-V) deployment in System Center 2012 Configuration Manager: Virtual applications support App-V Dynamic Suite Composition by using Configuration Manager local and virtual application dependencies. You can selectively publish the components of a virtual application to client computers. Performance improvements when publishing application shortcuts to client computers. Clients now check more quickly for required installations after logon. Clients also now check for required installations when the desktop is unlocked. Applications can be deployed to users of Remote Desktop Services or Citrix servers when other users are logged in. System Center 2012 Configuration Manager supports streaming virtual applications over the Internet from an Internet-based distribution point. Streaming support for packages suited together using Dynamic Suite Composition. In Configuration Manager 2007, you had to enable streaming support for virtual applications on each distribution point. In System Center 2012 Configuration Manager, all distribution points are automatically capable of virtual application streaming. Reduced disk space usage on distribution points as application content is no longer duplicated for multiple application revisions. Virtual application content is no longer persisted by default in the Configuration Manager client cache. You can no longer create virtual applications by using Configuration Manager packages and programs. You must use Configuration Manager application management.
67

Configuration Manager supports migrating virtual application packages from Configuration Manager 2007 to System Center 2012 Configuration Manager. When you migrate an App-V package from Configuration Manager 2007, the migration Wizard will create this as a System Center 2012 Configuration Manager application. The Configuration Manager 2007 client option Allow virtual application package advertisement has been removed. In System Center 2012 Configuration Manager, virtual applications can be deployed by default. Virtual applications that are deployed from an App-V Server are not deleted by the Configuration Manager client. Configuration Manager hardware inventory can be used to inventory virtual applications deployed by an App-V Server. Application content that has been downloaded to the App-V cache is not downloaded to the Configuration Manager client cache. Note To modify a virtual application, you must first create it as a Configuration Manager application.

For more information, see the Introduction to Application Management in Configuration Manager topic in the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide. Operating System Deployment The following items are new or have changed for operating system deployment since Configuration Manager 2007: You can apply Windows Updates by using Component-Based Servicing (CBS) to update the Windows Imaging Format (WIM) files that are stored in the Image node of the Software Library workspace. The Task Sequence Media Wizard includes steps to add prestart command files (formerly pre-execution hooks) to prestaged media, bootable media, and stand-alone media. For more information about how to deploy operation system including using prestart commands when you create media, see one of the following sections in the How to Deploy Operating Systems by Using Media in Configuration Manager topic: How to Create Prestaged Media How to Create Bootable Media How to Create Stand-alone Media

When you create media that deploys an operating system, you can configure the Task Sequence Media Wizard to suppress the Task Sequence wizard during operating system installation. This configuration enables you to deploy operating systems without end-user intervention. For more information about how to create media by using the Task Sequence Media Wizard, see How to Deploy Operating Systems by Using Media in Configuration Manager.

You can define a deployment in a prestart command that overrides existing deployments to the destination computer. Use the SMSTSPreferredAdvertID task sequence variable to
68

configure the task sequence to use the specific Offer ID that defines the conditions for the deployment. You can use the same task sequence media to deploy operating systems to computers anywhere in the hierarchy. For more information about how to create media by using the Task Sequence Media Wizard, see How to Deploy Operating Systems by Using Media in Configuration Manager. The Capture User State task sequence action and the Restore User State task sequence steps support new features from the User State Migration Tool (USMT) version 4. For more information about capturing and restoring the user state, see How to Manage the User State in Configuration Manager. You can use the Install Application task sequence step to deploy applications when you deploy an operating system. For more information about task sequences, see Planning a Task Sequences Strategy in Configuration Manager. You can associate a user with the computer where the operating system is deployed to support user device affinity actions. For more information about creating an association between users and the destination computer, see How to Associate Users with a Destination Computer. For more information about how to manage user device affinity, see How to Manage User Device Affinity in Configuration Manager. The functionality of the PXE service point and its configuration is moved to the distribution point to increase scalability. For more information about creating a distribution point that accepts PXE requests, see the Creating Distribution Points that Accept PXE Requests section of the How to Deploy Operating Systems by Using PXE in Configuration Manager topic. CMTrace, the Configuration Manager log viewer tool, is added to all boot images that are added to the Software Library. For more information about boot images, see Planning for Boot Image Deployments in Configuration Manager. For more information, see the Introduction to Operating System Deployment in Configuration Manager topic in the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide. Content Management The following items are new or have changed for content management since Configuration Manager 2007: Branch distribution points were available in Configuration Manager 2007 to distribute content, for example, to a small office with limited bandwidth. In System Center 2012 Configuration Manager, there is only one distribution point type with the following new functionality: You can install the distribution point site system role on client or server computers.
69

You can configure bandwidth settings, throttling settings, and schedule content distribution between the site server and distribution point. You can prestage content on remote distribution points and manage how Configuration Manager updates content to the prestaged distribution points. The PXE service point and the associated settings are in the properties for the distribution point.

In Configuration Manager 2007, you configure a distribution point as protected to prevent clients outside the protected boundaries from accessing the distribution point. In System Center 2012 Configuration Manager, preferred distribution points replace protected distribution points. Distribution point groups provide a logical grouping of distribution points for content distribution. You can add one or more distribution points from any site in the Configuration Manager hierarchy to the distribution point group. You can also add the distribution point to more than one distribution point group. This expanded functionality lets you manage and monitor content from a central location for distribution points that span multiple sites. The content library in System Center 2012 Configuration Manager is the location that stores all content files for software updates, applications, operating system deployment, and so on. The content library provides a single instance store for content files on the site server and distribution points, and provides an advantage over content management functionality in Configuration Manager 2007. For example, in Configuration Manager 2007, you might distribute the same content files multiple times by using different deployments and deployment packages. The result was that the same content files were stored multiple times on the site server and on distribution points and added unnecessary processing overhead and excessive hard disk space requirements. You can prestage content, which is the process to copy content, to the content library on a site server or distribution point before you distribute the content. Because the content files are already in the content library, Configuration Manager does not copy the files over the network when you distribute the content. The Configuration Manager console provides content monitoring that includes the status for all package types in relation to the associated distribution points, the status of content assigned to a specific distribution point group, the state of content assigned to a distribution point, and the status of optional features for each distribution point. You can enable content validation on distribution points to verify the integrity of packages that have been distributed to the distribution point. In Configuration Manager 2007, content files are automatically distributed to the disk drive with the most amount of free space. In System Center 2012 Configuration Manager, you configure the disk drives on which you want to store content and configure the priority for each drive when Configuration Manager copies the content files. BranchCache has been integrated in System Center 2012 Configuration Manager so that you can control usage at a more detailed level. You can configure the BranchCache settings on a deployment type for applications and on the deployment for a package.

For more information, see the Introduction to Content Management in Configuration Manager topic in the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide.
70

Monitoring and Reporting

The following sections contain information about changes from Configuration Manager 2007 that relate to monitoring and reporting in System Center 2012 Configuration Manager. Reporting The following items are new or have changed for reporting since Configuration Manager 2007: Configuration Manager no longer uses the reporting point; the reporting services point is the only site system role that Configuration Manager now uses for reporting. Full integration of the Configuration Manager 2007 R2 SQL Server Reporting Services solution: In addition to standard report management, Configuration Manager 2007 R2 introduced support for SQL Server Reporting Services reporting. System Center 2012 Configuration Manager integrates the Reporting Services solution, adds new functionality, and removes standard report management as a reporting solution. Report Builder 2.0 integration: System Center 2012 Configuration Manager uses Microsoft SQL Server 2008 Reporting Services Report Builder 2.0 as the exclusive authoring and editing tool for both model-based and SQL-based reports. Report Builder 2.0 is automatically installed when you create or modify a report for the first time. Report subscriptions in SQL Server Reporting Services let you configure the automatic delivery of specified reports by email or to a file share in scheduled intervals. You can run Configuration Manager reports in the Configuration Manager console by using Report Viewer, or you can run reports from a browser by using Report Manager. Both methods for running reports provide a similar experience. Reports in Configuration Manager are rendered in the locale of the installed Configuration Manager console. Subscriptions are rendered in the locale that SQL Server Reporting Services is installed. When you author a report, you can specify the assembly and expression.

For more information, see the Introduction to Reporting in Configuration Manager topic in the Site Administration for System Center 2012 Configuration Manager guide. Alerts Alerts are new in System Center 2012 Configuration Manager and provide near real-time awareness of current site operations and conditions in the Configuration Manager console. Alerts are state-based and will automatically update when conditions change. System Center 2012 Configuration Manager alerts are not similar to status messages in Configuration Manager, nor are they similar to alerts in other System Center products, such as those found in Microsoft System Center Operations Manager 2007. For more information, see the Configuring Alerts in Configuration Manager topic in the Site Administration for System Center 2012 Configuration Manager guide. Monitoring Database Replication You can monitor the status of System Center 2012 Configuration Manager data replication by using the Database Replication node in the Monitoring workspace of the Configuration Manager console.
71

For more information, see the How to Monitor Database Replication and SQL Server Status for Database Replication section in the Monitor Configuration Manager Sites and Hierarchy topic from the Site Administration for System Center 2012 Configuration Manager guide.

See Also
Getting Started with System Center 2012 Configuration Manager

Whats New in Configuration Manager SP1

Note The information in this topic applies only to System Center 2012 Configuration Manager SP1. Use the following sections to review information about significant changes in System Center 2012 Configuration Manager SP1 since System Center 2012 Configuration Manager: Setup and Site Installation Sites and Hierarchies Migration Client Deployment and Operations Software Deployment and Content Management Monitoring and Reporting

One of the most significant changes is support for Windows 8 for Configuration Manager clients. Configuration Manager SP1 supports Windows 8 in the following ways: You can install the Configuration Manager client on Windows 8 computers and deploy Windows 8 to new computers or to upgrade previous client operating versions. Configuration Manager also supports Windows To Go. You can configure user data and profiles configuration items for folder redirection, offline files, and roaming profiles. You can configure new deployment types for Windows 8 applications, which support standalone applications (.appx files) and links to the Windows Store. Configuration Manager supports Windows 8 features, such as metered Internet connections and Always On Always Connected. Support for Windows Server 2012 on site systems and clients, and support for SQL Server 2012 for the Configuration Manager database. Support for clients on Mac computers, and on Linux and UNIX servers. Support for user-owned mobile devices that run Windows Phone 8, Windows RT, iOS, and Android when you have a Windows Intune organizational account. Windows PowerShell cmdlets are available to automate Configuration Manager operations by using Windows PowerShell scripts. Support for cloud services, such as a new distribution point for Windows Azure.
72

Other significant changes include the following:

More flexible hierarchy management, along with support to expand a stand-alone primary site into a hierarchy that includes a new central administration site, and the migration of a Configuration Manager SP1 hierarchy to another Configuration Manager SP1 hierarchy. Support for multiple software update points for a site to provide automatic redundancy for clients without requiring you to configure a network load balancing cluster. Client notification to start some client operations from the Configuration Manager console. These include downloading computer policy and initiating a malware scan to be performed as soon as possible, instead of during the normal client policy polling interval. Support for virtual environments that allow multiple virtual applications to share file system and registry information instead of running in an isolated space. Email alert subscriptions are now supported for all features, not just Endpoint Protection.

For more information about the supported operating system versions and editions that Configuration Manager SP1 supports, see Supported Configurations for Configuration Manager. You can read more detailed information about these changes in the following sections.

Setup and Site Installation

The following sections contain information about setup and site installation changes in Configuration Manager SP1. Site Installation The following options in Setup for site installation are new or have changed for Configuration Manager SP1: With System Center 2012 Configuration Manager SP1 there is a new option when you install a central administration site. You have the option to install the central administration site as the first site of a new hierarchy, or install the central administration site to expand a standalone primary site into a hierarchy with the new central administration site.

For more information, see the Expand a Stand-Alone Primary Site into a Hierarchy with a Central Administration Site topic in the Site Administration for System Center 2012 Configuration Manager guide. Upgrade Support You can upgrade from System Center 2012 Configuration Manager to System Center 2012 Configuration Manager SP1. For more information, see Planning to Upgrade System Center 2012 Configuration Manager in the Site Administration for System Center 2012 Configuration Manager guide. Windows PowerShell After you have installed Configuration Manager SP1, you can automate console operations by using Windows PowerShell cmdlets. For example, you can create user and device collections, configure client settings, and create email subscriptions for alerts. Configuration Manager SP1 requires Windows PowerShell 3.0.

73

To open a Windows PowerShell session, click the Application menu, and then select Connect via Windows PowerShell. To discover which cmdlets are available, type the following command at the Windows PowerShell prompt. get-command -module ConfigurationManager Tip All Configuration Manager cmdlets include the CM prefix in their name. For more information about Configuration Manager cmdlets, see Cmdlets in Configuration Manager SP1.

Sites and Hierarchies

The following sections contain information about site and hierarchy changes in Configuration Manager SP1. Note The Active Directory schema extensions for System Center 2012 Configuration Manager SP1 are unchanged from those used by System Center 2012 Configuration Manager. If you extended the schema for Configuration Manager 2007 or for System Center 2012 Configuration Manager, you do not have to extend the schema again for System Center 2012 Configuration Manager SP1. Site to Site Communication The following items are new or have changed for site communication for Configuration Manager SP1: File replication routes replace addresses for file-based replication between sites. This is only a change in the name for file-based replication and brings consistency with database replication. There is no change in functionality. Configure database replication links between site databases to control and monitor the network traffic for database replication: Use distributed views to prevent the replication of selected site data from a primary site to the central administration site. The central administration site then accesses this data directly from the primary site database. Schedule the transfer of selected site data across database replication links. Control the frequency that replication traffic is summarized for reports. Define custom thresholds that raise alerts for replication problems. Change the port that Configuration Manager uses for the SQL Server Service Broker. Configure the period of time to wait before a replication failure triggers a site to reinitialize its local copy of global data. Configure a site database to compress the data that it replicates by database replication. The data is compressed only for transfer between sites, and not for storage in the site database at either site.
74

Configure replication controls for the SQL Server database at a site:

For more information about file replication, see the File-Based Replication section in the Planning for Communications in Configuration Manager topic. For more information about database replication links, see the Database Replication Links section in the Planning for Communications in Configuration Manager topic. For more information about replication controls for the SQL Server database, see the Site Database Replication Controls section in the Planning for Communications in Configuration Manager topic. Backup and Recovery The following item is new in backup and recovery in Configuration Manager SP1: You can recover a secondary site by using the Recover Secondary Site action from the Sites node in the Configuration Manager console. During the recovery, the secondary site files are installed on the destination computer and then the secondary site data is reinitialized with data from the primary site. The secondary site that you recover must have the same FQDN, meet all secondary site prerequisites, and you must configure appropriate security rights for the secondary site. For more information about secondary site security requirements, see the Install a Secondary Site section in the Install Sites and Create a Hierarchy for Configuration Manager topic. For more information about how to secondary site recovery, see the Recover a Secondary Site section in the Backup and Recovery in Configuration Manager topic.

Site System Roles The following are new for site system roles in Configuration Manager SP1: Configuration Manager primary sites now support distribution points that run as a cloud service in Windows Azure. Clients can use the cloud-based distribution point as standard content location or as a fallback location, after the client receives client settings that enable the use of cloud-based distribution points. For more information, see the Planning for Cloud Services in Configuration Manager topic in the Site Administration for System Center 2012 Configuration Manager guide. You can configure a proxy server on each site system server for use by all site system roles installed on that computer. This is not a new site system role, but a configuration for site system server computers. For more information, see the Planning for Proxy Servers Configurations for Site System Roles section in the Planning for Site Systems in Configuration Manager topic.

Migration
The following items are new for migration in Configuration Manager SP1: You can merge hierarchies from other organizations that also use Configuration Manager SP1 into your Configuration Manager SP1 hierarchy. You can migrate data from your Configuration Manager SP1 test environment into your Configuration Manager SP1 production environment.
75

Some UI labels and descriptions are updated to reflect the change in functionality that lets you migrate from one Configuration Manager SP1 hierarchy to another.

For more information about migration, see Introduction to Migration in System Center 2012 Configuration Manager.

Client Deployment and Operations

The following sections contain information about client deployment and client operations changes in Configuration Manager SP1. Client Deployment The following items are new or have changed for client deployment in Configuration Manager SP1: Configuration Manager can automatically upgrade Configuration Manager 2007 and System Center 2012 Configuration Manager clients to the version of their assigned System Center 2012 Configuration Manager site. For more information see the How to Automatically Upgrade the Configuration Manager Client for the Hierarchy section in the topic How to Install Clients on Windows-Based Computers in Configuration Manager. You can now specify the following CCMSetup.exe properties as installation options when you use client push: /forcereboot /skipprereq /logon /BITSPriority /downloadtimeout /forceinstall

Configuration Manager SP1 clients now use Microsoft Silverlight 5 for the Application Catalog. Configuration Manager automatically installs this version of Silverlight on clients if it is not already installed, and by default, configures the Computer Agent client setting Allow Silverlight applications to run in elevated trust mode to Yes. For more information, see the Certificates for Silverlight 5 and Elevated Trust Mode Required for the Application Catalog section in the Security and Privacy for Application Management in Configuration Manager topic. There is a new value that is now the default for the Computer Agent client setting, PowerShell execution policy: All Signed. This new value restricts the Configuration Manager client to running Windows PowerShell scripts only if they are signed by a trusted publisher, regardless of the current Windows PowerShell configuration on the client computer. For more information, see the Computer Agent section in the About Client Settings in Configuration Manager topic. The new Computer Agent client setting, Disable deadline randomization, by default, disables the installation randomization delay for required software updates and required application deployments. For more information, see the Computer Agent section in the About Client Settings in Configuration Manager topic.
76

Client notification in Configuration Manager enables some client operations to be performed as soon as possible, instead of during the usual client policy polling interval. For example, you can use the client management task Download Computer Policy to instruct computers to download policy as soon as possible. Additionally, you can initiate some actions for Endpoint Protection, such as a malware scan of a client. By default, client notification communication uses TCP port 10123, which is configurable as a site property for a primary site. You might have to configure Windows Firewall on the management point, clients, and any intervening firewalls for this new port communication. However, client notification can fall back to using the established client-to-management point communication of HTTP or HTTPS. Actions taken by client notification are displayed in the new Client Operations node in the Monitoring workspace. For more information, see How to Configure Client Communication Port Numbers in Configuration Manager and How to Manage Clients in Configuration Manager.

You can install the Configuration Manager client on computers that run Mac OS X. You can then manage this client by using compliance settings, deploying software, and by collecting hardware inventory. For more information, see How to Install Clients on Mac Computers in Configuration Manager. You can install the Configuration Manager client on servers that run a supported version of Linux or UNIX. You can then manage this client by using deploying software, and by collecting hardware inventory. For more information, see How to Install Clients on Linux and UNIX Computers in Configuration Manager.

For more information, see the Introduction to Client Deployment in Configuration Manager topic in the Deploying Clients for System Center 2012 Configuration Manager guide. Mobile Devices The following items are new or have changed for mobile devices in Configuration Manager SP1: The client settings group to configure mobile device enrollment settings is no longer named Mobile Devices but Enrollment. This change and associated changes, such as the change from the client setting of Mobile device enrollment profile to Enrollment profile, reflects that the enrollment functionality is now extended to Mac computers. Important The client certificates for mobile devices and Mac computers have different requirements. Therefore, if you configure client settings enrollment for mobile devices and Mac computers, do not configure the certificate templates to use the same user accounts. Mobile devices that are enrolled by Configuration Manager SP1 now use the client policy polling interval setting in the Client Policy client setting group and no longer use the polling interval in the renamed Enrollment client setting group. This change lets you configure different client policy intervals for mobile devices that are enrolled by Configuration Manager, by using custom device client settings. You cannot create custom device client settings for Enrollment.

77

You can enroll mobile devices that run Windows Phone 8, Windows RT, and iOS when you use the Windows Intune connector. For more information, see How to Manage Mobile Devices by Using the Windows Intune Connector in Configuration Manager. Users who have mobile devices that are enrolled by Windows Intune and Android devices that are managed by the Exchange Server connector can install apps from the company portal. The company portal is the Application Catalog equivalent for these mobile devices. The new Retire option for mobile devices in the Configuration Manager console is supported only for mobile devices that are enrolled by Windows Intune.

Client Management The following items are new or have changed for client management in Configuration Manager SP1: The Configuration Manager SP1 client supports Windows 8 Always On Always Connected. The Configuration Manager client can now detect power states for devices that support Always On Always Connected and therefore, these clients might delay client actions. This automatic adjustment helps to maximize performance and preserve battery life for the device. The Configuration Manager client can detect the following states on an Always On Always Connected device. Whether networking is turned on or off Whether the device is running on battery power or plugged in The battery power remaining Whether the device is in idle mode Whether the device is in its Windows Automatic Maintenance window Whether the device is using a metered Internet connection Note These changes can also improve performance of the Configuration Manager client on computers that do not support Always On Always Connected. Configuration Manager supports Always On Always Connected devices that run Windows 8 versions on x86 and x64 platforms. Configuration Manager does not support Always On Always Connected for Windows 8 RT devices. Client notification in Configuration Manager lets some client operations be performed as soon as possible, instead of during the usual client policy polling interval. For example, you can use the client management task Download Computer Policy to instruct computers to download policy as soon as possible. Additionally, you can start some actions for Endpoint Protection, such as a malware scan of a client. Actions taken by client notification are displayed in the new Client Operations node in the Monitoring workspace. For more information, see How to Manage Clients in Configuration Manager. You can manage how Windows 8 client computers transfer data over metered Internet connections by using the Metered Internet Connections client setting Specify how clients communicate on metered network connections and the software deployment setting Allow clients to use a metered Internet connection to download content after the
78

installation deadline in a required software deployment. For more information, see the Metered Internet Connections section in the About Client Settings in Configuration Manager topic. When Configuration Manager SP1 clients run Windows 7, Windows 8, Windows Server 2008 R2, or Windows Server 2012, you can supplement the Wake on LAN site setting for unicast packets by using the wake-up proxy client settings. This combination helps to wake up computers on subnets without the requirement to reconfigure network switches. For more information about wake-up proxy, see the Planning How to Wake Up Clients in the Planning for Communications in Configuration Manager topic.

For more information, see the Introduction to Client Deployment in Configuration Manager and How to Manage Clients in Configuration Manager topics in the Deploying Clients for System Center 2012 Configuration Manager guide. Collections The following items are new or have changed for collections in Configuration Manager SP1: The built-in collections are now read-only and cannot be modified. For more information, see the Introduction to Collections in Configuration Manager topic in the Assets and Compliance in System Center 2012 Configuration Manager guide. Compliance Settings The following items are new or have changed for compliance settings in Configuration Manager SP1: You can now configure user data and profiles configuration items that contain settings that control how users in your hierarchy manage folder redirection, offline files, and roaming profiles on computers that run Windows 8. You can deploy these settings to collections of users and then monitor their compliance from the Monitoring node of the Configuration Manager console. For more information, see How to Create User Data and Profiles Configuration Items in Configuration Manager. The new Mac OS X configuration item enables you to evaluate and remediate property list (.plist) settings on Mac computers. You can also use shell scripts to evaluate and remediate other Mac settings. For more information, see How to Create Mac Computer Configuration Items in Configuration Manager. For more information, see the Introduction to Compliance Settings in Configuration Manager topic in the Assets and Compliance in System Center 2012 Configuration Manager guide. Endpoint Protection The following items are new or have changed for Endpoint Protection in Configuration Manager SP1: You can now enable an Endpoint Protection client setting that commits the installation of the Endpoint Protection client on Windows Embedded devices that are write filter enabled. For

79

more information about this client setting, see the Endpoint Protection section in the About Client Settings in Configuration Manager topic. Additionally, definition updates that are deployed by software updates can be configured to write to the overlay on Windows Embedded devices, so that these updates are installed immediately and without a restart. For more information, see the Support for Windows Embedded Devices That Use Write Filters section in the Introduction to Software Updates in Configuration Manager topic. You can now configure the Endpoint Protection client to install only during configured maintenance windows. The maintenance window must be at least 30 minutes long to allow installation to occur. Endpoint Protection in Configuration Manager now uses client notification to start the following actions as soon as possible, instead of during the normal client policy polling interval: Force antimalware definition updates Run quick scans Run full scans Allow threats Exclude folders and files Restore quarantined files

Improvements to software updates to allow more frequent distribution of Endpoint Protection definition updates. Multiple antimalware policies that are deployed to the same client computer are merged on the client. When two settings are in conflict, the highest priority option is used. Some settings are also merged, such as exclusion lists from separate antimalware policies. Client-side merge also honors the priority that you configured for each antimalware policy. A software update deployment template named Definition Updates is included in the Deploy Software Updates Wizard and Automatic Deployment Rule Wizard. This template includes typical settings to use when you deploy definition software updates for Endpoint Protection.

For more information, see the Introduction to Endpoint Protection in Configuration Manager topic in the Assets and Compliance in System Center 2012 Configuration Manager guide. Asset Intelligence The following items are new for Asset Intelligence in Configuration Manager SP1: Asset Intelligence supports the 7 mandatory software identification tags that are defined in ISO/IEC 19770-2. The ISO/IEC 19770-2 standard specifies the structure and basic usage of software identification. Software identification tags provide authoritative information that is used to identify installed software. If software contains software identification tag information that is compliant with ISO/IEC 19770-2, then Asset Intelligence collects the software identification tags from the software. Note

80

You must enable the SMS_SoftwareTag Asset Intelligence hardware inventory reporting class before Configuration Manager will collect the software identification tags. Asset Intelligence provides the three new reports that provide information about software with the software identification tags. The report titles start with Software 14A, Software 14B, and Software 14C. Asset Intelligence collects information about Application Virtualization 5 applications and continues to collect information about Application Virtualization 4.

For more information about Asset Intelligence, see the Introduction to Asset Intelligence in Configuration Manager topic in the Assets and Compliance in System Center 2012 Configuration Manager guide.

Software Deployment and Content Management

The following sections contain information about changes for software updates, software distribution, operating system deployment and task sequences in Configuration Manager SP1. Software Updates The following items are new or have changed for software updates in Configuration Manager SP1: Software update points are redesigned in Configuration Manager SP1. You can install multiple software update point site systems at a site. You can configure a software update point to be in the same forest as the site server or in a different forest, and whether to accept communication from clients on the Internet, intranet, or both. This behavior provides a level of fault tolerance without requiring a network load balancing (NLB) cluster. You cannot install more than one software update point in a secondary site. For more information, see the Determine the Software Update Point Infrastructure section in the Planning for Software Updates in Configuration Manager topic. Note The active software update point concept is deprecated in Configuration Manager SP1. You no longer have the option to configure a software update point as an NLB in the Configuration Manager console. Before you upgrade from Configuration Manager with no service pack to Configuration Manager SP1, you must remove the NLB for your active software update point. After the upgrade is complete, you have the option to reconfigure the NLB by using the Set-CMSoftwareUpdatePoint PowerShell cmdlet. For more information about a software update point configured to use an NLB, see Software Update Point Configured to Use an NLB section in the Planning for Software Updates in Configuration Manager topic. For more information about the Set-CMSoftwareUpdatePoint PowerShell cmdlet, see the Set-CMSoftwareUpdatePoint topic in the System Center 2012 Configuration Manager SP1 Cmdlet Reference guide. At the top-level Configuration Manager site, you can now specify an existing WSUS server as the upstream synchronization source location. During synchronization, the site connects to this location to synchronize software updates. For example, if you have an existing WSUS
81

server that is not part of the Configuration Manager hierarchy, you can specify the existing WSUS server to synchronize software updates. You can select from two built-in software update deployment templates from the Automatic Deployment Rule Wizard. The Definition Updates template provides common settings to use when you deploy definition software updates. The Patch Tuesday template provides common settings to use when you deploy software updates on a monthly cycle. In the software update point properties, you can provide credentials for the site server to use to connect to the WSUS server. You can specify this account to connect to a software update point in a different forest, for example. You can run an automatic deployment rule up to 3 times per day to align with the Microsoft System Center Endpoint Protection definition updates publishing frequency. You can select multiple software updates to install as a group from Software Center. You can control the behavior of the write filter on Windows Embedded devices when you deploy software updates by using the new user experience setting of Commit changes at deadline or during a maintenance windows (requires restarts). For more information about how Configuration Manager manages embedded devices that use write filters, see the Deploying the Configuration Manager Client to Windows Embedded Devices section in the Introduction to Client Deployment in Configuration Manager topic. The new Computer Agent client setting, Disable deadline randomization, by default, disables the installation randomization delay for required software updates and required application deployments. For more information, see the Computer Agent section in the About Client Settings in Configuration Manager topic.

For more information, see the Introduction to Software Updates in Configuration Manager topic in the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide. Application Management The following items are new or have changed for application management in Configuration Manager SP1: App-V virtual environments in Configuration Manager enable virtual applications to share the same file system and registry on client computers. This allows applications that are in the same virtual environment to share data with one other. For more information, see How to Create App-V Virtual Environments in Configuration Manager. You can configure new deployment types for Windows 8 applications that support standalone applications (.appx files) and links to the Windows Store. Configuration Manager includes a new deployment type that you can use to deploy virtual applications that you have created by using Microsoft Application Virtualization 5.0. Configuration Manager includes a new deployment type that you can use to deploy applications to Mac computers that run the Configuration Manager client. Configuration Manager includes new deployment types for the following mobile devices when you use the Windows Intune connector: Windows Phone 8, Windows RT, iOS, and Android. Users download these apps from the new self-service portal for mobile devices, the company

82

portal. For more information, see How to Manage Mobile Devices by Using the Windows Intune Connector in Configuration Manager. You can control the behavior of the write filter on Windows Embedded devices when you deploy applications, and packages and programs, by using the new user experience setting of Commit changes at deadline or during a maintenance windows (requires restarts). For Windows Embedded devices that have the write filter enabled: Software deployments that have a purpose of Available are not supported. If you target a software deployment to these devices, users can see the deployment in Software Center but if they try to install it from there, they see an error message that they do not have permissions. Users on these devices cannot configure their business hours in Software Center. Users on these devices do not see user notifications to let them postpone a software deployment to nonbusiness hours.

Users can no longer install applications from the Application Catalog if the Client Policy client setting Enable user policy polling on clients is set to No. The new Computer Agent client setting, Disable deadline randomization, by default, disables the installation randomization delay for required software updates and for required application deployments. For more information, see the Computer Agent section in the About Client Settings in Configuration Manager topic.

For more information, see the Introduction to Application Management in Configuration Manager topic in the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide. Operating System Deployment The following items are new or have changed for operating system deployment in Configuration Manager SP1: Changes to Configuration Manager Setup: Configuration Manager SP1 uses the Windows Assessment and Deployment Kit (Windows ADK) instead of Windows Automated Installation Kit (Windows AIK) to deploy an operating system. Before you run Setup, you must download and install Windows ADK on the site server and the provider computer. The User State Migration Tool (USMT) for Windows 8 is installed as part of the Windows ADK. At the top-level site, Setup automatically creates the package for this new version of USMT at the site. Setup automatically updates default boot images at the site. You must manually update any custom boot images. The default task sequences were changed to optimize the deployment of operating systems starting with Windows 7. Support for computers that are in Unified Extensible Firmware Interface (UEFI) mode. The task sequence sets the SMSTSBootUEFI built-in task sequence variable when it detects a computer that is in UEFI mode.
83

Changes to task sequence:

The default task sequence automatically partitions the computer based on whether it was booted in UEFI mode or BIOS mode (conditioned based on the value of the _SMSTSBootUEFI variable). The build and capture task sequence was updated to apply an operating system image instead of running Setup.exe for installation. You can still run Setup.exe for Windows 8 deployments by editing the task sequence in the task sequence editor. Support for operating system deployments to devices with limited available disk space, such as embedded devices. You can configure the Apply Operating System Image step to install the image directly from a distribution point even if the task sequence deployment is configured to download content to the task sequence cache first. You can control the behavior of write filters on Windows Embedded devices when you deploy task sequences. Note For information about task sequences, see Planning a Task Sequences Strategy in Configuration Manager.

Changes to how you create pre-staged media: You can specify applications, packages, and driver packages to deploy with the operating system. When you deploy the task sequence by using pre-staged media, the wizard checks the local task sequence cache for valid content first, and if the content cannot be found or was revised, the content is downloaded from the distribution point. Note For information about how to create pre-staged media, see the How to Create Prestaged Media section in the How to Deploy Operating Systems by Using Media in Configuration Manager topic.

Changes to BitLocker support: Use the Pre-provision BitLocker task sequence step to encrypt the disk drive from Windows PE and only encrypt the space that is used by data. The result is much faster encryption times. For more information, see the Pre-provision BitLocker section in the Task Sequence Steps in Configuration Manager topic. TPM and PIN is now available as one of the key management options for the current operating system drive in the Enable BitLocker task sequence step. For more information, see the Enable BitLocker section in the Task Sequence Steps in Configuration Manager topic.

You can configure the Windows PE scratch space in the boot image properties. For more information, see the How to Modify a Boot Image section in the How to Manage Boot Images in Configuration Manager topic. Added language neutral boot images: You can use the SMSTSLanguageFolder built-in variable to change the language for information displayed by Windows PE. Languages are auto-detected and used when boot images are started from Software Center.
84

Note For information about boot image deployments, see Planning for Boot Image Deployments in Configuration Manager. Added the following task sequence built-in variables: SMSTSPersistContent: Use this variable to temporarily persist content in the task sequence cache. SMSTSPostAction: Use this variable to run a command after the task sequence is completed. SMSTSLanguageFolder: Use this variable to change the display language of a language neutral boot image. OSDPreserveDriveLetter: This variable determines whether the task sequence uses the drive letter on the operating system image WIM file. In Configuration Manager with no service pack, the drive letter on the WIM file was used when it applied the operating system image WIM file. In Configuration Manager SP1, you can set the value for this variable to False to use the drive letter that you specify in the task sequence. SMSTSDownloadProgram: Use this variable to specify an Alternate Content Provider, a downloader program that is used to download content instead of the default Configuration Manager downloader, for the task sequence. As part of the content download process, the task sequence checks the variable for a specified downloader program. If specified, the task sequence runs the program to perform the download. SMSTSAssignmentsDownloadInterval: Use this variable to specify the number of seconds to wait before the client tries to download the task sequence policy since the last attempt that returned no policies. You can set this variable by using a prestart command from media or PXE. SMSTSAssignmentsDownloadRetry: Use this variable to specify the number of times a client will attempt to download the task sequence policy after no policies are found on the first attempt. You can set this variable by using a prestart command from media or PXE. _SMSTSBootUEFI: The task sequence sets the _SMSTSBootUEFI variable when it detects a computer that boots in UEFI mode. _SMSTSWTG: Specifies if the computer is running as a Windows To Go device. Note For more information about built-in task sequence variables, see the Task Sequence Built-in Variables in Configuration Manager topic. Changes to software update installation for offline operating system images: Ability to continue to update an image even when one or more software updates cannot be installed. Software updates are copied from the content library on the site server instead of the package source.

Ability to provision Windows To Go in Configuration Manager. Windows To Go is an operating system stored on a USB-connected external drive. You can provision the Windows To Go drive the same as you pre-stage media in Configuration Manager. For more
85

information about how to provision Windows To Go, see How to Provision Windows To Go in Configuration Manager. Better monitoring and status for task sequence content and task sequence deployments. New deployment setting lets you deploy task sequences that are available only in Windows PE. You can manage Windows PE optional components from the Optional Components tab in the properties for boot images. You can export and import driver packages from the Driver Packages node in the Software Library workspace.

Content Management The following items are new or have changed for content management in Configuration Manager SP1: You can configure the drive location for the content library in the Create Site System Server Wizard and Add Site System Roles Wizard when you create the distribution point site role. You can configure some distribution points as pull-distribution points. When you distribute content to a pull-distribution point, the Configuration Manager site server does not transfer the content that you distribute to the distribution point computer. Instead, Configuration Manager notifies the pull-distribution point which then transfers the content from a source distribution point that you specify.

For more information, see the Introduction to Content Management in Configuration Manager topic in the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide.

Monitoring and Reporting

The following sections contain information about monitoring and reporting changes in Configuration Manager SP1. Reporting The following items are new or have changed for reporting in Configuration Manager SP1: Configuration Manager SP1 supports Microsoft SQL Server 2012 Reporting Services. When Microsoft SQL Server 2012 or SQL Server 2008 R2 runs on the Reporting Services point, Configuration Manager opens Reporting Services Report Builder 3.0 when you create or change reports. When Microsoft SQL Server 2008 runs on the Reporting Services point, Configuration Manager opens Reporting Services Report Builder 2.0 when you create or change reports. Software metering reports filter content based on the administrative scope that is configured for the current administrative user.

For more information, see the Introduction to Reporting in Configuration Manager topic in the Site Administration for System Center 2012 Configuration Manager guide.

86

Alerts The following items are new or have changed for alerts in Configuration Manager SP1: You can create email subscriptions to all alerts that are generated by Configuration Manager. For more information, see the Configuring Alerts in Configuration Manager topic in the Site Administration for System Center 2012 Configuration Manager guide.

See Also
Getting Started with System Center 2012 Configuration Manager

Whats New in the Documentation for Configuration Manager

Use this topic to track a summary of significant changes in the Documentation Library for System Center 2012 Configuration Manager. After the release, the documentation might be updated for new information, to incorporate customer feedback, and to make any corrections that might be required. Typically, any documentation changes are announced each month on the System Center Configuration Manager Team Blog, and then periodically summarized in this topic. Tip You can use the Configuration Manager Documentation Team Twitter feed to be notified about recent updates. In the release publication of the library, the following guides include information to help you be successful with Configuration Manager:
Guide Description

Getting Started with System Center 2012 Configuration Manager

This guide helps you get started with System Center 2012 Configuration Manager with an introduction to the product, whats new and changed since Configuration Manager 2007, basic concepts, and some frequently asked questions. This guide provides the information to help you plan, install, configure, and maintain System Center 2012 Configuration Manager. This information includes how to run Setup for the product. This guide provides information about migrating an existing Configuration Manager 2007 infrastructure to System Center 2012 Configuration Manager. This guide provides information to help you plan, install, configure, and manage client
87

Site Administration for System Center 2012 Configuration Manager

Migrating Hierarchies in System Center 2012 Configuration Manager

Deploying Clients for System Center 2012

Guide

Description

Configuration Manager

deployment in System Center 2012 Configuration Manager. This information includes enrolling mobile devices with Configuration Manager and how to manage mobile devices by using the Exchange Server connector. This guide provides information to help you plan, configure, and manage the deployment of software and operating systems in System Center 2012 Configuration Manager. This guide provides information to help you manage your devices (computers and mobile devices) in System Center 2012 Configuration Manager. This guide contains security-related information from the other Configuration Manager guides and privacy statements for the product.

Deploying Software and Operating Systems in System Center 2012 Configuration Manager

Assets and Compliance in System Center 2012 Configuration Manager

Security and Privacy for System Center 2012 Configuration Manager

For a glossary of terms and definitions, see Glossary for Microsoft System Center 2012 Configuration Manager.

What's New in the Documentation Library for May 2012

The following sections describe what's new in the Documentation Library for System Center 2012 Configuration Manager since the official documentation library release in March 2012. The topics that are listed are either new topics or topics that contain significant technical changes. Topics that contain minor changes are not listed. In addition, you can now download a copy of this technical documentation from the Microsoft Download Center. Always use the TechNet online library for the most up-to-date information. Getting Started with System Center 2012 Configuration Manager The following new or updated topics are from the Getting Started with System Center 2012 Configuration Manager guide.
Topic More information

Whats New in Configuration Manager

In the Sites and Hierarchies section, added a new section for Language Pack Support. This information is also clarified in the Client Deployment and Operations section, which contains the information that you no longer
88

Topic

More information

install International Client Packs (ICPs) when you want to support different languages on the client. Supported Configurations for Configuration Manager Frequently Asked Questions for Configuration Manager Updated for the latest support statements.

Updated for new questions that include the following: Where are the supported scenarios and network diagrams for Internet-based client management that you had for Configuration Manager 2007? Can I migrate maintenance windows? Which antimalware solutions can Endpoint Protection uninstall?

Information and Support for Configuration Manager

Updated the Search the Configuration Manager Documentation Library section to explain how to use the scoped search link, with examples and search tips.

Site Administration for System Center 2012 Configuration Manager The following new or updated topics are from the Site Administration for System Center 2012 Configuration Manager guide.
Topic More information

Planning for Site Systems in Configuration Manager Planning for Sites and Hierarchies in Configuration Manager

Updated the site system role placement for secondary sites. Updated for additional information about planning for language packs at Configuration Manager sites, clients, and the Configuration Manager console. Updated for the new section, Best Practices for Discovery. Updated for the information that the Application Catalog web service point, like the out of band service point, must reside in the same Active Directory forest as the site server. Other site system roles can be installed in other forests.
89

Planning for Discovery in Configuration Manager Planning for Communications in Configuration Manager

Topic

More information

This topic is also updated for a procedure how to manually publish management points to DNS on Windows Server. Install Sites and Create a Hierarchy for Configuration Manager Updated for a new section, Decommission Sites and Hierarchies, for information about how to uninstall Configuration Manager. In addition, the /TESTDBUPGRADE option is updated in the Using Command-Line Options with Setup section to clarify that this switch is not supported on a production database. Manage Site and Hierarchy Configurations Updated the Modify the Site Database Configuration section to clarify that Configuration Manager does not support changing the port for SQL Server after the site is installed. Added new sections, Manage Language Packs at Configuration Manager Sites and Configure Custom Locations for the Site Database Files. Security and Privacy for Site Administration in Configuration Manager Updated the entry about the Security Configuration Wizard with the link to download the toolkit for System Center 2012 Configuration Manager: System Center 2012 Configuration Manager Component Add-ons and Extensions. This information is also updated in the Security and Privacy for System Center 2012 Configuration Manager guide. Updated for the ports used by the new site system roles: the Application Catalog website point and Application Catalog web service point; the enrollment point and enrollment proxy point; and the Endpoint Protection point. Also clarified that Configuration Manager does not support dynamic ports for SQL Server. New topic that provides technical details about language support in System Center 2012 Configuration Manager.

Technical Reference for Ports Used in Configuration Manager

Technical Reference for Language Packs in Configuration Manager

90

Migrating from Configuration Manager 2007 to System Center 2012 Configuration Manager The following new or updated topics are from the Migrating Hierarchies in System Center 2012 Configuration Manager guide.
Topic More information

Planning for Migration to System Center 2012 Configuration Manager

Updated for additional information about planning for overlapping boundaries if you will install new Configuration Manager 2007 client during the migration period. Updated to clarify that when a collection migrates, Configuration Manager also migrates collection settings that include maintenance windows and collection variables, but cannot migrate collection settings for AMT provisioning. Updated the Distribution Point Upgrade section to clarify the package migration behavior during a distribution point upgrade.

Planning a Migration Job Strategy in System Center 2012 Configuration Manager

Planning a Content Deployment Migration Strategy in System Center 2012 Configuration Manager

Deploying Clients for System Center 2012 Configuration Manager The following new or updated topics are from the Deploying Clients for System Center 2012 Configuration Manager guide.
Topic More information

Prerequisites for Windows Client Deployment in Updated to clarify that although most operating Configuration Manager systems now include BITS, some operating systems, such as Windows Server 2003 R2 SP2, do not. If you install the client on an operating system that does not already have BITS installed, you must first install it. Best Practices for Client Deployment in Configuration Manager Updated for the new best practice to install additional client languages on the site before you deploy clients on computers and mobile devices. Updated to clarify the assignment behavior for a System Center 2012 Configuration Manager client when it is assigned to a Configuration Manager 2007 site.

How to Assign Clients to a Site in Configuration Manager

91

Topic

More information

About Client Installation Properties in Configuration Manager

Updated for information about file locations for the /config: and CCMENABLELOGGING installation properties.

Deploying Software and Operating Systems in System Center 2012 Configuration Manager The following new or updated topics are from the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide.
Topic More information

Example Scenario for Using Configuration Manager to Deploy and Monitor the Security Software Updates Released Monthly by Microsoft How to Manage Applications and Deployment Types in Configuration Manager

New topic that provides an example scenario for how you might deploy software updates in your environment.

Updated to clarify that the Retire management task does not remove any installed copies of the application from client computers. Updated for information about running task sequences in a maintenance window. Updated for how to create a USMT package and how to restore the user state if the operating system deployment fails. Updated the Updated Install Software Updates step for the information that the step cannot suppress restarts if the software update requires a restart. New topic that provides an example scenario for how you might deploy an operating system by using PXE in your environment.

Planning a Task Sequences Strategy in Configuration Manager How to Manage the User State in Configuration Manager

Task Sequence Steps in Configuration Manager

Example Scenario for PXE-Initiated Operating System Deployment by Using Configuration Manager

Assets and Compliance in System Center 2012 Configuration Manager The following new or updated topics are from the Assets and Compliance in System Center 2012 Configuration Manager guide.
Topic More information

How to Create Queries in Configuration Manager

Updated to clarify that a query that contains no criteria will return all devices in the All
92

Topic

More information

Systems collection. How to Extend Hardware Inventory in Configuration Manager Updated for the information that you must create a hardware inventory class for any MIF files you want to add to inventory. Updated for an example of how to specify a file type that you want to inventory. Updated to include the reference to Example Scenario for Software Metering in Configuration Manager. Updated to clarify that the out of band management power control commands are always available for a collection, even if the collection contains resources that are not provisioned for AMT. Updated for information about using software updates automatic deployment rules to deploy definition updates for Endpoint Protection.

How to Configure Software Inventory in Configuration Manager Introduction to Software Metering in Configuration Manager

How to Manage AMT-based Computers Out of Band in Configuration Manager

How to Configure Endpoint Protection in Configuration Manager

What's New in the Documentation Library for January 2013

The following sections describe what's new in the Documentation Library for System Center 2012 Configuration Manager since the documentation library was updated in May 2012. The documentation library now contains information for Configuration Manager Service Pack 1 (SP1). The topics that are listed are either new topics or topics that contain significant technical changes. Topics that contain minor changes are not listed. In addition to these sections, the Glossary for Microsoft System Center 2012 Configuration Manager is updated for System Center 2012 Configuration Manager SP1. Getting Started with System Center 2012 Configuration Manager The following new or updated topics are from the Getting Started with System Center 2012 Configuration Manager guide.
Topic More information

Introduction to Configuration Manager Whats New in Configuration Manager SP1

Updated for Configuration Manager SP1. New topic that lists the changes in Configuration Manager SP1, with links to additional information.
93

Topic

More information

Fundamentals of Configuration Manager

Updated for Configuration Manager SP1. For example, how you can use site expansion if you install a stand-alone primary site and later decide that you require additional primary sites. This topic also has diagrams added to illustrate example site designs, site system roles, and client settings.

Supported Configurations for Configuration Manager

Updated support statements for Configuration Manager with no service pack, and new support statements for Configuration Manager SP1. Updated for new questions that include the following: To support computers in an untrusted forest, do I have to create a new primary site and configure a two-way forest trust? Do I have to configure my site for Internetbased client management before I can use cloud-based distribution points in Configuration Manager SP1? How can I create a collection that contains only Mac computers, or only Linux servers? Why might there be differences between a clients assigned, installed, and resident site values when I look at the client properties in the Configuration Manager console? Can I install the Configuration Manager client on my Windows Embedded devices that have very small disks? Where is the documentation for the Configuration Manager client for Mac Computers? Where is the documentation for the Configuration Manager client for Linux and UNIX? If the same application is deployed to a user and a device, which one takes priority? Why do I see an error message about
94

Frequently Asked Questions for Configuration Manager

Topic

More information

insufficient permissions from a Windows Embedded device when I try to install software from Software Center? Whats the minimum permission an administrative user requires for the Client Push Installation Wizard? Why dont clients run scheduled activities such as inventory, software updates, and application evaluation and installations at the time I schedule them? How can I create a collection of Windows 8 computers that are Always On Always Connected capable?

Accessibility Features of Configuration Manager

New topic that outlines accessibility features for Configuration Manager and provides links to more information.

Site Administration for System Center 2012 Configuration Manager The following new or updated topics are from the Site Administration for System Center 2012 Configuration Manager guide.
Topic More information

Interoperability between Different Versions of Configuration Manager

New topic that contains information about interoperability between System Center 2012 Configuration Manager and Configuration Manager 2007 and about interoperability between sites with different service pack versions in System Center 2012 Configuration Manager. Updated for the new certificates in Configuration Manager SP1, which includes certificates for Mac computers, cloud-based distribution points, and the Windows Intune connector and mobile devices that are enrolled by Windows Intune. This topic also includes a new entry for the specific certificate requirements when you use a SQL Server cluster for the Configuration Manager site database.
95

PKI Certificate Requirements for Configuration Manager

Topic

More information

Planning to Upgrade System Center 2012 Configuration Manager

New topic to help you plan to upgrade System Center 2012 Configuration Manager to Configuration Manager SP1. Updated for the information that there are no new schema changes in Configuration Manager SP1. The topic also lists the clients that do not use the Configuration Manager schema extensions. Updated for the new Planning to Expand a Stand-Alone Primary Site section for Configuration Manager SP1 information about how to expand a stand-alone primary site into a new hierarchy with a central administration site. Updated for the new best practice to not run Active Directory Forest Discovery at multiple sites when you plan to automatically create boundaries from the discovery data, because this can create duplicate boundary objects. Also updated to clarify that when Active Directory Forest Discovery discovers a supernet that is assigned to an Active Directory site, Configuration Manager translates the supernet into a boundary as an IP address range. This information is also added to Planning for Boundaries and Boundary Groups in Configuration Manager.

Determine Whether to Extend the Active Directory Schema for Configuration Manager

Planning for Sites and Hierarchies in Configuration Manager

Planning for Discovery in Configuration Manager

Planning for Site Systems in Configuration Manager

Updated for the new Configuration Manager SP1 site system roles, proxy server configuration, cloud-based distribution points, and the Windows Intune connector. New topic that contains planning information for cloud-based distribution points in Windows Azure. Updated for how to use database replication controls and distributed views in Configuration Manager SP1. The Planning How to Wake Up Clients section is also updated for the new wake-up proxy
96

Manage Cloud Services for Configuration Manager

Planning for Communications in Configuration Manager

Topic

More information

functionality in Configuration Manager SP1. Configuring Settings for Client Management in Configuration Manager Updated the Configure Wake on LAN section for the new wake-up proxy functionality in Configuration Manager SP1. The topic that contains information about how to run Setup has the following updates: The required permissions to run Setup for the site installation procedures. In Configuration Manager SP1, you must disable distributed views for all primary sites before you uninstall from the hierarchy a primary site that uses distributed views In Configuration Manager SP1, you can configure the SQL Server service port to be a non-default TCP port number.

Install Sites and Create a Hierarchy for Configuration Manager

In addition, the following information is updated for unattended installations: The script file details. Updated information about the automatic creation of an unattended installation script when you run Setup. Updated the command line details for /MANGAELANGS, which is used to manage languages at a previously installed site. New sections for an unattended recovery of a primary site or central administration site.

Expand a Stand-Alone Primary Site into a Hierarchy with a Central Administration Site

New topic that provides information about the new site expansion functionality in Configuration Manager SP1. New topic that contains information about how to upgrade to the latest service pack, such as Configuration Manager SP1. Updated with the new information that for Configuration Manager SP1, you can configure email subscriptions for all alerts whereas in Configuration Manager with no service pack, email subscriptions were restricted to Endpoint Protection.
97

Upgrade Configuration Manager to a New Service Pack

Configuring Alerts in Configuration Manager

Topic

More information

Install and Configure Site System Roles for Configuration Manager

Updated for the new site system roles in Configuration Manager SP1 and the information that when you install a site system on a domain controller that does not host the site server, the new site system role does not complete the installation until the Kerberos ticket refreshes. Updated for a new section to uninstall a database replica. The Configuring the Database Replica Server section is also updated for the information that the SQL Server service on the replica database server must run as the System account. This topic is also updated for the required configurations to use a database replica; you must configure databases to support a Max Text Repl Size of 2 GB.

Configure Database Replicas for Management Points

Manage Cloud Services for Configuration Manager

New topic to help you manage cloud-based distribution points in Configuration Manager SP1. Updated to add the new Using Data Protection Manager to Back up Your Site Database section and updated the Recover a Secondary Site section. New topic that explains how to install update bundles if you require hotfixes to System Center 2012 Configuration Manager. Updated to add the section Supported SQL Server Versions for the Reporting Services Point. Updated to add the new section Reporting Services Security Roles for Configuration Manager. Updated for the new ports used by Configuration Manager SP1, which includes the client notification, cloud-based distribution point, and the Windows Intune connector. Also added the ports used by the Exchange Server connector.
98

Backup and Recovery in Configuration Manager

Update System Center 2012 Configuration Manager

Prerequisites for Reporting in Configuration Manager

Configuring Reporting in Configuration Manager

Technical Reference for Ports Used in Configuration Manager

Topic

More information

Technical Reference for Log Files in Configuration Manager

Updated to include the AppDiscovery.log and AppEnforce.log log files, which are used with application management. Also updated for the new log files in Configuration Manager SP1, which includes log files for Mac computers, Linux and UNIX servers, and cloud-based distribution points.

Technical Reference for Cryptographic Controls Updated for the new security controls in Used in Configuration Manager Configuration Manager SP1, which includes content hashing support for the new devices that Configuration Manager SP1 supports, the encryption algorithm used by client notification, and certificates used by cloud-based distribution points and for Windows Intune. Technical Reference for Language Packs in Configuration Manager Technical Reference for the Prerequisite Checker in Configuration Manager Updated for the new languages supported by Configuration Manager SP1. Updated the information about prerequisite checks for Configuration Manager, which includes the prerequisite checks for Configuration Manager with no service pack, new prerequisite checks for Configuration Manager SP1, and prerequisite checks for upgrading to Configuration Manager SP1. Updated for new procedures for deploying the client certificate for Mac computers and the service certificate for cloud-based distribution points in Configuration Manager SP1.

Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority

Migrating Hierarchies in System Center 2012 Configuration Manager This guide was previously named Migrating from Configuration Manager 2007 to System Center 2012 Configuration Manager and is now renamed to reflect the new functionality in Configuration Manager SP1 that now also lets you migrate a System Center 2012 Configuration Manager SP1 hierarchy to another System Center 2012 Configuration Manager SP1 hierarchy. Topics in this guide are updated to reflect this new functionality, where applicable. Deploying Clients for System Center 2012 Configuration Manager The following new or updated topics are from the Deploying Clients for System Center 2012 Configuration Manager guide.
99

Topic

More information

Introduction to Client Deployment in Configuration Manager Prerequisites for Windows Client Deployment in Configuration Manager

Updated for information for Configuration Manager SP1 information about Windows Embedded, Mac computers, and Linux and UNIX servers. This topic is also updated to include a list of client checks that Windows-based clients make when Configuration Manager monitor clients and remediates any issues. Updated for Configuration Manager SP1, which includes the following: You no longer have to configure Internet Explorer to exclude the ActiveX control Microsoft.ConfigurationManager.SoftwareCatalog.Website.ClientBridgeCont rol.dll from ActiveX filtering and allow it to run in the browser. Silverlight 5 is automatically downloaded and installed during client installation.

This topic is also updated to clarify that BITS is not automatically downloaded during client installation. Best Practices for Client Deployment in Configuration Manager Updated for the following best practices: Plan and prepare any required PKI certificates in advance for Internetbased client management, enrolled mobile devices, and Mac computers. Before you install clients, configure any required client settings and maintenance windows. For Mac computers and mobile devices that are enrolled by Configuration Manager, plan your user enrollment experience. When you manage Windows Embedded devices on the Configuration Manager SP1 client, use File-Based Write Filters (FBWF) rather than Enhanced Write Filters (EWF) for higher scalability.

Planning for New topic that provides planning information to help you install the client on Client Linux and UNIX server in Configuration Manager SP1. Deployment for Linux and UNIX Servers Determine the Updated for the information that you require an enrollment point and enrollment Site System proxy point to manage Mac computers in Configuration Manager SP1. Roles for Client Deployment in Configuration Manager How to Configure Client Updated for information about ports for client notification in Configuration Manager SP1.

100

Topic

More information

Communicatio n Port Numbers in Configuration Manager How to Install Clients on WindowsBased Computers in Configuration Manager This topic was previously named How to Install Clients on Computers in Configuration Manager and renamed because Configuration Manager SP1 supports the installation of clients on other operating systems, such as Mac OS X, and Linux and UNIX. Other updates to this topic include the following: Configuration Manager SP1 does not support client push installation for Windows Embedded devices that have write filters that are enabled. Configuration Manager SP1 client push installation now supports some CCMSetup properties in the Installation Properties tab. Configuration Manager SP1 updates for How to Automatically Upgrade the Configuration Manager Client for the Hierarchy. Examples are added to How to Install Configuration Manager Clients Manually, How to Install Configuration Manager Clients on Workgroup Computers, and How to Install Configuration Manager Clients for Internetbased Client Management.

How to Install Clients on Mac Computers in Configuration Manager How to Install Clients on Linux and UNIX Computers in Configuration Manager How to Manage Mobile Devices by Using the Windows Intune Connector in Configuration

New topic that explains how to install and enroll Mac computers that so that you manage these computers similarly to how you manage other clients in the Configuration Manager hierarchy.

New topic that explains how to install the Configuration Manager client on Linux and UNIX servers that so that you manage these computers similarly to how you manage other clients in the Configuration Manager hierarchy.

New topic for Configuration Manager SP1 that explains how to manage mobile devices that run Windows Phone 8, Windows RTM, iOS, and Android. This mobile devices management solution requires a subscription to Windows Intune and uses the Windows Intune connector site system role.

101

Topic

More information

Manager How to Manage Clients in Configuration Manager How to Manage Linux and UNIX Clients in Configuration Manager Updated to include information about how to notify computers to download policy as soon as possible when they run the Configuration Manager SP1 client.

New topic that explains how to manage the Configuration Manager SP1 client on Linux and UNIX servers.

How to Monitor New topic that explains how to monitor the Configuration Manager SP1 client on Linux and Linux and UNIX servers. UNIX Clients in Configuration Manager Security and Privacy for Clients in Configuration Manager Updated for the following security best practices: Do not use automatic site assignment if the client will download the trusted root key from the first management point it contacts. For Windows embedded devices that have write filters, take additional security precautions to reduce the attack surface if Configuration Manager disables the write filters to persist software installations and changes. For mobile devices: Do not deploy applications to users who have mobile devices enrolled by Configuration Manager or Windows Intune when the mobile device is used by more than one person, the device is enrolled by an administrator on behalf of a user, or the device is transferred to another person without retiring and then re-enrolling the device. For mobile devices: Make sure that users enroll their own mobile devices for Windows Intune. For Mac computers: Independently from Configuration Manager, monitor and track the validity period of the certificate that enrolled to users. In Configuration Manager SP1, the connection from a client to the management point is not dropped if you block a client and the blocked client could continue to send client notification packets to the management point, as keep-alive messages. In Configuration Manager SP1, when you use automatic client upgrade and the client is directed to a management point to download the client source
102

This topic also has the following new security issues listed:

Topic

More information

files, the management point is not verified as a trusted source. In Configuration Manager SP1, if you use the options to commit changes on Windows Embedded devices, accounts might be locked out sooner than expected.

About Client Settings in Configuration Manager

Updated throughout to incorporate the change in Configuration Manager SP1 where the True and False values in Configuration Manager with no service pack are now Yes and No. Other updates include the following: Background Intelligent Transfer Added information for these settings. Client Policy: Client policy polling interval Updated for Configuration Manager SP1 because the client policy interval in Service Pack 1 now applies to mobile devices that are enrolled by Configuration Manager, to Mac computers, and to computers that run Linux or UNIX. Computer Agent: Additional software manages the deployment of applications and software updates - This setting in Configuration Manager with no service pack was named Agent extensions manage the deployment of applications and software updates and has been renamed for clarity. There is no change in behavior. Typically, you select this option if you have installed a vendor add-on for Configuration Manager or use the SDK to install applications and software updates. Computer Agent: Allow Silverlight applications to run in elevated trust mode - This is a new setting to support Silverlight 5 in Service Pack 1. Computer Agent: PowerShell execution policy Added the value of All Signed, which is new in Configuration Manager SP1 and the new default value. Computer Agent: Disable deadline randomization Added for Configuration Manager SP1 and determines whether the client uses an activation delay of up to two hours to install required software updates and required applications when the deadline is reached. Endpoint Protection: Install Endpoint Protection client on client computers Updated to clarify that False or No does not uninstall the Endpoint Protection client. To uninstall the Endpoint Protection client, you must set the Manage Endpoint Protection client on client computers client setting to False or No, and then deploy a package and program to uninstall the Endpoint Protection client. Client Policy: Enable user policy polling on clients Updated for the new restriction in Configuration Manager SP1 that if this setting is not enabled, users cannot install applications from the Application Catalog. Metered Internet Connections New group settings that lets you specify how Configuration Manager SP1 clients that run Windows 8 communicate on metered network connections. Power Management New settings that let you configure wake-up proxy
103

Topic

More information

for Configuration Manager SP1 clients. Enrollment: - Added for Configuration Manager SP1, which replaces the Mobile Devices group settings in Configuration Manager with no service pack. Endpoint Protection: For Windows Embedded devices with write filters, commit Endpoint Protection client installation (requires restart) Added for Windows Embedded clients in Configuration Manager SP1.

About Client Installation Properties in Configuration Manager

Updated for the following: Updated to add the new CCMSetup property of /forceinstall, which lets you specify that any existing Configuration Manager client will be uninstalled before installing the new client. Updated to correct the information that /NotifyOnly is a Client.msi property and not a CCMSetup property. Updated to correct the information about the minimum cache size that you can specify, which is 1 MB for a new client. For a reinstalled client, you cannot specify a value lower than the previously configured cache size.

Administrator Checklist: Deploying Clients in Configuration Manager Windows Firewall and Port Settings for Client Computers in Configuration Manager Example Scenario for Deploying and Managing Configuration Manager Clients on Windows Embedded Devices

Updated for references to the new devices that are supported in Configuration Manager SP1.

Updated for the new wake-up proxy and client notification communication in Configuration Manager SP1.

New topic that provides an example scenario of how to manage write filters on Windows Embedded devices when you manage these clients in Configuration Manager SP1.

104

Topic

More information

Technical New topic that contains technical reference information that you might require if Reference for you install the Configuration Manager SP1 client on Linux or UNIX servers. the Configuration Manager Client for Linux and UNIX

Deploying Software and Operating Systems in System Center 2012 Configuration Manager The following new or updated topics are from the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide.
Topic More information

Introduction to Content Management in Configuration Manager

Updated for information about the Configuration Manager content library, which includes a new section, About the Content Library on the Central Administration Site to help you plan for content storage on a central administration site. More information about this requirement appears in the Planning for Content Management in Configuration Manager. This topic, and the Planning for Content Management in Configuration Manager topic is also updated for information about how to move the content library.

Planning for Content Management in Configuration Manager

Updated for planning information for cloudbased distribution points and pull distribution points in Configuration Manager SP1. Updated the Install and Configure the Distribution Point section for additional information about the Allow clients to connect anonymously setting. Updated for security best practices and security issues for cloud-based distribution points in Configuration Manager SP1. Updated for the following new functionality in Configuration Manager SP1:
105

Configuring Content Management in Configuration Manager

Security and Privacy for Content Management in Configuration Manager

Introduction to Application Management in Configuration Manager

Topic

More information

App-V virtual environments App-V 5 deployment type New deployment types to support client computers that run Windows 8, and new deployment types for mobile devices that are managed by the Windows Intune connector.

This topic also has a new section to explain how mobile devices that are managed by the Windows Intune connector use the company portal so that users can download apps that you make available. Planning to Deploy Windows 8 Apps in Configuration Manager Planning for App-V Integration with Configuration Manager New topic to help you plan for deploying Windows 8 apps in Configuration Manager SP1. New topic that contains planning information to help you deploy virtual applications by using Configuration Manager. Updated for the following: Updated Step 4 instructions that for Configuration Manager with no service pack, you must include setting permissions explicitly on the CMApplicationCatalog\Content\Images\AppI cons folder for users in other domains, because this folder does not inherit permissions from the parent folder, CMApplicationCatalog. In Configuration Manager SP1, users from other domains can automatically access the Application Catalog without manual configuration for the security permissions. Updated Step 6 with the tip that missing prerequisites are one of the most typical reasons for the Application Catalog to not operate correctly after installation. Check and confirm the site system role prerequisites for the Application Catalog site system roles by using the Site System Requirements section of the Supported Configurations for Configuration Manager topic. The footnotes for the table include important information about configuring
106

Configuring the Application Catalog and Software Center in Configuration Manager

Topic

More information

WCF activation and the requirement to explicitly enable ASP.NET. How to Create Applications in Configuration Manager How to Create and Deploy Applications for Mac Computers in Configuration Manager Updated to include information about the new application types in Configuration Manager SP1. New topic that contains information about how to deploy applications to Mac computers in Configuration Manager SP1. Updated for information about the new Configuration Manager SP1 option Allow clients on a metered Internet connection to download content after the installation deadline, which might occur additional costs. Updated to include information about the new deployment types in Configuration Manager SP1. This topic is also updated for information about how to create a script to detect if an application is already installed. How to Create App-V Virtual Environments in Configuration Manager New topic that contains information about how to create and manage App-V virtual environments in Configuration Manager SP1. New topic that contains information about how to deploy applications to Linux and UNIX servers in Configuration Manager SP1. Updated to add information about the new software update point functionality in Configuration Manager SP1. Updated to include changes to software update point functionality that is introduced in Configuration Manager SP1, such as the ability to install more than one software update point at a site.

How to Deploy Applications in Configuration Manager

How to Create Deployment Types in Configuration Manager

Deploying Software to Linux and UNIX Servers in Configuration Manager

Introduction to Software Updates in Configuration Manager

Planning for Software Updates in Configuration Manager

Configuring Software Updates in Configuration Updated for the new and changed configuration Manager options in Configuration Manager SP1. Prerequisites For Deploying Operating Systems in Configuration Manager Updated the Dependencies External to Configuration Manager section to include new dependencies for Configuration Manager SP1.
107

Topic

More information

This includes details about the Automated Installation Kit (Windows AIK) for Configuration Manager with no service pack, and its replacement by the Windows Assessment and Deployment Kit (Windows ADK) for Configuration Manager SP1. How to Manage Boot Images in Configuration Manager Updated for information about a new setting that lets you configure the Windows PE scratch space in Configuration Manager SP1. New topic that provides information about deploying operating systems when sites in your hierarchy have different versions of Configuration Manager. Updated for the following security improvement in Configuration Manager SP1: When you use bootable media with Configuration Manager SP1, the content is hashed and must be used with the original policy. This help prevents a client from installing content or client policy that has been tampered with. Configuration Manager SP1 uses client authentication to the state migration point by using a Configuration Manager token that is issued by the management point.

Planning for Operating System Deployment Interoperability

Security and Privacy for Deploying Operating Systems in Configuration Manager

Task Sequence Built-in Variables in Configuration Manager

Updated to add the following variables: _SMSTSWTG OSDPreserveDriveLetter SMSTSAssignmentsDownloadInterval SMSTSAssignmentsDownloadRetry SMSTSBootUEFI SMSTSDownloadProgram SMSTSLanguageFolder SMSTSPersistContent SMSTSPostAction

How to Provision Windows To Go in Configuration Manager

New topic that provides information and procedures about how to use Configuration Manager SP1 so that users can boot to
108

Topic

More information

Windows 8 from a USB drive. Prestart Commands for Task Sequence Media New topic that provides information and in Configuration Manager procedures about how to use a script or executable as a prestart command that runs before a task sequence is selected and can interact with the user in Windows PE.

Assets and Compliance in System Center 2012 Configuration Manager The following new or updated topics are from the Assets and Compliance in System Center 2012 Configuration Manager guide.
Topic More information

How to Create Queries in Configuration Manager

Updated for some example WQL queries that you can easily import and modify for your own use. For example, you could create your own collections by using these queries. New topic that explain how to inventory computers in Configuration Manager SP1 that run Linux or UNIX. Updated for information about the new user data and profiles configuration items in Configuration Manager SP1. Updated for the required permissions to manage user data and profiles configuration items in Configuration Manager SP1.

Hardware Inventory for Linux and UNIX in Configuration Manager

Introduction to Compliance Settings in Configuration Manager

Prerequisites for Compliance Settings in Configuration Manager

How to Create Windows Configuration Items for Updated to include more information about how Compliance Settings in Configuration Manager to create Active Directory settings. How to Create User Data and Profiles Configuration Items in Configuration Manager New topic about how to create user data and profiles configuration items in Configuration Manager SP1. New topic that provides information about how to create and deploy configuration items for Mac computers in Configuration Manager SP1. Updated to add a link to the System Center 2012 Configuration Manager Configuration Pack.
109

How to Create Mac Computer Configuration Items in Configuration Manager

How to Import Configuration Data in Configuration Manager

Topic

More information

Security and Privacy for Compliance Settings in Updated for the following security best Configuration Manager practices: Introduction to Endpoint Protection in Configuration Manager Do not configure compliance rules that use data that can be modified by end users. Secure the communication channel when you browse to a reference computer.

Updated for a new workflow diagram that shows the steps and processes required to configure Endpoint Protection in Configuration Manager. New topic that contains information about how to configure update sources for Endpoint Protection definitions. Updated for new information about exclusion settings that you can use to prevent folders from being scanned by Endpoint Protection. Updated for new information about the available management tasks to remediate detected malware. Updated to add a new section named Malware Alert Levels, which contains a description of the various malware alert levels that you might see in the console and reports. New topic that provides an example scenario for how you can implement Endpoint Protection in Configuration Manager to protect computers in an organization from malware attacks.

How to Configure Definition Updates for Endpoint Protection in Configuration Manager

How to Create and Deploy Antimalware Policies for Endpoint Protection in Configuration Manager How to Manage Antimalware Policies and Firewall Settings for Endpoint Protection in Configuration Manager How to Monitor Endpoint Protection in Configuration Manager

Example Scenario for Protecting Computers From Malware by Configuring Endpoint Protection in Configuration Manager

Security and Privacy for System Center 2012 Configuration Manager The following new or updated topics are from the Security and Privacy for System Center 2012 Configuration Manager guide.
Topic More information

Security and Privacy for System Center 2012 Configuration Manager

Updated the information about the Security Configuration Wizard (SCW) so that it includes the toolkit for Configuration Manager SP1.

110

Topic

More information

Microsoft System Center 2012 Configuration Manager Privacy Statement

Updated for Configuration Manager SP1. There are no updates for Microsoft System Center 2012 Configuration Manager Privacy Statement - Mobile Device Addendum.

Scenarios and Solutions for System Center 2012 Configuration Manager New guide that contains example scenario and solutions documentation from the other Configuration Manager guides.

See Also
Getting Started with System Center 2012 Configuration Manager

Fundamentals of Configuration Manager

If you are new to Configuration Manager, you can use the following information to learn about the basic concepts for Microsoft System Center 2012 Configuration Manager before you run Setup or read more detailed information. If you are familiar with Configuration Manager 2007, see Whats New in Configuration Manager. For information about supported operating systems and supported environments, hardware requirements, and capacity information, see Supported Configurations for Configuration Manager.

Sites
When you install System Center 2012 Configuration Manager for the first time, you create a Configuration Manager site that is the foundation from which to manage devices and users in your enterprise. This site is either a central administration site or a primary site. A central administration site is suitable for large-scale deployments and provides a central point of administration and the flexibility to support devices that are distributed across a global network infrastructure. A primary site is suitable for smaller deployments and it has fewer options to accommodate any future growth of your enterprise. When you install a central administration site, you must also install at least one primary site to manage users and devices. With this design, you can install additional primary sites to manage more devices and to control network bandwidth when devices are in different geographical locations. You can also install another type of site that is named a secondary site. Secondary sites extend a primary site to manage a few devices that have a slow network connection to the primary site. If you do not install a central administration site, the first site that you install is a stand-alone primary site. By default, you cannot install additional primary sites that can communicate with one another. However, you can still install one or more secondary sites to extend this primary site when you have to manage a few devices that have a slow network connection to the primary site.
111

If you have installed a stand-alone primary site and you later decide to use a central administration site design, Configuration Manager SP1 lets you do this. Configuration Manager without a service pack does not support this design change until you upgrade the site to Configuration Manager SP1. This design change is known as site expansion. When you have more than one site that communicates with one another, you have an arrangement of sites that is known as a hierarchy. The following diagrams show some example site designs.

Publishing Site Information to Active Directory Domain Services If you extend the Active Directory schema for System Center 2012 Configuration Manager, you can publish System Center 2012 Configuration Manager sites to Active Directory Domain Services so that Active Directory computers can securely retrieve System Center 2012 Configuration Manager site information from a trusted source. Although publishing site information to Active Directory Domain Services is not required for basic Configuration Manager functionality, this configuration improves the security of your System Center 2012 Configuration Manager hierarchy and reduces administrative overhead. You can extend the Active Directory schema before or after you install System Center 2012 Configuration Manager. Before you can publish site information, you must also create an Active
112

Directory container named System Management in each domain that contains a System Center 2012 Configuration Manager site. You must also configure the Active Directory permissions so that the site can publish its information to this Active Directory container. As with all schema extensions, you extend the schema for System Center 2012 Configuration Manager one time only per forest. Site System Servers and Site System Roles Configuration Manager uses site system roles to support management operations at each site. When you install a Configuration Manager site, some site system roles are automatically installed and assigned to the server on which Configuration Manager Setup has run successfully. One of these site system roles is the site server, which you cannot transfer to another server or remove without uninstalling the site. You can use other servers to run additional site system roles or to transfer some site system roles from the site server by installing and configuring Configuration Manager site system servers. Each site system role supports different management functions. The site system roles that provide basic management functionality are described in the following table.
Site system role Description

Site server

A computer from which you run Configuration Manager Setup and that provides the core functionality for the site. A server that hosts the SQL Server database, which stores information about Configuration Manager assets and site data. A server that runs Configuration Manager services. When you install all the site system roles except for the distribution point role, Configuration Manager automatically installs the component server.

Site database server

Component server

Management point

A site system role that provides policy and service location information to clients and receives configuration data from clients.

Distribution point

A site system role that contains source files for clients to download, such as application content, software packages, software updates, operating system images, and boot images.

113

Site system role

Description

Reporting services point

A site system role that integrates with SQL Server Reporting Services to create and manage reports for Configuration Manager.

When companies first deploy Configuration Manager in a production environment, they typically run multiple site system roles on the site server and have additional site system servers for distribution points. Then they install additional site system servers and add new site system roles, according to their business requirements and network infrastructure. The additional site system roles that you might need for specific functionality are listed in the following table.
Site system role Description

Application Catalog web service point

A site system role that provides software information to the Application Catalog website from the Software Library. A site system role that provides users with a list of available software from the Application Catalog. A site system role that connects to Microsoft to download Asset Intelligence catalog information and upload uncategorized titles so that they can be considered for future inclusion in the catalog. A site system role that Configuration Manager uses to accept the Endpoint Protection license terms and to configure the default membership for Microsoft Active Protection Service. A site system role that helps you monitor client installation and identify the clients that are unmanaged because they cannot communicate with their management point. A site system role that provisions and configures Intel AMT-based computers for out of band management. A site system role that integrates with Windows Server Update Services (WSUS) to
114

Application Catalog website point

Asset Intelligence synchronization point

Endpoint Protection point

Fallback status point

Out of band service point

Software update point

Site system role

Description

provide software updates to Configuration Manager clients. State migration point A site system role that stores user state data when a computer is migrated to a new operating system. A site system role that validates Configuration Manager Network Access Protection (NAP) policies. It must be installed on a NAP health policy server. A site system role in Configuration Manager SP1 that uses Windows Intune to manage mobile devices in the Configuration Manager console.

System Health Validator point

Windows Intune connector

The following diagram shows these basic and additional site system roles that you can add to the site server computer or distribute by installing additional site system servers.

115

Clients
System Center 2012 Configuration Manager clients are devices such as workstations, laptops, servers, and mobile devices that have the Configuration Manager client software installed so that you can manage them. Management includes operations such as reporting hardware and software inventory information, installing software, and configuring settings that are needed for compliance. Configuration Manager has discovery methods that you can use to find devices on the network to help you install the client software on those devices. Configuration Manager has several options to install the client software on devices. These options include client push installation, software update-based installation, Group Policy, and manual installation. You can also include the client when you deploy an operating system image. Configuration Manager uses collections to group devices so that you can perform management tasks on multiple devices that share a common set of criteria. For example, you might want to
116

install a mobile device application on all mobile devices that are enrolled by Configuration Manager. If this is the case, you could use the All Mobile Devices collection, which automatically excludes computers. You can create your own collections to logically group the devices that you manage, according to your business requirements. User-Centric Management In addition to the collections for devices, there are also user collections that contain users from Active Directory Domain Services. User collections let you install software on all computers that the user logs into, or you can configure user device affinity so that the software installs on only the main devices that the user uses. These main devices are called primary devices. A user can have one or more primary devices. One of the ways in which users can control their software deployment experience is by using the new computer client interface, Software Center. Software Center is automatically installed on client computers and accessed from the users Start menu. This client interface lets users manage their own software, as well as perform the following: Install software Schedule software to automatically install outside working hours Configure when Configuration Manager can install software on their device Configure access settings for remote control, if remote control is enabled in Configuration Manager Configure options for power management if an administrative user has enabled this

A link in Software Center lets users connect to the Application Catalog, where they can browse for, install, and request software. In addition, the Application Catalog lets users configure some preference settings and wipe their mobile devices. Because Application Catalog is a website that is hosted in IIS, users can also access the Application Catalog directly from a browser, from the intranet, or from the Internet. Users can also specify their primary devices from the Application Catalog, if you allow this configuration. Other methods of configuring the user device affinity information include importing the information from a file and automatic generation from usage data. Client Settings When you first install System Center 2012 Configuration Manager, all clients in the hierarchy are configured by using default client settings that you can change. These client settings include configuration options such as how frequently devices communicate with the site, whether the client is enabled for software updates and other management operations, and whether users can enroll their mobile devices to be managed by Configuration Manager. If you need different client settings for groups of users or devices, you can create custom client settings and then assign them to collections. Users or devices that are in the collection will be configured to have the custom settings. You can create multiple custom client settings and they are applied in the order that you specify. When you have multiple custom client settings, they are applied according to their order number. If there are any conflicts, the setting that has the lowest order number overrides the other settings.
117

The following diagram shows an example of how you could create and apply custom client settings.

Limited Management without Clients The System Center 2012 Configuration Manager client software provides full management capability for users and devices. However, there are also two scenarios in which you can manage devices independently from the client software: out of band management, which uses Intel Active Management Technology (AMT), and mobile devices that are connected to an Exchange Server computer. Configuration Manager uses the client software to provision and configure computers for AMT, but when you perform AMT management operations, the client software is not used. Instead, Configuration Manager connects directly to the AMT management controller. This means that you continue to have some management control over computers that are not started or are not responding at the operating system level. For example, you could restart these computers, reimage them, or run diagnostic utilities to help troubleshoot them.
118

When you cannot install the Configuration Manager client software on mobile devices, you can still manage them by using the Exchange Server connector. The connector lets you configure the settings in the Exchange Default ActiveSync mailbox policy. Any settings that are defined in this policy can be configured by Configuration Manager, and this connector also supports remote wipe and Exchange access rules for block and quarantine. Any mobile device that you manage by using the Exchange Server connector displays in the All Mobile Devices collection, even though the device does not have the System Center 2012 Configuration Manager client installed. Because the client is not installed, you cannot deploy software to these devices.

Client Management Tasks

After you have installed Configuration Manager clients, you can perform various client management tasks, which include the following: Deploy applications, software updates, maintenance scripts, and operating systems. You can configure these to be installed by a specified date and time, or make them available for users to install when they are requested, and you can configure applications to be uninstalled. Help protect computers from malware and security threats, and notify you when problems are detected. Define client configuration settings that you want to monitor and remediate if they are out of compliance. Collect hardware and software inventory information, which includes monitoring and reconciling license information from System Center Online. Troubleshoot computers by using remote control or by using AMT operations for AMT-based computers that are not responding. Implement power management settings to manage and monitor the power consumption of computers.

You can use the Configuration Manager console to monitor these operations in near real-time, by using alerts and status information. For capturing data and historical trending, you can use the integrated reporting capabilities of SQL Reporting Services. To help ensure that you continue to manage the System Center 2012 Configuration Manager clients, use the client status information that provides data about the health of the client and client activity. This data helps identify computers that are not responding and in some cases, problems can be automatically remediated. Configuration Manager (Windows Control Panel) When you install the Configuration Manager client, this installs the Configuration Manager client application in Control Panel. Unlike Software Center, this application is designed for the help desk rather than for end users. Some configuration options require local administrative permissions and most options require technical knowledge about how Configuration Manager works. You can use this application to perform the following tasks on a client: View properties about the client, such as the build number, its assigned site, the management point it is communicating with, and whether the client is using a PKI certificate or a self-signed certificate.
119

Confirm that the client has successfully downloaded client policy after the client is installed for the first time and that client settings are enabled or disabled as expected, according to the client settings that are configured in the Configuration Manager console. Start client actions, such as download the client policy if there was a recent change of configuration in the Configuration Manager console and you do not want to wait until the next schedule time. Manually assign a client to a Configuration Manager site or try to find a site, and specify the DNS suffix for management points that publish to DNS. Configure the client cache that temporarily stores files, and delete files in the cache if you require more disk space to install software. Configure settings for Internet-based client management. View configuration baselines that were deployed to the client, initiate compliance evaluation, and view compliance reports.

Security
Security for System Center 2012 Configuration Manager consists of several layers. First, Windows provides many security features for both the operating system and the network, such as the following: File sharing to transfer files between System Center 2012 Configuration Manager components Access Control Lists (ACLs) to help secure files and registry keys IPsec for securing communications Group Policy for setting security policy DCOM permissions for distributed applications, such as the Configuration Manager console Active Directory Domain Services to store security principals Windows account security, including some groups that are created during System Center 2012 Configuration Manager Setup

Then, additional security components, such as firewalls and intrusion detection, help provide defense in depth for the whole environment. Certificates issued by industry standard PKI implementations help provide authentication, signing, and encryption. System Center 2012 Configuration Manager controls access to the Configuration Manager console in several ways. By default, only local Administrators have rights to the files and registry keys required to run the Configuration Manager console on computers where it is installed. The next layer of security is based on access through Windows Management Instrumentation (WMI), specifically the SMS Provider. The SMS Provider is restricted by default to members of the local SMS Admins group. This group at first contains only the user who installed System Center 2012 Configuration Manager. To grant other accounts permission to the Common Information Model (CIM) repository and the SMS Provider, add the other accounts to the SMS Admins group. The final layer of security is based on permissions to objects in the site database. By default, the Local System account and the user account that you used to install System Center 2012
120

Configuration Manager can administer all objects in the site database. You can grant and restrict permissions to additional administrative users in the Configuration Manager console by using role-based administration. Role-Based Administration System Center 2012 Configuration Manager uses role-based administration to help secure objects such as collections, deployments, and sites. This administration model centrally defines and manages hierarchy-wide security access settings for all sites and site settings. Security roles are assigned to administrative users and group permissions to different Configuration Manager object types, such as the permissions to create or change client settings. Security scopes group specific instances of objects that an administrative user is responsible to manage, such as an application that installs Microsoft Office 2010. The combination of security roles, security scopes, and collections define what objects an administrative user can view and manage. System Center 2012 Configuration Manager installs some default security roles for typical management tasks. However, you can create your own security roles to support your specific business requirements. Securing Client Endpoints Client communication to site system roles is secured by using either self-signed certificates, or by using public key infrastructure (PKI) certificates. Computer clients that Configuration Manager detects to be on the Internet and mobile device clients must use PKI certificates so that the client endpoints can be secured by using HTTPS. The site system roles that clients connect to can be configured for either HTTPS or HTTP client communication. Client computers always communicate by using the most secure method that is available and only fall back to using the less secure communication method of HTTP on the intranet if you have site systems roles that allow HTTP communication. Configuration Manager Accounts and Groups System Center 2012 Configuration Manager uses the Local System account for most site operations. However, some management tasks might require creating and maintaining additional accounts. Several default groups and SQL Server roles are created during Setup. However, you might have to manually add computer or user accounts to these default groups and roles. Privacy Although enterprise management products offer many advantages because they can effectively manage lots of clients, you must also be aware of how this software might affect the privacy of users in your organization. System Center 2012 Configuration Manager includes many tools to collect data and monitor devices, some of which could raise privacy concerns. For example, when you install the System Center 2012 Configuration Manager client, many management settings are enabled by default. This results in the client software sending information to the Configuration Manager site. Client information is stored in the Configuration Manager database and the information is not sent to Microsoft. Before you implement System Center 2012 Configuration Manager, consider your privacy requirements.
121

See Also
Getting Started with System Center 2012 Configuration Manager

Supported Configurations for Configuration Manager

Note This topic appears in the Getting Started with System Center 2012 Configuration Manager guide and in the Site Administration for System Center 2012 Configuration Manager guide. This topic specifies the requirements to implement and maintain Microsoft System Center System Center 2012 Configuration Manager in your environment. The following sections list products that are supported with System Center 2012 Configuration Manager. No extension of support for these products beyond their current product life-cycles is implied. Products that are beyond their current support life cycle are not supported for use with Configuration Manager. For more information about Microsoft Support Lifecycles, visit the Microsoft Support Lifecycle website at Microsoft Support Lifecycle. Warning Microsoft provides support for the current service pack and, in some cases, the immediately previous service pack. For more information about Microsoft support lifecycle policy, go to the Microsoft Support Lifecycle Support Policy FAQ website at Microsoft Support Lifecycle Policy FAQ. Products that are not listed in this document are not supported with System Center 2012 Configuration Manager unless they are announced on the System Center Configuration Manager Team Blog. Configuration Manager System Requirements Site and Site System Role Scalability Site System Requirements Prerequisites for Site System Roles Prerequisites for Site System Roles on Windows Server 2012 Minimum Hardware Requirements for Site Systems Operating System Requirements for Site Servers, Database Servers, and the SMS Provider Operating System Requirements for Typical Site System Roles Operating System Requirements for Function-Specific Site System Roles

Computer Client Requirements Mobile Device Requirements Mobile Devices Enrolled by Configuration Manager Mobile Devices Enrolled by Windows Intune Mobile Device Support by Using the Exchange Server Connector Mobile Device Legacy Client
122

Configuration Manager Console Requirements SQL Server Requirements Application Management Operating System Deployment Out of Band Management Remote Control Viewer Software Center and the Application Catalog Active Directory Schema Extensions Disjoint Namespaces Single Label Domains Support for Internet Protocol Version 6 Support for Specialized Storage Technology Support for Computers in Workgroups Support for Virtualization Environments Support for Network Address Translation DirectAccess Feature Support BranchCache Feature Support Fast User Switching Dual Boot Computers Upgrade Configuration Manager Infrastructure Upgrade for Configuration Manager SQL Server Upgrade for the Site Database Server

Configurations for the SQL Server Site Database Function-Specific Requirements

Support for Active Directory Domains

Windows Environment

Supported Upgrade Paths for Configuration Manager

Configuration Manager System Requirements

The following sections specify the hardware and software requirements that you must have to implement and maintain Configuration Manager in your environment. Site and Site System Role Scalability The following table contains information about the support limits at each site type and by each client-facing site system role. This information is based on the recommended hardware for site systems. For information about the recommended hardware for Configuration Manager sites, see Planning for Hardware Configurations for Configuration Manager. For information about the minimum required hardware to run a Configuration Manager site, see Minimum Hardware Requirements for Site Systems, in this topic.
123

Site or site system role

More information

Central administration site

A central administration site can support up to 25 child primary sites. When you use SQL Server Enterprise or Datacenter for the site database at the central administration site, the shared database and hierarchy supports up to 400,000 clients. The maximum number of supported clients per hierarchy depends on the SQL Server edition in the central administration site, and is independent of the SQL Server edition at primary or secondary sites. Note Configuration Manager supports up to 400,000 clients per hierarchy when you use the default settings for all Configuration Manager features.

When you use SQL Server Standard for the site database at the central administration site, the shared database and hierarchy supports up to 50,000 clients. This is because of how the database is partitioned. After you install Configuration Manager, if you then upgrade the edition of SQL Server at the central administration site from Standard to Enterprise or Datacenter, the database does not repartition and this limitation remains. Note You cannot assign Configuration Manager clients to a central administration site. Support for clients applies to clients that are assigned to child primary sites in the hierarchy.

Primary site

Each primary site can support up to 250 secondary sites. Note The number of secondary sites per
124

Site or site system role

More information

primary site is based on continuously connected and reliable wide area network (WAN) connections. For locations that have fewer than 500 clients, consider a distribution point instead of a secondary site. A stand-alone primary site always supports up to 100,000 clients. A Configuration Manager SP1 primary site supports up to 10,000 Windows Embedded devices that have File-Based Write Filters (FBWF) enabled when they are configured for the exceptions listed in the Deploying the Configuration Manager Client to Windows Embedded Devices section in the Introduction to Client Deployment in Configuration Manager topic. Otherwise, all other configurations for write filter-enabled embedded devices limit support to 3,000 embedded devices for a primary site. When write filters are not enabled, the standard number of clients are supported. A Configuration Manager SP1 primary site supports up to 50,000 Mac computers. A child primary site that uses SQL Server installed on the same computer as the site server can support up to 50,000 clients. When you use SQL Server that is installed on a computer that is remote from the site server, the child primary site can support up to 100,000 clients. Note In a hierarchy with a central administration site that uses a standard edition SQL Server, the total number of clients supported in the hierarchy is limited to 50,000. In this hierarchy, a child primary site that uses a remote installation of SQL Server cannot support more
125

Site or site system role

More information

clients than is supported by the hierarchy. The version of SQL Server that is used by a secondary site does not affect the number of clients that the primary site supports. Unlike a central administration site, the edition of SQL Server you use for the primary site database does not affect the maximum number of clients the primary site supports. This is true for both child primary sites, and stand-alone primary sites. Each secondary site can support communications from up to 5,000 clients when you use a secondary site server that has the recommended hardware and a fast and reliable network connection to its primary parent site. A secondary site could support communications from additional clients when its hardware configuration exceeds the recommended hardware configuration. For information about the recommended hardware for Configuration Manager sites, see Planning for Hardware Configurations for Configuration Manager. Management point Primary site: Each primary site management point can support up to 25,000 computer clients. To support 100,000 clients you must have at least four management points. Additional restrictions: Mac computer clients: Up to 10,000. Note Do not position management points across a slow link from their primary site server or from the site database server. Each primary site can support up to 10
126

Secondary site

Site or site system role

More information

management points. Note When you have more than four management points in a primary site, you do not increase the supported client count of the primary site beyond 100,000. Instead, any additional management points provide redundancy for communications from clients. Secondary site: Each secondary site supports a single management point that must be installed on the secondary site server. The secondary site management point supports communications from the same number of clients as supported by the hardware configuration of the secondary site server. Individually, each primary site supports up to 250 distribution points and each distribution point can support up to 4,000 clients. Individually, each secondary site supports up to 250 distribution points and each distribution point can support up to the same number of clients as supported by the hardware configuration of the secondary site server, up to no more than 4,000 clients. Each primary site supports a combined total of up to 5,000 distribution points. This total includes all the distribution points at the primary site and all distribution points that belong to the primary sites child secondary sites. Each distribution point supports a combined total of up to 10,000 packages and applications.
127

Distribution point

Site or site system role

More information

Note The number of clients that one distribution point can support depends on the speed of the network, the disk performance of the distribution point computer, and the application or package size. Software update point For Configuration Manager without service pack, each site supports one active software update point for use on the intranet, and optionally, one software update point for use on the Internet. You can configure each of these software update points as a Network Load Balancing (NLB) cluster. You can have up to four software update points in the NLB cluster. For Configuration Manager SP1, each site supports multiple software update points for use on the intranet and on the Internet. By default, Configuration Manager SP1 does not support configuring software update points as NLB clusters. However, you can use the Configuration Manager SDK to configure a software update point on a NLB cluster. A software update point that is installed on the site server can support up to 25,000 clients. A software update point that is installed on a computer that is remote from the site server can support up to 100,000 clients. Note For more information, see Planning for Software Updates in Configuration Manager. Fallback status point Application Catalog website point Each fallback status point can support up to 100,000 clients. You can install multiple instances of the
128

Site or site system role

More information

Application Catalog website point at primary sites. For improved performance, plan to support up to 50,000 clients per instance. Each instance of this site system role supports up to 400,000 clients, which provides service for the whole hierarchy. Tip As a best practice, install the Application Catalog website point and Application Catalog web service point together on the same site system when they provide service to clients that are on the intranet. Application Catalog web service point You can install multiple instances of the Application Catalog web service point at primary sites. For improved performance, plan to support up to 50,000 clients per instance. Each instance of this site system role supports up to 400,000 clients, which provides service for the whole hierarchy. Tip As a best practice, install the Application Catalog website point and Application Catalog web service point together on the same site system when they provide service to clients that are on the intranet. System Health Validator point Each System Health Validator point can support up to 100,000 clients.

Site System Requirements Each System Center 2012 Configuration Manager site system server must use a 64-bit operating system. The only exception to this is the distribution point site system role which can be installed on limited 32-bit operating system versions. Limitations for site systems:
129

Site systems are not supported on Server Core installations for the following operating systems: Windows Server 2008 or Windows Server 2008 R2 Windows Server 2008 Foundation or Windows Server 2008 R2 Foundation Windows Server 2012 Windows Server 2012 Foundation

It is not supported to change the domain membership or computer name of a Configuration Manager site system after it is installed. Site system roles are not supported on an instance of a Windows Server cluster. The only exception to this is the site database server.

The following sections list the hardware requirements and operating system requirements for System Center 2012 Configuration Manager sites, typical site system roles, and function-specific site system roles. Prerequisites for Site System Roles The following table identifies prerequisites that are required by Configuration Manager for each site system role on supported operating systems other than Windows Server 2012. For information about prerequisites for site system roles on Windows Server 2012, see Prerequisites for Site System Roles on Windows Server 2012. Important Except where specifically noted, prerequisites apply to all versions of System Center 2012 Configuration Manager. Some prerequisites, such as SQL Server for the site database server, or Windows Server Update Services (WSUS) for the software update point, might require additional prerequisites that are not directly required by the site system role. For site system roles that require Internet Information Services (IIS), use a version of IIS that the computer supports that runs the site system role. For information, see the following sections, Operating System Requirements for Typical Site System Roles and Operating System Requirements for Function-Specific Site System Roles, in this topic.
Site system role .NET Framewor k version
1

Windows Communi cation n (WCF) activation

2

Role services for the web server (IIS)

Additional prerequisites

Foundatio role

Site server

Requires both of the following:

Not applicabl e

Not applicable

Windows feature: Remote Differential Compression By default, a secondary site installs a management point and a distribution point.
130

Site system role

.NET Framewor k version

1

Windows Communi cation n (WCF) activation

2

Role services for the web server (IIS)

Additional prerequisites

Foundatio role

Database server

3.5 SP1 4.0 Not applicabl e Not applicable

Therefore secondary sites must meet the prerequisites for these site system roles.

Not applicable

A version of SQL Server that Configuration Manager supports must be installed on this computer. During installation of the Configuration Manager site, the remote registry service must be enabled on the computer that hosts the site database. When you install SQL Server Express as part of a secondary site installation, the secondary site server computer must meet the requirements for SQL Server Express.

SMS Provider Server Applicatio n Catalog web service point

Not applicable

Not applicabl e Requires the following options for WCF activation : H TTP Activ ation NonHTT P Activ ation

Not applicable

Not applicable

Requires both of the following: 3.5 SP1 4.0

Requires the default IIS configuration with the following additions: Appli cation Develop ment: ASP. NET (and auto

Not applicable

131

Site system role

.NET Framewor k version

1

Windows Communi cation n (WCF) activation

2

Role services for the web server (IIS)

Additional prerequisites

Foundatio role

mati cally selec ted optio ns) IIS 6 Manage ment Compati bility: IIS 6 Meta base Com patib ility Not applicable

Applicatio n Catalog website point

Requires the following: 4.0

Not applicabl e

Requires the default IIS configuration with the following additions: Common HTTP Features : Stati c Cont ent Defa

132

Site system role

.NET Framewor k version

1

Windows Communi cation n (WCF) activation

2

Role services for the web server (IIS)

Additional prerequisites

Foundatio role

ult Docu ment Appli cation Develop ment: ASP. NET (and auto mati cally selec ted optio 3 ns) Security: Wind ows Auth entic ation IIS 6 Manage ment Compati bility: IIS 6 Meta base Com
133

Site system role

.NET Framewor k version

1

Windows Communi cation n (WCF) activation

2

Role services for the web server (IIS)

Additional prerequisites

Foundatio role

patib ility Asset Intelligenc e synchroni zation point Distributio 4 n point Requires the following: 4.0 Not applicabl e Not applicable Not applicable

Not applicable

Not applicabl e

You can use the default IIS configuration , or a custom configuration . To use a custom IIS configuration , you must enable the following options for IIS: Appli cation Develop ment: I SAPI Exte nsio ns Security:

Windows feature: Remote Differential Compression To support PXE or multicast, install and configure the following Windows role: Windows Deployment Services (WDS) Note For Windows Server 2008, Windows Server 2008 R2, WDS is installed and configured automatically when you configure a distribution point to support PXE or Multicast. For Windows Server 2003, you must install and configure WDS manually. For Configuration Manager with no service pack, to support PXE on a distribution point that is on a computer remote from the site server, you should install the following: Microsoft Visual C++ 2008 Redistributable. Note You can run the Microsoft Visual C++ 2008 Redistributable Setup from the Configuration Manager
134

Site system role

.NET Framewor k version

1

Windows Communi cation n (WCF) activation

2

Role services for the web server (IIS)

Additional prerequisites

Foundatio role

Wind ows Auth entic ation IIS 6 Manage ment Compati bility: IIS 6 Meta base Com patib ility IIS 6 WMI Com patib ility

installation at: <ConfigMgrInstallationFolder>\Cl ient\x64\vcredist_x64.exe For Configuration Manager SP1, vcredist_x64.exe is installed automatically when you configure a distribution point to support PXE. With Configuration Manager SP1, you can use a cloud service in Windows Azure to host a distribution point. For more information, see the section Planning for Distribution Points for Windows Azure in the Planning for Content Management in Configuration Manager topic.

When you use a custom IIS configuration , you can remove options that are not required, such as the following: Common HTTP
135

Site system role

.NET Framewor k version

1

Windows Communi cation n (WCF) activation

2

Role services for the web server (IIS)

Additional prerequisites

Foundatio role

Features : HTT P Redi recti on IIS Manage ment Scripts and Tools Not applicable

Endpoint Requires Protection the point following: 3.5 SP1

Not applicabl e

Not applicable

Enrollmen Requires t point the following: 3.5 SP1 for Confi gurati on Mana ger with no servic e pack

Requires the following options for WCF activation : H TTP Activ ation NonHTT P

Requires the default IIS configuration with the following additions: Appli cation Develop ment: ASP. NET

Not applicable

136

Site system role

.NET Framewor k version

1

Windows Communi cation n (WCF) activation

2

Role services for the web server (IIS)

Additional prerequisites

Foundatio role

4.0 for Confi gurati on Mana ger with SP1

Activ ation

(and auto mati cally selec ted optio 3 ns) Requires the default IIS configuration with the following additions: Appli cation Develop ment: ASP. NET (and auto mati cally selec ted optio 3 ns) Not applicable

Enrollmen Requires t proxy the point following: 3.5 SP1 for Confi gurati on Mana ger with no servic e pack 4.0 for Confi gurati on Mana ger with SP1

Requires the following options for WCF activation : H TTP Activ ation NonHTT P Activ ation

Fallback status

Not applicable

Not applicabl

Requires the default IIS

Not applicable

137

Site system role

.NET Framewor k version

1

Windows Communi cation n (WCF) activation

2

Role services for the web server (IIS)

Additional prerequisites

Foundatio role

point

configuration with the following additions: IIS 6 Manage ment Compati bility: IIS 6 Meta base Com patib ility Windows feature: BITS Server Extensions (and automatically selected options), or Background Intelligent Transfer Services (BITS) (and automatically selected options)

Managem ent point

Configurat Not ion applicabl Manager e with no service pack: M anage ment points that suppo rt mobil e devic es requir e the .NET

You can use the default IIS configuration , or a custom configuration 5 . To use a custom IIS configuration , you must enable the following options for IIS: Appli cation Develop ment:

138

Site system role

.NET Framewor k version

1

Windows Communi cation n (WCF) activation

2

Role services for the web server (IIS)

Additional prerequisites

Foundatio role

Fram ework 3.5 5 SP1 Configurat ion Manager with SP1: All mana geme nt points requir e the .NET Fram ework 4

I SAPI Exte nsio ns Security: Wind ows Auth entic ation IIS 6 Manage ment Compati bility: IIS 6 Meta base Com patib ility IIS 6 WMI Com patib ility

When you use a custom IIS configuration you can remove

139

Site system role

.NET Framewor k version

1

Windows Communi cation n (WCF) activation

2

Role services for the web server (IIS)

Additional prerequisites

Foundatio role

options that are not required, such as the following: Common HTTP Features : HTT P Redi recti on IIS Manage ment Scripts and Tools Not applicable

Out of band service point

Requires the following: 4.0

Requires the following options for WCF activation : H TTP Activ ation NonHTT

Not applicable

140

Site system role

.NET Framewor k version

1

Windows Communi cation n (WCF) activation

2

Role services for the web server (IIS)

Additional prerequisites

Foundatio role

P Activ ation Reporting services point Requires the following: 4.0 Not applicabl e Not applicable SQL Server Reporting Services installed and configured to use at least one instance for the reporting services point. The instance you use for SQL Server Reporting Services can be the same instance you use for the site database. Additionally, the instance you use can be shared with other System Center products as long as the other System Center products do not have restrictions for sharing the instance of SQL Server. Windows Server Update Services (WSUS) 3.0 SP2 must be installed on this computer.

Software update point

Requires both of the following: 3.5 SP1 4.0

Not applicabl e

Requires the default IIS configuration

State migration point System Health Validator point Windows Intune connector

Not applicable

Not applicabl e Not applicabl e

Requires the default IIS configuration Not applicable

Not applicable

Not applicable

This site system role is supported only on a NAP health policy server.

Requires the following: 4.0

Not applicabl e

Not applicable

Not applicable

141

Install the full version of the Microsoft.NET Framework before you install the site system roles. For example, see the Microsoft .NET Framework 4 (Stand-Alone Installer). Important The Microsoft .NET Framework 4 Client Profile is insufficient for this requirement.
2

You can configure WCF activation as part of the .NET Framework Windows feature on the site system server. For example, on Windows Server 2008 R2, run the Add Features Wizard to install additional features on the server. On the Select Features page, expand NET Framework 3.5.1 Features, then expand WCF Activation, and then select the check box for both HTTP Activation and Non-HTTP Activation to enable these options.
3

In some scenarios, such as when IIS is installed or reconfigured after the .NET Framework version 4.0 is installed, you must explicitly enable ASP.NET version 4.0. For example, on a 64-bit computer that runs the .NET Framework version 4.0.30319, run the following command: %windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe i enable
4

You must manually install IIS on computers that run a supported version of Windows Server 2003. Additionally, to install IIS and configure the additional Windows features, the computer might require access to the Windows Server 2003 source media.
5

Each management point that you enable to support mobile devices requires the additional IIS configuration for ASP.NET (and its automatically selected options). With this requirement, review note 3 for applicability to your installation. Prerequisites for Site System Roles on Windows Server 2012 For System Center 2012 SP1 only: The following table identifies prerequisites that are required by Configuration Manager site system roles you install on Windows Server 2012. For information about prerequisites for site system roles on supported operating systems prior to Windows Server 2012, see Prerequisites for Site System Roles. Some prerequisites, such as SQL Server for the site database server, or Windows Server Update Services (WSUS) for the software update point, might require additional prerequisites that are not directly required by the site system role. For site system roles that require Internet Information Services (IIS), use a version of IIS that the computer supports that runs the site system role. For information, see the following sections, Operating System Requirements for Typical Site System Roles and Operating System Requirements for Function-Specific Site System Roles, in this topic.
Site system role Windows Server Roles and Features Additional prerequisites

Site server

Features: .NET Framework 3.5 .NET Framework 4 Remote Differential

By default, a secondary site installs a management point and a distribution point. Therefore secondary sites must meet the prerequisites for these site system
142

Site system role

Windows Server Roles and Features

Additional prerequisites

Compression Database server Not applicable

roles. A version of SQL Server that Configuration Manager supports must be installed on this computer. During installation of the Configuration Manager site, the remote registry service must be enabled on the computer that hosts the site database. When you install SQL Server Express as part of a secondary site installation, the secondary site server computer must meet the requirements for SQL Server Express.

SMS Provider Server Application Catalog web service point

Not applicable Features: .NET Framework 3.5 HTTP Activation (and automatically selected options) ASP.NET 4.5

Not applicable Not applicable

.NET Framework 4.5

IIS Configuration: Common HTTP Features: Default Document IIS 6 Management Compatibility: IIS 6 Metabase Compatibility ASP.NET 3.5 (and automatically selected options) .NET Extensibility 3.5 Not applicable

Application Development:

Application Catalog website point

Features: .NET Framework 3.5

143

Site system role

Windows Server Roles and Features

Additional prerequisites

.NET Framework 4.5 ASP.NET 4.5

IIS Configuration: Common HTTP Features: Default Document Static Content ASP.NET 3.5 (and automatically selected options) ASP.NET 4.5 (and automatically selected options) .NET Extensibility 3.5 .NET Extensibility 4.5 Windows Authentication

Application Development:

Security:

IIS 6 Management Compatibility: IIS 6 Metabase Compatibility Not applicable

Asset Intelligence synchronization point Distribution point

Features: .NET Framework 4

Features: Remote Differential Compression Application Development: ISAPI Extensions Windows Authentication Security:

To support PXE or multicast, install and configure the following Windows role: Windows Deployment Services (WDS) Note WDS installs and configures automatically when you configure a distribution point to support PXE or Multicast on Windows Server 2012.
144

IIS Configuration:

IIS 6 Management Compatibility: IIS 6 Metabase Compatibility

Site system role

Windows Server Roles and Features

Additional prerequisites

IIS 6 WMI Compatibility

For Configuration Manager with SP1, to support PXE on a distribution point that is on a computer remote from the site server, install the following: Microsoft Visual C++ 2008 Redistributable. Note For Windows Server 2012, the vcredist_x64.exe is installed automatically when you configure a distribution point to support PXE. PowerShell 3.0 is required on Windows Server 2012 before you install the distribution point.

With Configuration Manager SP1, you can use a cloud service in Windows Azure to host a distribution point. For more information, see the section Planning for Distribution Points for Windows Azure in the Planning for Content Management in Configuration Manager topic. Endpoint Protection point Features: Enrollment point .NET Framework 3.5 SP1 Not applicable Not applicable

Features: .NET Framework 3.5 HTTP Activation ASP.NET 4.5 Default Document .NET Framework 4.5 Common HTTP Features: Application Development:

145

Site system role

Windows Server Roles and Features

Additional prerequisites

ASP.NET 3.5 .NET Extensibility 3.5

IIS 6 Management Compatibility: IIS 6 Metabase Compatibility Not applicable

Enrollment proxy point

Features: .NET Framework 3.5 .NET Framework 4.5 ASP.NET 4.5

IIS Configuration: Common HTTP Features: Default Document Static Content ASP.NET 3.5 (and automatically selected options) ASP.NET 4.5 (and automatically selected options) .NET Extensibility 3.5 .NET Extensibility 4.5 Windows Authentication

Application Development:

Security:

IIS 6 Management Compatibility: IIS 6 Metabase Compatibility Not applicable

Fallback status point

Requires the default IIS configuration with the following additions: IIS Configuration: IIS 6 Management Compatibility: IIS 6 Metabase

146

Site system role

Windows Server Roles and Features

Additional prerequisites

Compatibility Management point Features: .NET Framework 4 BITS Server Extensions (and automatically selected options), or Background Intelligent Transfer Services (BITS) (and automatically selected options) Application Development: ISAPI Extensions Windows Authentication Security: Not applicable

IIS Configuration:

IIS 6 Management Compatibility: IIS 6 Metabase Compatibility IIS 6 WMI Compatibility Not applicable

Out of band service point

Features: .NET Framework 4 HTTP Activation Non-HTTP Activation

Reporting services point

Features: .NET Framework 4

SQL Server Reporting Services installed and configured to use at least one instance for the reporting services point. The instance you use for SQL Server Reporting Services can be the same instance you use for the site database. Additionally, the instance you use can be shared with other System Center products as long as the other System Center products do not have restrictions for sharing
147

Site system role

Windows Server Roles and Features

Additional prerequisites

the instance of SQL Server. Software update point Features: .NET Framework 3.5 SP1 .NET Framework 4 Windows server role: Windows Server Update Services

Requires the default IIS configuration State migration point Requires the default IIS configuration Not applicable Not applicable

System Health Validator point Windows Intune connector

This site system role is supported only on a NAP health policy server. Not applicable

Features: .NET Framework 4

Minimum Hardware Requirements for Site Systems This section identifies the minimum required hardware requirements for Configuration Manager site systems. These requirements are sufficient to support all features of Configuration Manager in an environment with up to 100 clients. This information is suitable for testing environments. For guidance about the recommended hardware for Configuration Manager in full-scale production environments, see Planning for Hardware Configurations for Configuration Manager. The following minimum requirements apply to all site types (central administration site, primary site, secondary site) when you install all available site system roles on the site server computer.
Hardware component Requirement

Processor

Minimum: AMD Opteron, AMD Athlon 64, Intel Xeon with Intel EM64T support, Intel Pentium IV with EM64T support Minimum: 1.4 GHz Minimum: 2 GB Available: 10 GB Total: 50 GB

RAM Free disk space

Operating System Requirements for Site Servers, Database Servers, and the SMS Provider The following table specifies the operating systems that can support System Center 2012 Configuration Manager site servers, the database server, and the SMS Provider site system role. The table also specifies the Configuration Manager versions that support each operating system.
148

Operating system

System architectu re

Central administrati on site

Primary site

Secondary site
1

Site database server

1, 2

SMS Provider

Windows Server 2008 Standard Edition (SP2) Enter prise Edition (SP2) Datac enter Edition (SP2) Windows Server 2008 R2 Standard Edition with no service pack, or with SP1) Enter prise Edition (with no service pack, or with SP1) Datac enter Edition (with no service pack, or with SP1)

x64

Configuratio Configurati n on Manage Manag r with no er with service no pack service pack Configuratio n Manage r with SP1 Configurati on Manag er with SP1

Configurati on Manag er with no service pack Configurati on Manag er with SP1

Configurati on Manag er with no service pack Configurati on Manag er with SP1

Configurati on Manag er with no service pack Configurati on Manag er with SP1

x64

Configuratio Configurati n on Manage Manag r with no er with service no pack service pack Configuratio n Manage r with SP1 Configurati on Manag er with SP1

Configurati on Manag er with no service pack Configurati on Manag er with SP1

Configurati on Manag er with no service pack Configurati on Manag er with SP1

Configurati on Manag er with no service pack Configurati on Manag er with SP1

149

Operating system

System architectu re

Central administrati on site

Primary site

Secondary site
1

Site database server

1, 2

SMS Provider

Windows Server 2012 Datac enter

1

x64

Standard

Configuratio n Manage r with SP1

Configurati on Manag er with SP1

Configurati on Manag er with SP1

Configurati on Manag er with SP1

Configurati on Manag er with SP1

Site database servers are not supported on a read-only domain controller (RODC). For more information, see You may encounter problems when installing SQL Server on a domain controller in the Microsoft Knowledge Base. Additionally, secondary site servers are not supported on any domain controller. 2 For more information about the versions of SQL Server that Configuration Manager supports, see Configurations for the SQL Server Site Database in this topic. Operating System Requirements for Typical Site System Roles The following table specifies the operating systems that can support multi-function site system roles, and the Configuration Manager versions that support each operating system.
Operating system System e Distribution
3

Enrollment point and enrollment proxy point

Fallback status point

Managemen t point

Windows Intune connector

architectur point

Windows Vist a Business Edition (SP1) Enterprise Edition (SP1) Ultimate Edition (with no service pack, or with SP1)

x64

Configuratio Not n supported Manag er with no service 1, 2 pack Configuratio n Manag er with 1, 2 SP1

Not supported

Not supported

Not supported

Windows 7 Profe

x86, x64

Configuratio Not n supported Manag

Not supported

Not supported

Not supported
150

Operating system

System e

Distribution
3

Enrollment point and enrollment proxy point

Fallback status point

Managemen t point

Windows Intune connector

architectur point

ssional (with no service pack, or with SP1) Enterprise Editions (with no service pack, or with SP1) Ultimate Editions (with no service pack, or with SP1) x86, x64

er with no service 1, 2 pack Configuratio n Manag er with 1, 2 SP1

Windows 8 Pro Enterprise

Configuratio Not n supported Manag er with 1, 2 SP1 Configuratio Not n supported Manag er with no service 2 4 pack , Configuratio n Manag er with 2 4 SP1 ,

Not supported

Not supported

Not supported

Windows Server 2003 R2 Standard Edition Enterprise Edition

x86, x64

Not supported

Not supported

Not supported

Windows Server 2003

x86, x64

Configuratio Not n supported Manag

Not supported

Not supported

Not supported
151

Operating system

System e

Distribution
3

Enrollment point and enrollment proxy point

Fallback status point

Managemen t point

Windows Intune connector

architectur point

Standard Edition (SP2) Enterprise Edition (SP2) Datacenter Edition (SP2)

er with no service 2 4 pack , Configuratio n Manag er with 2 4 SP1 ,

Windows Server 2003 Web Edition (SP2) Storage Server Edition (SP2)

x86

Configuratio Not n supported Manag er with no service 2 4 pack , Configuratio n Manag er with 2 4 SP1 ,

Not supported

Not supported

Not supported

Windows Server 2008 Standard Edition (SP2) Enterprise Edition (SP2) Datac enter Edition (SP2)

x86, x64

Configuratio Configuratio Configuratio Configuratio Configuratio n n n n n Manag Manag Manag Manag Manag er with er with er with er with er with no no no no SP1 service service service service 2 4 pack , pack pack pack Configuratio Configuratio Configuratio Configuratio n n n n Manag Manag Manag Manag er with er with er with er with 2 4 SP1 , SP1 SP1 SP1

152

Operating system

System e

Distribution
3

Enrollment point and enrollment proxy point

Fallback status point

Managemen t point

Windows Intune connector

architectur point

Windows Server 2008 R2 Standard Edition (with no service pack, or with SP1) Enterprise Edition (with no service pack, or with SP1) Datac enter Edition (SP1) Windows Storage Server 2008 R2 Work group Standard Enterprise

x64

Configuratio Configuratio Configuratio Configuratio Configuratio n n n n n Manag Manag Manag Manag Manag er with er with er with er with er with no no no no SP1 service service service service pack pack pack pack Configuratio Configuratio Configuratio Configuratio n n n n Manag Manag Manag Manag er with er with er with er with SP1 SP1 SP1 SP1

x64

Configuratio Not n supported Manag er with no service 2 pack Configuratio n Manag er with 2 SP1

Not supported

Not supported

Not supported

Windows Server 2012 Datac Standard

x64

Configuratio Configuratio Configuratio Configuratio Configuratio n n n n n Manag Manag Manag Manag Manag er with er with er with er with er with SP1 SP1 SP1 SP1 SP1

153

Operating system

System e

Distribution
3

Enrollment point and enrollment proxy point

Fallback status point

Managemen t point

Windows Intune connector

architectur point

enter
1 2 3

Distribution points on this operating system are not supported for PXE. Distribution points on this operating system version do not support Multicast.

Unlike other site system roles, distribution points are supported on some 32-bit operating systems. Distribution points also support several different configurations that each have different requirements and in some cases support installation not only on servers, but on client operating systems. For more information about the options available for distribution points, see Prerequisites for Content Management in Configuration Manager in the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide.
4

Distribution points on this operating system version are supported for PXE, but they do not support network booting of client computers in EFI mode. Client computers with BIOS or with EFI booting in legacy mode are supported. Operating System Requirements for Function-Specific Site System Roles The following table specifies the operating systems that are supported for use with each featurespecific Configuration Manager site system role, and the Configuration Manager versions that support each operating system.
Operatin g system Syste m archite cture Applica tion Catalog web service point and Applica tion Catalog website point Asset Intelligen ce synchro nization point Endpoi nt Protecti on point Out of band service point Reporti ng service s point Softwar e update point State migrati on point System Health Validat or point

Windows x64 Server 2 008 Stan dard

Configu Configur Configu Configu Configu Configu Configu Configu rati ation rati rati rati rati rati rati on Man on on on on on on Ma ager Ma Ma Ma Ma Ma Ma nag with nag nag nag nag nag nag er no er er er er er er wit servi wit wit wit wit wit wit
154

Operatin g system

Syste m archite cture

Applica tion Catalog web service point and Applica tion Catalog website point

Asset Intelligen ce synchro nization point

Endpoi nt Protecti on point

Out of band service point

Reporti ng service s point

Softwar e update point

State migrati on point

System Health Validat or point

Editi on (SP2 ) Ente rpris e Editi on (SP2 ) Data cent er Editi on (SP2 ) Windows x64 Server 2 008 R2 Stan dard Editi on (with

h ce h h h h h h no pack no no no no no no ser Configur ser ser ser ser ser ser vic vic vic vic vic vic vic ation e e e e e e e Man pac pac pac pac pac pac pac ager k k k k k k k with Configu SP1 Configu Configu Configu Configu Configu Configu rati rati rati rati rati rati rati on on on on on on on Ma Ma Ma Ma Ma Ma Ma nag nag nag nag nag nag nag er er er er er er er wit wit wit wit wit wit wit h h h h h h h SP SP SP SP SP SP SP 1 1 1 1 1 1 1

Configu Configur Configu Configu Configu Configu Configu Configu rati ation rati rati rati rati rati rati on Man on on on on on on Ma ager Ma Ma Ma Ma Ma Ma nag with nag nag nag nag nag nag er no er er er er er er wit servi wit wit wit wit wit wit h ce h h h h h h no pack no no no no no no
155

Operatin g system

Syste m archite cture

Applica tion Catalog web service point and Applica tion Catalog website point

Asset Intelligen ce synchro nization point

Endpoi nt Protecti on point

Out of band service point

Reporti ng service s point

Softwar e update point

State migrati on point

System Health Validat or point

no servi ce pack , or with SP1) Ente rpris e Editi on (with no servi ce pack , or with SP1) Data cent er Editi on (SP1 ) Windows x64

ser Configur ser ser ser ser ser ser vic ation vic vic vic vic vic vic e Man e e e e e e pac ager pac pac pac pac pac pac k with k k k k k k SP1 Configu Configu Configu Configu Configu Configu Configu rati rati rati rati rati rati rati on on on on on on on Ma Ma Ma Ma Ma Ma Ma nag nag nag nag nag nag nag er er er er er er er wit wit wit wit wit wit wit h h h h h h h SP SP SP SP SP SP SP 1 1 1 1 1 1 1

Configu Configur

Configu Configu Configu Configu Configu Configu

156

Operatin g system

Syste m archite cture

Applica tion Catalog web service point and Applica tion Catalog website point

Asset Intelligen ce synchro nization point

Endpoi nt Protecti on point

Out of band service point

Reporti ng service s point

Softwar e update point

State migrati on point

System Health Validat or point

Server 2 012 Stan dard Data cent er

rati on Ma nag er wit h SP 1

ation Man ager with SP1

rati on Ma nag er wit h SP 1

rati on Ma nag er wit h SP 1

rati on Ma nag er wit h SP 12

rati on Ma nag er wit h SP 1

rati on Ma nag er wit h SP 1

rati on Ma nag er wit h SP 1

Computer Client Requirements The following sections describe the operating systems and hardware supported for System Center 2012 Configuration Manager computer client installation on Windows-based computers. Make sure that you also review Prerequisites for Windows Client Deployment in Configuration Manager for a list of dependencies for the installation of the Configuration Manager client on computers and mobile devices. Computer Client Hardware Requirements The following are minimum requirements for Windows-based computers that you manage with Configuration Manager.
Requirement Details

Processor and memory

Refer to the processor and RAM requirements for the computers operating system. Note An exception to this is Windows XP and Windows 2003, which both require
157

Requirement

Details

a minimum of 256 MB of RAM. Disk space 500 MB available disk space, with 5 GB recommended for the Configuration Manager client cache. Less disk space is required if you use customized settings to install the Configuration Manager client: Use the CCMSetup command-line property /skippprereq to avoid installing files that the client does not require. For example, CCMSetup.exe /skipprereq:silverlight.exe if the client will not use the Application Catalog. Use the Client.msi property SMSCACHESIZE to set a cache file that is smaller than the default of 5120 MB. The minimum size is 1 MB. For example, CCMSetup.exe SMSCACHESIZE=2.

For more information about these client installation settings, see About Client Installation Properties in Configuration Manager. Tip Installing the client with minimal disk space is useful for Windows Embedded devices that typically have smaller disk sizes than standard Windows computers. The following are additional hardware requirements for optional functionality in Configuration Manager.
Function Minimum hardware requirements

Operating system deployment Software Center

384 MB of RAM 500 MHz processor

Remote Control

Pentium 4 Hyper-Threaded 3 GHz (single core) or comparable CPU, with at least a 1 GB RAM
158

Function

Minimum hardware requirements

for optimal experience. Out of Band Management Desktop or portable computers must have the Intel vPro Technology or Intel Centrino Pro and a supported version of Intel AMT.

Operating System Requirements for Configuration Manager Client Installation The following table specifies the operating systems that are supported for Configuration Manager client installation, and the versions of Configuration Manager that support each operating system. For server platforms, client support is independent of any other service that runs on that server unless noted otherwise. For example, the client is supported on domain controllers and servers that run cluster services or terminal services.
Operating system System architecture System Center 2012 Configuration Manager version

Windows XP Professional (SP3)

x86

Configuration Manager with no service pack Configuration Manager with SP1

Windows XP Professional for 64-bit Systems (SP2)

x64

Configuration Manager with no service pack Configuration Manager with SP1

Windows XP Tablet PC (SP3)

x86

Configuration Manager with no service pack Configuration Manager with SP1

Windows Vista Business Edition (SP2) Enterprise Edition (SP2) Ultimate Edition (SP2)

x86, x64

Configuration Manager with no service pack Configuration Manager with SP1

Windows 7 Professional (with no service pack, or with SP1) Enterprise Editions (with no service pack, or with SP1) Ultimate Editions (with no service pack, or with SP1)

x86, x64

Configuration Manager with no service pack Configuration Manager with SP1

Windows 8 Pro

x86, x64

Configuration Manager with SP1

159

Operating system

System architecture

System Center 2012 Configuration Manager version

Enterprise x86 Configuration Manager with no service pack Configuration Manager with SP1

Windows Server 2003 Web Edition (SP2)

Windows Server 2003 Standard Edition (SP2) Enterprise Edition (SP2) Datacenter Edition (SP2)
1

x86, x64

Configuration Manager with no service pack Configuration Manager with SP1

Windows Server 2003 R2 SP2 Standard Edition Enterprise Edition Datacenter Edition
1

x86, x64

Configuration Manager with no service pack Configuration Manager with SP1

Windows Storage Server 2003 R2 SP2

x86, x64

Configuration Manager with no service pack Configuration Manager with SP1

Windows Server 2008 Standard Edition (SP2) Enterprise Edition (SP2) Datacenter Edition (SP2)
1

x86, x64

Configuration Manager with no service pack Configuration Manager with SP1

The Server Core installation of Windows Server 2008 (SP2)

x86, x64

Configuration Manager with no service pack Configuration Manager with SP1

Windows Storage Server 2008 R2 Workgroup Standard Enterprise

x64

Configuration Manager with no service pack Configuration Manager with SP1

Windows Server 2008 R2 Standard Edition (with no service pack, or with SP1) Enterprise Edition (with no service pack, or with SP1) Datacenter Edition (with no 1 service pack, or with SP1)

x64

Configuration Manager with no service pack Configuration Manager with SP1

160

Operating system

System architecture

System Center 2012 Configuration Manager version

The Server Core installation of Windows Server 2008 R2 (with no service pack, or with SP1) Windows Server 2012
1

x64

Configuration Manager with no service pack Configuration Manager with SP1

x64

Configuration Manager with SP1

Standard Datacenter
1

Datacenter releases are supported but not certified for System Center 2012 Configuration Manager. Hotfix support is not offered for issues specific to Windows Server Datacenter Edition. Embedded Operating System Requirements for Configuration Manager Clients System Center 2012 Configuration Manager and System Center 2012 Endpoint Protection support clients for integration with Windows Embedded. Support limitations for Windows Embedded: All client features are supported natively on supported Windows Embedded systems that do not have write filters enabled. Configuration Manager SP1 clients that use Enhanced Write Filters (EWF) RAM or File Based Write Filters (FBWF) are natively supported for all features except power management. For Configuration Manager with no service pack, Windows Embedded systems that have write filters enabled must use task sequences to deploy to embedded devices, and the task sequences must include steps to disable and then restore the write filters. The Application Catalog is not supported for any Windows Embedded device. Windows Embedded operating systems based on Windows XP are only supported for Endpoint Protection in Configuration Manager SP1. Before you can monitor detected malware on Windows Embedded devices based on Windows XP, you must install the Microsoft Windows WMI scripting package on the embedded device. Use Windows Embedded Target Designer to install this package. The files WBEMDISP.DLL and WBEMDISP.TLB must exist and be registered in the folder %windir%\System32\WBEM on the embedded device to ensure that detected malware is reported. Note In Configuration Manager SP1, new options are added to control the behavior of Windows Embedded write filters when you install the Endpoint Protection client. For more information, see Introduction to Endpoint Protection in Configuration Manager. The following table specifies the Windows Embedded versions that are supported with Configuration Manager and Endpoint Protection, and the versions of Configuration Manager and Endpoint Protection that support each Windows Embedded version.

161

Windows Embedded operating system

Base operating system

System architectur e

System Center 2012 Configuration Manag er version

System Center 2012 Endpoint Protection version

Windows Embedded Standard 2009

Windows X P SP3

x86

Configuration Manager with no service pack Configuration Manager with SP1

Endpoint Prot ection with SP1

Windows XP Embedded SP3

Windows X P SP3

x86

Configuration Manager with no service pack Configuration Manager with SP1

Endpoint Prot ection with SP1

Windows Fundamental Windows X s for Legacy PCs P SP3 (WinFLP)

x86

Configuration Manager with no service pack Configuration Manager with SP1

Endpoint Prot ection with SP1

Windows Embedded POSReady 2009

Windows X P SP3

x86

Configuration Manager with no service pack Configuration Manager with SP1

Endpoint Prot ection with SP1

WEPOS 1.1 with SP3

Windows X P SP3

x86

Configuration Manager with no service pack Configuration Manager with SP1

Endpoint Prot ection with SP1

Windows Embedded Standard 7 with SP1

Windows 7

x86, x64

Configuration Manager with no service pack Configuration Manager with

Endpoint Prot ection with no service pack Endpoint Prot

162

Windows Embedded operating system

Base operating system

System architectur e

System Center 2012 Configuration Manag er version

System Center 2012 Endpoint Protection version

SP1 Windows Embedded POSReady 7 Windows 7 x86, x64 Configuration Manager with no service pack Configuration Manager with SP1 Windows Thin PC Windows 7 x86, x64 Configuration Manager with no service pack Configuration Manager with SP1

ection with SP1 Endpoint Prot ection with no service pack Endpoint Prot ection with SP1 Endpoint Prot ection with no service pack Endpoint Prot ection with SP1

Client Requirements for Mac Computers Note For Configuration Manager SP1 only: The client for Mac is supported only on Mac computers that use an Intel 64-bit chipset. The following operating systems are supported for the Configuration Manager client for Mac computers: Mac OS X 10.6 (Snow Leopard) Mac OS X 10.7 (Lion)

For more information about computers that run Mac OS X, see How to Install Clients on Mac Computers in Configuration Manager. Client Requirements for Linux and UNIX Servers Note For Configuration Manager SP1 only: Use the information in the following sections to identify requirements to support the Configuration Manager client for Linux and UNIX. For more information about computers that run Linux or UNIX, see the Deploying the Configuration Manager Client to Linux and UNIX Servers section in the Introduction to Client Deployment in Configuration Manager topic. Supported Distributions of Linux and UNIX

163

The following table identifies the operating systems that are supported for the Configuration Manager client for Linux and UNIX:
Operating System Version

Red Hat Enterprise Linux (RHEL)

Version 4 (x86 and x64) Version 5 (x86 and x64) Version 6 (x86 and x64) Version 9 (SPARC) Version 10 (x86 and SPARC) Version 9 (x86) Version 10 SP1 (x86 and x64) Version 11 (x86 and x64)

Solaris

SUSE Linux Enterprise Server (SLES)

Hardware and Disk Space Requirements The following are minimum hardware requirements for computers that you manage with the Configuration Manager client for Linux and UNIX.
Requirement Details

Processor and memory

Refer to the processor and RAM requirements for the computers operating system. 500 MB available disk space, with 5 GB recommended for the Configuration Manager client cache. Configuration Manager client computers must have network connectivity to Configuration Manager site systems to enable management.

Disk space

Network connectivity

Mobile Device Requirements The following sections describe the hardware and operating systems that are supported for managing mobile devices in System Center 2012 Configuration Manager. Note The following mobile device clients are not supported in the Configuration Manager hierarchy: Device management clients from System Management Server 2003 and Configuration Manager 2007 Windows CE Platform Builder device management client (any version) System Center Mobile Device Manager VPN connection
164

Mobile Devices Enrolled by Configuration Manager The following sections describe the hardware and operating systems that are supported for the mobile devices enrolled by System Center 2012 Configuration Manager. Enrolled Mobile Device Client Language and Operating System Requirements The following table lists the platforms and languages that support Configuration Manager enrollment and the versions of Configuration Manager that support each platform.
Operating system System Center 2012 Configuration Manager version Supported languages

Windows Mobile 6.1

Configuration Manager with no service pack Configuration Manager with SP1

Chinese (Simplified) Chinese (Traditional) English (US) French (France) German Italian Japanese Korean Portuguese (Brazil) Russian Spanish (Spain) Chinese (Simplified) Chinese (Traditional) English (US) French (France) German Italian Japanese Korean Portuguese (Brazil) Russian Spanish (Spain) Arabic Basque (Basque) Bulgarian Catalan Chinese (Hong Kong SAR) Chinese (Simplified)
165

Windows Mobile 6.5

Configuration Manager with no service pack Configuration Manager with SP1

Nokia Symbian Belle

Configuration Manager with no service pack Configuration Manager with SP1

Operating system

System Center 2012 Configuration Manager version

Supported languages

Chinese (Traditional) Croatian Czech Danish Dutch English (UK) English (US) Estonian Farsi Finnish French (Canada) French (France) Galician German Greek Hebrew Hungarian Icelandic Indonesian Italian Kazakh Korean Latvian Lithuanian Malay Norwegian Polish Portuguese (Brazil) Portuguese (Portugal) Romanian Russian Serbian (Latin/Cyrillic) Slovak Slovenian Spanish (Latin America)

166

Operating system

System Center 2012 Configuration Manager version

Supported languages

Mobile Devices Enrolled by Windows Intune

Spanish (Spain) Swedish Tagalog (Filipino) Thai Turkish Ukrainian Urdu Vietnamese

For System Center 2012 SP1 only: The following table lists the platforms and languages that are supported for mobile devices that are enrolled by Windows Intune and you use the Windows Intune connector in Configuration Manager. Important You must have a subscription to Windows Intune to manage the following operating systems.
Operating system System Center 2012 Configuration Manager version Company portal supported languages

Windows Phone 8

Configuration Manager with SP1

Chinese (Simplified) Chinese (Traditional) Czech Danish Dutch English (US) Finnish French (France) German Greek Hungarian Italian Japanese Korean Norwegian Polish

167

Operating system

System Center 2012 Configuration Manager version

Company portal supported languages

Windows RT Configuration Manager with SP1 iOS Configuration Manager with SP1

Portuguese (Brazil) Romanian Russian Spanish (Spain) Swedish Turkish Chinese (Simplified) Chinese (Traditional) Czech Danish Dutch English (US) Finnish French (France) German Greek Hungarian Italian Japanese Korean Norwegian Polish Portuguese (Brazil) Romanian Russian Spanish (Spain) Swedish Turkish Chinese (Simplified) Chinese (Traditional) Czech Danish Dutch English (US) Finnish
168

Operating system

System Center 2012 Configuration Manager version

Company portal supported languages

Android Configuration Manager with SP1

French (France) German Greek Hungarian Italian Japanese Korean Norwegian Polish Portuguese (Brazil) Romanian Russian Spanish (Spain) Swedish Turkish Chinese (Simplified) Chinese (Traditional) Czech Danish Dutch English (US) Finnish French (France) German Greek Hungarian Italian Japanese Korean Norwegian Polish Portuguese (Brazil) Romanian Russian Spanish (Spain)
169

Operating system

System Center 2012 Configuration Manager version

Company portal supported languages

Mobile Device Support by Using the Exchange Server Connector

Swedish Turkish

System Center 2012 Configuration Manager offers limited management for mobile devices when you use the Exchange Server connector for Exchange Active Sync (EAS) capable devices that connect to a server running Exchange Server or Exchange Online. For more information about which management functions Configuration Manager supports for mobile devices that the Exchange Server connector manages, see Determine How to Manage Mobile Devices in Configuration Manager. The following table lists the platforms that support the Exchange Server connector and which versions of Configuration Manager support each platform.
Version of Exchange Server System Center 2012 Configuration Manager version

Exchange Server 2010 SP1

Configuration Manager with no service pack Configuration Manager with SP1

Exchange Server 2010 SP2

Configuration Manager with SP1

1

Exchange Server 2013 Exchange Online (Office 365)

Configuration Manager with SP1

Configuration Manager with no service pack Configuration Manager with SP1

Includes Business Productivity Online Standard Suite.

Mobile Device Legacy Client The following sections list the hardware and operating systems that are supported for the mobile device legacy client in System Center 2012 Configuration Manager. Mobile Device Legacy Client Hardware Requirements The mobile device client requires 0.78 MB of storage space to install. In addition, logging on the mobile device can require up to 256 KB of storage space. Mobile Device Legacy Client Operating System Requirements

170

System Center 2012 Configuration Manager supports management for Windows Phone, Windows Mobile, and Windows CE when you install the Configuration Manager mobile device legacy client. Features for these mobile devices vary by platform and client type. For more information about which management functions Configuration Manager supports for the mobile device legacy client, see Determine How to Manage Mobile Devices in Configuration Manager. The following table lists the mobile device platforms that are supported with the mobile device legacy client for Configuration Manager, and the versions of Configuration Manager that support each platform.
Operating system System Center 2012 Configuration Manager version Supported languages

Windows CE 5.0 (Arm and x86 processors)

Configuration Manager with no service pack Configuration Manager with SP1

Chinese (Simplified) Chinese (Traditional) English (US) French (France) German Italian Japanese Korean Portuguese (Brazil) Russian Spanish (Spain) Chinese (Simplified) Chinese (Traditional) English (US) French (France) German Italian Japanese Korean Portuguese (Brazil) Russian Spanish (Spain) Chinese (Simplified) Chinese (Traditional) English (US) French (France) German
171

Windows CE 6.0 (Arm and x86 processors)

Configuration Manager with no service pack Configuration Manager with SP1

Windows CE 7.0 (Arm and x86 processors)

Configuration Manager with no service pack Configuration Manager with SP1

Operating system

System Center 2012 Configuration Manager version

Supported languages

Windows Mobile 6.0 Configuration Manager with no service pack Configuration Manager with SP1

Italian Japanese Korean Portuguese (Brazil) Russian Spanish (Spain) Chinese (Simplified) Chinese (Traditional) English (US) French (France) German Italian Japanese Korean Portuguese (Brazil) Russian Spanish (Spain)

Configuration Manager Console Requirements The following table lists the operating systems that are supported to run the Configuration Manager console, and the versions of the Configuration Manager console that support each operating system. Each computer that installs the Configuration Manager console requires the Microsoft .NET Framework 4.
Operating system System architecture System Center 2012 Configuration Manager version

Windows XP Professional (SP3)

x86

Configuration Manager with no service pack Configuration Manager with SP1

Windows Vista Business Edition (SP2) Enterprise Edition (SP2) Ultimate Edition (SP2)

x86, x64

Configuration Manager with no service pack Configuration Manager with SP1

Windows 7

x86, x64

Configuration Manager with no

172

Operating system

System architecture

System Center 2012 Configuration Manager version

Professional Edition (with no service pack, or with SP1) Enterprise Edition (with no service pack, or with SP1) Ultimate Edition (with no service pack, or with SP1) x86, x64

service pack Configuration Manager with SP1

Windows 8 Pro Enterprise

Configuration Manager with SP1

Windows Server 2008 Standard Edition (SP2) Enterprise Edition (SP2) Datacenter Edition (SP2)

x86, x64

Configuration Manager with no service pack Configuration Manager with SP1

Windows Server 2008 R2 Standard Edition (with no service pack, or with SP1) Enterprise Edition (with no service pack, or with SP1) Datacenter Edition (with no service pack, or with SP1)

x64

Configuration Manager with no service pack Configuration Manager with SP1

Windows Server 2012 Standard Edition Datacenter Edition

x64

Configuration Manager with SP1

Installing both the System Center 2012 Configuration Manager console and the Configuration Manager 2007 console on the same computer is supported. However, both the console and the site it connects to must both run the same version of Configuration Manager. For example, you cannot use the System Center 2012 Configuration Manager console to manage Configuration Manager 2007 sites. Also, you cannot use a console from System Center 2012 Configuration Manager with SP1 to manage a site that runs System Center 2012 Configuration Manager with no service pack, and vice versa. When a hierarchy contains sites that run System Center 2012 Configuration Manager with no service pack and sites that run System Center 2012 Configuration Manager with SP1, some features that are available in System Center 2012 Configuration Manager with SP1 are not available in the console until all sites in the hierarchy upgrade to SP1.
173

The requirements in the following table apply to each computer that runs Configuration Manager console.
Minimum hardware configuration Screen resolution

1 x Pentium 4 Hyper-Threaded 3 GHz (Intel Pentium 4 HT 630 or comparable CPU) 2 GB of RAM 2 GB of disk space.

DPI setting 96 / 100% 120 /125% 144 / 150% 196 / 200%

Minimum resolution 1024x768 1280x960 1600x1200 2500x1600

For Configuration Manager SP1 only: With Configuration Manager SP1, the Configuration Manager console supports PowerShell. When you install support for PowerShell on a computer that runs the Configuration Manager console, you can run PowerShell cmdlets on that computer to manage Configuration Manager. You can install a supported version of PowerShell before or after the Configuration Manager console installs. The following table lists the minimum required version of PowerShell for each version of Configuration Manager.
PowerShell version System architecture Configuration Manager version

PowerShell 3.0

x86

Configuration Manager SP1

Configurations for the SQL Server Site Database

Each System Center 2012 Configuration Manager site database can be installed on either the default instance or a named instance of a SQL Server installation. The SQL Server instance can be co-located with the site system server, or on a remote computer. When you use a remote SQL Server, the instance of SQL Server used to host the site database can also be configured as a SQL Server failover cluster in a single instance cluster, or a multiple instance configuration. The site database site system role is the only System Center 2012 Configuration Manager site system role supported on an instance of a Windows Server cluster. If you use a SQL Server cluster for the site database, you must add the computer account of the site server to the Local Administrators group of each Windows Server cluster node computer. Note SQL Server database mirroring is not supported for the Configuration Manager site database.

174

When you install a secondary site, you can use an existing instance of SQL Server or allow Setup to install and use an instance of SQL Server Express. Whichever option that you choose, SQL Server must be located on the secondary site server. The version of SQL Server Express that Setup installs depends on the version of Configuration Manager that you use: Configuration Manager without a service pack: SQL Server 2008 Express Configuration Manager with SP1: SQL Server 2012 Express

The following table lists the SQL Server versions that are supported by System Center 2012 Configuration Manager.
SQL Server version SQL Server service pack SQL Server cumulative update Configuration Manager version Configuration Manager site type

SQL Server 2008 Standard

1

SP2

Enterprise Datacenter

Minimum of cumulative update 9

Configuration Manager with no service pack Configuration Manager with SP1

Central administration site Primary site Secondary site

SP3

Minimum of cumulative update 4

Configuration Manager with no service pack Configuration Manager with SP1

Central administration site Primary site Secondary site

SQL Server 2008 R2 Standard

1

SP1

Minimum of cumulative update 6

Enterprise Datacenter

Configuration Manager with no service 2 pack Configuration Manager with SP1

Central administration site Primary site Secondary site

SP2

No cumulative update

Configuration Manager with no service 2 pack Configuration Manager with

Central administration site Primary site Secondary site

175

SQL Server version

SQL Server service pack

SQL Server cumulative update

Configuration Manager version

Configuration Manager site type

SP1 SQL Server 2012 Standard

1

No service pack

Enterprise

Minimum of cumulative update 2

Configuration Manager with SP1

Central administration site Primary site Secondary site

SQL Server Express 2008 R2

SP1

Minimum of cumulative update 6

Configuration Manager with no service pack Configuration Manager with SP1

Secondary site

SP2

No cumulative update

Configuration Manager with no service pack Configuration Manager with SP1

Secondary site

SQL Server 2012 Express

No service pack

Minimum of cumulative update 2

Configuration Manager with SP1

Secondary site

When you use SQL Server Standard for the database at the central administration site, the hierarchy can only support up to 50,000 clients. For more information, see Site and Site System Role Scalability.
2

Configuration Manager with no service pack does not support the site database on any version of a SQL Server 2008 R2 cluster. This includes any service pack version or cumulative update version of SQL Server 2008 R2. With Configuration Manager SP1, the site database is supported on a SQL Server 2008 R2 cluster. SQL Server Requirements The following are required configurations for each database server with a full SQL Server installation, and on each SQL Server Express installation that you manually configure for secondary sites. You do not have to configure SQL Server Express for a secondary site if SQL Server Express is installed by Configuration Manager.
176

Configuration

More information

Database collation

At each site, both the instance of SQL Server that is used for the site database and the site database must use the following collation: SQL_Latin1_General_CP1_CI_AS. Note Configuration Manager supports two exceptions to this collation to meet standards that are defined in GB18030 for use in China. For more information, see Technical Reference for International Support in Configuration Manager.

SQL Server features

Only the Database Engine Services feature is required for each site server. Note Configuration Manager database replication does not require the SQL Server replication feature.

Windows Authentication

Configuration Manager requires Windows authentication to validate connections to the database. You must use a dedicated instance of SQL Server for each site. When you use a database server that is colocated with the site server, limit the memory for SQL Server to 50 to 80 percent of the available addressable system memory. When you use a dedicated SQL Server, limit the memory for SQL Server to 80 to 90 percent of the available addressable system memory. Configuration Manager requires SQL Server to reserve a minimum of 8 gigabytes (GB) of memory in the buffer pool used by an instance of SQL Server for the central administration site and primary site and a minimum of 4 gigabytes (GB) for the secondary site. This memory is reserved by using the Minimum server memory
177

SQL Server instance

SQL Server memory

Configuration

More information

setting under Server Memory Options and is configured by using SQL Server Management Studio. For more information about how to set a fixed amount of memory, see How to: Set a Fixed Amount of Memory (SQL Server Management Studio). Optional SQL Server Configurations The following configurations either support multiple choices or are optional on each database server with a full SQL Server installation.
Configuration More information

SQL Server service

On each database server, you can configure the SQL Server service to run by using a domain local account or the local system account of the computer that is running SQL Server. Use a domain user account as a SQL Server best practice. This kind of account can be more secure than the local system account but might require you to manually register the Service Principle Name (SPN) for the account. Use the local system account of the computer that is running SQL Server to simplify the configuration process. When you use the local system account, Configuration Manager automatically registers the SPN for the SQL Server service. Be aware that using the local system account for the SQL Server service is not a SQL Server best practice.

For information about SQL Server best practices, see the product documentation for the version of Microsoft SQL Server that you are using. For information about SPN configurations for Configuration Manager, see How to Manage the SPN for SQL Server Site Database Servers. For information about how to change the account that is used by the SQL Service, see How to: Change the Service
178

Configuration

More information

Startup Account for SQL Server (SQL Server Configuration Manager). SQL Server Reporting Services Required to install a reporting services point that lets you run reports. For communication to the SQL Server database engine, and for intersite replication, you can use the default SQL Server port configurations or specify custom ports: Intersite communications use the SQL Server Service Broker, which by default uses port TCP 4022. Intrasite communication between the SQL Server database engine and various Configuration Manager site system roles by default use port TCP 1433. The following site system roles communicate directly with the SQL Server database: Management point SMS Provider computer Reporting Services point Site server

SQL Server ports

When a SQL Server hosts a database from more than one site, each database must use a separate instance of SQL Server, and each instance must be configured to use a unique set of ports. Warning Configuration Manager does not support dynamic ports. Because SQL Server named instances by default use dynamic ports for connections to the database engine, when you use a named instance, you must manually configure the static port that you want to use for intrasite communication. If you have a firewall enabled on the computer that is running SQL Server, make sure that it is configured to allow the ports that are being
179

Configuration

More information

used by your deployment and at any locations on the network between computers that communicate with the SQL Server. For an example of how to configure SQL Server to use a specific port, see How to: Configure a Server to Listen on a Specific TCP Port (SQL Server Configuration Manager) in the SQL Server TechNet library.

Function-Specific Requirements
The following sections identify function-specific requirements for Configuration Manager. Application Management For devices that run the Windows Mobile operating system, Configuration Manager only supports the Uninstall action for applications on Windows Mobile 6.1.4 or later versions. Operating System Deployment Configuration Manager requires several prerequisites to support deploying operating systems. The following prerequisites are required on the site server of each central administration site or primary site before you can install the site, even when you do not plan to use operating system deployments: For Configuration Manager with no service pack: Automated Installation Kit (Windows AIK) For Configuration Manager with service pack 1: Windows Assessment and Deployment Kit (Windows ADK)

For more information about prerequisites for operating system deployment, see the Prerequisites For Deploying Operating Systems in Configuration Manager topic in the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide. Out of Band Management System Center 2012 Configuration Manager supports out of band management for computers that have the following Intel vPro chip sets and Intel Active Management Technology (Intel AMT) firmware versions: Intel AMT version 3.2 with a minimum revision of 3.2.1 Intel AMT version 4.0, version 4.1, and version 4.2 Intel AMT version 5.0 and version 5.2 with a minimum revision of 5.2.10 Intel AMT version 6.0 and version 6.1 AMT provisioning is not supported on AMT-based computers that are running any version of Windows Server, Windows XP with SP2, or Windows XP Tablet PC Edition.
180

The following limitations apply:

Out of band communication is not supported to an AMT-based computer that is running the Routing and Remote Access service in the client operating system. This service runs when Internet Connection Sharing is enabled, and the service might be enabled by line of business applications. The out of band management console is not supported on workstations running Windows XP on versions earlier than Service Pack 3.

For more information about out of band management in Configuration Manager, see Introduction to Out of Band Management in Configuration Manager. Remote Control Viewer The Configuration Manager remote control viewer is not supported on Windows Server 2003 or Windows Server 2008 operating systems. Software Center and the Application Catalog The minimal screen resolution supported for client computers to run Software Center and the Application Catalog is 1024 by 768. The following web browsers are supported for use with the Software Center and Application Catalog: Internet Explorer 7 Internet Explorer 8 Internet Explorer 9 Internet Explorer 10 Firefox 15 Note The Software Center and Application Catalog do not support web browsers that connect from computers that run Windows Server Core 2008.

Support for Active Directory Domains

All System Center 2012 Configuration Manager site systems must be members of a Windows Active Directory domain that has a domain functional level of Windows 2000, Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2. Note If you configure discovery to filter and remove stale computer records, the Active Directory domain functional level must be a minimum of Windows Server 2003. This requirement includes site systems that support Internet-based client management in a perimeter network (also known as DMZ, demilitarized zone, and screened subnet). The following are limitations for site systems: Configuration Manager does not support the change of domain membership, domain name, or computer name of a Configuration Manager site system after the site system is installed.

Configuration Manager client computers can be domain members, or workgroup members.

181

The following sections contain additional information about domain structures and requirements for Configuration Manager. Active Directory Schema Extensions Configuration Manager Active Directory schema extensions provide benefits for Configuration Manager sites. However, they are not required for all Configuration Manager functions. For more information about Active Directory schema extension considerations, see Determine Whether to Extend the Active Directory Schema for Configuration Manager. If you have extended your Active Directory schema for Configuration Manager 2007, you do not have to update your schema for System Center 2012 Configuration Manager. You can update the Active Directory schema before or after you install Configuration Manager. Schema updates do not interfere with an existing Configuration Manager 2007 sites or clients. For more information about how to extend the Active Directory schema for System Center 2012 Configuration Manager, see the Prepare Active Directory for Configuration Manager section in the Prepare the Windows Environment for Configuration Manager topic. Disjoint Namespaces Except for out of band management, Configuration Manager supports installing site systems and clients in a domain that has a disjoint namespace. Note For more information about namespace limitations for when you manage AMT-based computers out of band, see Prerequisites for Out of Band Management in Configuration Manager. A disjoint namespace scenario is one in which the primary Domain Name System (DNS) suffix of a computer does not match the Active Directory DNS domain name where that computer resides. The computer that uses the primary DNS suffix that does not match is said to be disjoint. Another disjoint namespace scenario occurs if the NetBIOS domain name of a domain controller does not match the Active Directory DNS domain name. The following table identifies the supported scenarios for a disjoint namespace.
Scenario More information

Scenario 1:

In this scenario, the primary DNS suffix of the The primary DNS suffix of the domain controller domain controller differs from the Active Directory DNS domain name. The domain differs from the Active Directory DNS domain controller is disjoint in this scenario. Computers name. Computers that are members of the that are members of the domain, such as site domain can be either disjoint or not disjoint. servers and computers, can have a primary DNS suffix that either matches the primary DNS suffix of the domain controller or matches the Active Directory DNS domain name. Scenario 2: In this scenario, the primary DNS suffix of a
182

Scenario

More information

A member computer in an Active Directory domain is disjoint, even though the domain controller is not disjoint.

member computer on which a site system is installed differs from the Active Directory DNS domain name, even though the primary DNS suffix of the domain controller is the same as the Active Directory DNS domain name. In this scenario, you have a domain controller that is not disjoint and a member computer that is disjoint. Member computers that are running the Configuration Manager client can have a primary DNS suffix that either matches the primary DNS suffix of the disjoint site system server or matches the Active Directory DNS domain name.

To allow a computer to access domain controllers that are disjoint, you must change the msDSAllowedDNSSuffixes Active Directory attribute on the domain object container. You must add both of the DNS suffixes to the attribute. In addition, to make sure that the DNS suffix search list contains all DNS namespaces that are deployed within the organization, you must configure the search list for each computer in the domain that is disjoint. Include in the list of namespaces the primary DNS suffix of the domain controller, the DNS domain name, and any additional namespaces for other servers with which Configuration Manager might interoperate. You can use the Group Policy Management console to configure the Domain Name System (DNS) suffix search list. Important When you reference a computer in Configuration Manager, enter the computer by using its Primary DNS suffix. This suffix should match the Fully Qualified Domain Name registered as the dnsHostName attribute in the Active Directory domain and the Service Principal Name associated with the system. Single Label Domains Except for out of band management, Configuration Manager supports site systems and clients in a single label domain when the following criteria are met: The single label domain in Active Directory Domain Services must be configured with a disjoint DNS namespace that has a valid top level domain. For example: The single label domain of Contoso is configured to have a disjoint namespace in DNS of contoso.com. Therefore, when you specify the DNS suffix in Configuration Manager for a computer in the Contoso domain, you specify Contoso.com and not Contoso. DCOM connections between site servers in the system context must be successful by using Kerberos authentication. Note
183

For more information about namespace limitations for when you manage AMT-based computers out of band, see Prerequisites for Out of Band Management in Configuration Manager.

Windows Environment
The following sections contain general support configuration information for System Center 2012 Configuration Manager. Support for Internet Protocol Version 6 Configuration Manager supports Internet Protocol version 6 (IPv6) in addition to Internet Protocol version 4 (IPv4). The following table lists the exceptions.
Function Exception to IPv6 support

Network Discovery

IPv4 is required when you configure a DHCP server to search in Network Discovery. IPv4 is required to support out of band management. IPv4 is required to support the Configuration Manager client on Windows CE devices. IPv4 is required to support mobile devices that are enrolled by Windows Intune and the Windows Intune connector. IPv4 is required to support Windows Azure and cloud-based distribution points. IPv4 is required to support the client wake-up proxy packets.

Out of band management

Windows CE

Mobile devices that are enrolled by Windows Intune and the Windows Intune connector Cloud-based distribution points

Wake-up proxy communication

Support for Specialized Storage Technology Configuration Manager works with any hardware that is certified on the Windows Hardware Compatibility List for the version of the operating system that the Configuration Manager component is installed on. Site Server roles require NTFS file systems so that directory and file permissions can be set. Because Configuration Manager assumes that it has complete ownership of a logical drive, site systems that run on separate computers cannot share a logical partition on any storage technology. However, each computer can use a separate logical partition on the same physical partition of a shared storage device. Support considerations for the listed storage technologies: Storage Area Network: A Storage Area Network (SAN) is supported when a supported Windows-based server is attached directly to the volume that is hosted by the SAN.
184

Single Instance Storage: Configuration Manager does not support configuration of distribution point package and signature folders on a Single Instance Storage (SIS)-enabled volume. Additionally, the cache of a Configuration Manager client is not supported on a SIS-enabled volume. Note Single Instance Storage (SIS) is a feature of the Windows Storage Server 2003 R2 operating system.

Removable Disk Drive: Configuration Manager does not support install of Configuration Manager site system or clients on a removable disk drive.

Support for Computers in Workgroups System Center 2012 Configuration Manager provides support for clients in workgroups. Configuration Manager supports moving a client from a workgroup to a domain or from a domain to a workgroup. For more information, see How to Install Configuration Manager Clients on Workgroup Computers All System Center 2012 Configuration Manager site systems must be members of a supported Active Directory domain. This requirement includes site systems that support Internet-based client management in a perimeter network (also known as DMZ, demilitarized zone, and screened subnet). Support for Virtualization Environments Configuration Manager supports client installation and all site server roles in the following virtualization environments:
Virtualization environment Configuration Manager version

Windows Server 2008

Configuration Manager with no service pack Configuration Manager with SP1 Configuration Manager with no service pack Configuration Manager with SP1 Configuration Manager with no service pack Configuration Manager with SP1 Configuration Manager with no service pack Configuration Manager with SP1 Configuration Manager with no service pack
185

Microsoft Hyper-V Server 2008

Windows Server 2008 R2

Microsoft Hyper-V Server 2008 R2

Windows Server 2008

Virtualization environment

Configuration Manager version

Microsoft Hyper-V Server 2008 Windows Server 2012 Microsoft Hyper-V Server 2012

Configuration Manager with SP1 Configuration Manager with no service pack Configuration Manager with SP1 Configuration Manager with SP1 Configuration Manager with SP1

Each virtual computer that you use must meet or exceed the same hardware and software configuration that you would use for a physical Configuration Manager computer. You can validate that your virtualization environment is supported for Configuration Manager by using the Server Virtualization Validation Program and its online Virtualization Program Support Policy Wizard. For more information about the Server Virtualization Validation Program, see Windows Server Virtualization Validation Program. Note Configuration Manager does not support Virtual PC or Virtual Server guest operating systems that run on a Mac. Configuration Manager cannot manage virtual machines unless they are online. An offline virtual machine image cannot be updated nor can inventory be collected by using the Configuration Manager client on the host computer. No special consideration is given to virtual machines. For example, Configuration Manager might not determine whether an update has to be re-applied to a virtual machine image if the virtual machine is stopped and restarted without saving the state of the virtual machine to which the update was applied. Support for Network Address Translation Network Address Translation (NAT) is not supported in Configuration Manager, unless the site supports clients that are on the Internet and the client detects that it is connected to the Internet. For more information about Internet-based client management, see the Planning for InternetBased Client Management section in the Planning for Communications in Configuration Manager topic. DirectAccess Feature Support Configuration Manager supports the DirectAccess feature in Windows Server 2008 R2 for communication between site system servers and clients. When all the requirements for DirectAccess are met, by using this feature, Configuration Manager clients on the Internet can communicate with their assigned site as if they were on the intranet. For server-initiated actions, such as remote control and client push installation, the initiating computer (such as the site server) must be running IPv6, and this protocol must be supported on all intervening networking devices.
186

Configuration Manager does not support the following over DirectAccess: Deploying operating systems Communication between Configuration Manager sites Communication between Configuration Manager site system servers within a site

BranchCache Feature Support Windows BranchCache is integrated in System Center 2012 Configuration Manager. You can configure the BranchCache settings on a deployment type for applications, on the deployment for a package, and for task sequences. When all the requirements for BranchCache are met, this feature enables clients at remote locations to obtain content from local clients that have a current cache of the content. For example, when the first BranchCache-enabled client computer requests content from a distribution point that is configured as a BranchCache server, the client computer downloads and caches the content. This content is then made available for clients on the same subnet that request this same content, and these clients also cache the content. In this manner, successive clients on the same subnet do not have to download content from the distribution point, and the content is distributed across multiple clients for future transfers. To support BranchCache with Configuration Manager, add the Windows BranchCache feature to the site system server that is configured as a distribution point. System Center 2012 Configuration Manager distribution points on servers configured to support BranchCache require no additional configuration. Note With Configuration Manager SP1, cloud-based distribution points support the download of content by clients that are configured for Windows BranchCache. To use BranchCache, the clients that can support BranchCache must be configured for BranchCache distributed mode, and the operating system setting for BITS client settings must be enabled to support BranchCache. The following table lists the Configuration Manager client operating systems that are supported with Windows BranchCache and identifies for each operating system if BranchCache distributed mode is supported natively by the operating system, or if the operating system requires the addition of the BITS 4.0 release.
Operating system Support details
1

Windows Vista with SP2 Windows 7 with SP1 Windows 8

Requires BITS 4.0 Supported by default Supported by default

1

Windows Server 2008 with SP2

Requires BITS 4.0 Supported by default

187

Windows Server 2008 R2 with no service pack,

Operating system

Support details

with SP1, or with SP2 Windows Server 2012

1

Supported by default

On this operating system, the BranchCache client functionality is not supported for software distribution that is run from the network or for SMB file transfers. Additionally, this operating system cannot use BranchCache functionality with cloud-based distribution points. You can install the BITS 4.0 release on Configuration Manager clients by using software updates or software distribution. For more information about the BITS 4.0 release, see Windows Management Framework. For more information about BranchCache, see BranchCache for Windows in the Windows Server documentation. Fast User Switching Fast User Switching, available in Windows XP in workgroup computers, is not supported in System Center 2012 Configuration Manager. Fast User Switching is supported for computers that are running Windows Vista or later versions. Dual Boot Computers System Center 2012 Configuration Manager cannot manage more than one operating system on a single computer. If there is more than one operating system on a computer that must be managed, adjust the discovery and installation methods that are used to ensure that the Configuration Manager client is installed only on the operating system that has to be managed.

Supported Upgrade Paths for Configuration Manager

The following sections identify the upgrade options for System Center 2012 Configuration Manager, the operating system version of site servers and clients, and the SQL Server version of database servers. Upgrade Configuration Manager The following table lists the versions of System Center 2012 Configuration Manager, and the supported upgrade paths between versions.
Configuration Manager version Release options Supported Upgrade Paths More information

System Center 2012 Configuration Manager

An evaluation release that expires 180 days after installation. A complete

System Center 2012 Configuration Man ager evaluation release

You can install System Center 2012 Configuration Manager as either a full installation, or as a trial installation. If you install
188

Configuration Manager version

Release options

Supported Upgrade Paths

More information

release, to perform a new installation.

Configuration Manager as a trial installation, after 180 days, you can only connect a readonly Configuration Manager console and Configuration Manager functionality is limited. At any time before or after the 180 day period, you have the option to upgrade the trial installation to a full installation. System Center 2012 Configuration Manager supports migration of your Configuration Manager 2007 infrastructure but does not support an inplace upgrade of sites from Configuration Manager 2007. However, migration supports the upgrade of a Configuration Manager 2007 distribution point, or secondary site that is co-located with a distribution point, to a System Center 2012 Configuration Manager distribution point. For more information about migration, see Migrating Hierarchies in System Center 2012 Configuration Manager.
189

Configuration Manager version

Release options

Supported Upgrade Paths

More information

System Center 2012 Configuration Manager SP1

An evaluation release that expires 180 days after installation. A complete release, to perform a new installation. An upgrade from System Center 2012 Configuration M anager.

System Center 2012 Configuration Man ager SP1 evaluation release System Center 2012 Configuration Man ager with no service pack

You can install System Center 2012 Configuration Manager SP1 as a trial installation, a full install, or as an upgrade to existing infrastructure that runs System Center 2012 Configuration Manager with no service pack. However, an upgrade Configuration Manager 2007 to System Center 2012 Configuration Manager SP1 is not supported. If you install Configuration Manager as a trial installation, after 180 days you can only connect a readonly Configuration Manager console and Configuration Manager functionality is limited. At any time before or after the 180 day period, you have the option to upgrade the trial installation to a full installation. System Center 2012 Configuration Manager SP1 supports migration from Configuration Manager 2007 and System Center 2012 Configuration Manager SP1.
190

Configuration Manager version

Release options

Supported Upgrade Paths

More information

For more information about migration, see Migrating Hierarchies in System Center 2012 Configuration Manager.

Infrastructure Upgrade for Configuration Manager In addition to upgrading the version of System Center 2012 Configuration Manager you use for sites, Configuration Manager clients and Configuration Manager consoles, you can upgrade the operating systems that run Configuration Manager site servers, database servers, site system servers, and clients. The information in the following sections can help you upgrade the infrastructure for Configuration Manager. Upgrade of the Site Server Operating System Configuration Manager supports an in-place upgrade of the operating system of the site server in the following situations: In-place upgrade to a higher Windows Server service pack as long as the resulting service pack level remains supported by Configuration Manager. Any version of Windows Server 2008 to any version of Windows Server 2008 R2. Any version of Windows Server 2008 to any version of Windows Server 2012. Any version of Windows Server 2008 R2 to any version of Windows Server 2012.

Configuration Manager does not support the following Windows Server upgrade scenarios.

When a direct operating system upgrade is not supported, perform one of the following procedures after you have installed the new operating system: Install System Center 2012 Configuration Manager with the service pack level that you want, and configure the site according to your requirements. Install System Center 2012 Configuration Manager with the service pack level that you want and perform a site recovery. This scenario requires you to have a site backup that was created by using the Backup Site Server maintenance task on the original Configuration Manager site, and that you use the same installation settings for the new System Center 2012 Configuration Manager site.

Client Operating System Upgrade Configuration Manager supports an in-place upgrade of the operating system for Configuration Manager clients in the following situations: In-place upgrade to a higher Windows Server service pack as long as the resulting service pack level remains supported by Configuration Manager.

191

SQL Server Upgrade for the Site Database Server Configuration Manager supports an in-place upgrade of SQL Server from a supported version of SQL on the site database server. The following sections provide information about the different upgrade scenarios supported by Configuration Manager and any requirements for each scenario. Upgrade of the Service Pack Version of SQL Server Configuration Manager supports the in-place upgrade of SQL Server to a higher service pack as long as the resulting SQL Server service pack level remains supported by Configuration Manager. When you have multiple Configuration Manager sites in a hierarchy, each site can run a different service pack version of SQL Server, and there is no limitation to the order in which sites upgrade the service pack version of SQL Server that is used for the site database. SQL Server 2008 to SQL Server 2008 R2 Configuration Manager supports the in-place upgrade of SQL Server from SQL Server 2008 to SQL Server 2008 R2. When you have multiple Configuration Manager sites in a hierarchy, each site can run a different version of SQL Server, and there is no limitation to the order in which sites upgrade the version of SQL Server in use for the site database. SQL Server 2008 or SQL Server 2008 R2 to SQL Server 2012 For Configuration Manager SP1 only: Configuration Manager with SP1 supports the in-place upgrade of SQL Server 2008 or SQL Server 2008 R2 to SQL Server 2012 with the following limitations: Each Configuration Manager site must run service pack 1 before you can upgrade the version of SQL Server to SQL Server 2012 at any site. When you upgrade the version of SQL Server that hosts the site database at each site to SQL Server 2012, you must upgrade the SQL Server version that is used at sites in the following order: Upgrade SQL Server at the central administration site first. Upgrade secondary sites before you upgrade a secondary sites parent primary site. Upgrade parent primary sites last. This includes both child primary sites that report to a central administration site, and stand-alone primary sites that are the top-level site of a hierarchy. Important Although you upgrade the service pack version of a Configuration Manager site by upgrading the top-tier site first and then upgrading down the hierarchy, when you upgrade SQL Server to SQL Server 2012, you must use the previous sequence, upgrading the primary sites last. This does not apply to upgrades of SQL Server 2008 to SQL Server 2008 R2. To upgrade SQL Server on the site database server 1. Stop all Configuration Manager services at the site. 2. Upgrade SQL Server to a supported version.
192

3. Restart the Configuration Manager services.

See Also
Planning for Configuration Manager Sites and Hierarchy

Frequently Asked Questions for Configuration Manager

Review the following sections for some frequently asked questions about System Center 2012 Configuration Manager: The Configuration Manager Console and Collections Sites and Hierarchies Migration Security and Role-Based Administration Client Deployment and Operations Mobile Devices Remote Control Software Deployment Endpoint Protection

The Configuration Manager Console and Collections

The following frequently asked questions relate to the Configuration Manager console and collections. Does the Configuration Manager console support a 64-bit operating system? Yes. The Configuration Manager console is a 32-bit program that can run on a 32-bit version of Windows and on a 64-bit version of Windows. What is a limiting collection and why would I use it? In System Center 2012 Configuration Manager, all collections must be limited to the membership of another collection. When you create a collection, you must specify a limiting collection. A collection is always a subset of its limiting collection. For more information, see How to Create Collections in Configuration Manager. Can I include or exclude the members of another collection from my collection? Yes. System Center 2012 Configuration Manager includes two new collection rules, the Include Collections rule and the Exclude Collections rule that allow you to include or exclude the membership of specified collections. For more information, see How to Create Collections in Configuration Manager.

193

Are incremental updates supported for all collection types? No. Collections configured by using query rules that use certain classes do not support incremental updates. For a list of these classes, see How to Create Collections in Configuration Manager. What is the All Unknown Computers collection? The All Unknown Computers collection contains two objects that represent records in the Configuration Manager database so that you can deploy operating systems to computers that are not managed by Configuration Manager, and so are unknown to Configuration Manager. These computers can include the following: A computer where the Configuration Manager client is not installed A computer that is not imported into Configuration Manager A computer that is not discovered by Configuration Manager

For more information about how to deploy operating systems to unknown computers, see How to Manage Unknown Computer Deployments in Configuration Manager. Why does Install Client from the ribbon install the client to the whole collection when Ive selected a single computer but installs to the selected computer only if I right-click the computer and then select Install Client? If you choose Install Client from the ribbon when the Collection ribbon tab is selected, the client installs to all computers in the collection rather than to just the selected computer. To install the client to just the selected computer, click the Home tab on the ribbon before you click Install Client from the ribbon, or use the right-click option. How can I create a collection that contains only Mac computers, or only Linux servers? For Configuration Manager SP1 only: Because an ID for each device type (for example Windows computers, Mac computers, or Linux computers) is stored in the Configuration Manager database, you can create a collection that contains a query rule to return only devices with a specified ID. For an example query to use, see the Example WQL Queries section in the How to Create Queries in Configuration Manager topic. For information about how to create collections, see How to Create Collections in Configuration Manager. How can I create a collection of Windows 8 computers that are Always On Always Connected capable? For Configuration Manager SP1 only: Create a collection with a query-based rule. Query the attribute class System Resource and the attribute Connected Standby Capable = Yes to return computers that are Always On Always Connected capable. Why does the Configuration Manager console use HTTP to the Internet and what would stop working if this is blocked by my firewall? The Configuration Manager console uses HTTP to the Internet in two scenarios:
194

When you use the geographical view from the Site Hierarchy node in the Monitoring workspace, which uses Internet Explorer to access Bing Maps. When you use the Configuration Manager help file and click a link to view or search for information on TechNet.

If you do not require these functions, your firewall can block HTTP connections from the console without additional loss of functionality to Configuration Manager. For more information about the geographical view, see the About the Site Hierarchy Node section in the Monitor Configuration Manager Sites and Hierarchy topic.

Sites and Hierarchies

The following frequently asked questions relate to sites and hierarchies in Configuration Manager. Are there new Active Directory schema extensions for System Center 2012 Configuration Manager? No. The Active Directory schema extensions for System Center 2012 Configuration Manager are unchanged from those used by Configuration Manager 2007. If you extended the schema for Configuration Manager 2007, you do not need to extend the schema again for System Center 2012 Configuration Manager or System Center 2012 Configuration Manager SP1. Where is the documentation for Setup? See Install Sites and Create a Hierarchy for Configuration Manager. Can I upgrade a prerelease version of System Center 2012 Configuration Manager to the released version? No. Unless you were in a prerelease program that was supported by Microsoft (such as the Technology Adoption Program or the Community Evaluation Program) there is no supported upgrade path for prerelease versions of System Center 2012 Configuration Manager. For more information, see the Release Notes for System Center 2012 Configuration Manager. Can I manage SMS 2003 clients with System Center 2012 Configuration Manageror migrate SMS 2003 sites and clients to System Center 2012 Configuration Manager? No. SMS 2003 sites and SMS 2003 clients are not supported by System Center 2012 Configuration Manager. You have two choices to move these sites and clients to System Center 2012 Configuration Manager: Upgrade SMS 2003 sites and clients to Configuration Manager 2007 SP2, and then migrate them to System Center 2012 Configuration Manager. Uninstall SMS 2003 sites and clients and then install System Center 2012 Configuration Manager sites and clients.

For more information about supported upgrade paths, see the Supported Upgrade Paths section in the Supported Configurations for Configuration Manager topic.
195

For more information about migrating Configuration Manager 2007 to System Center 2012 Configuration Manager, see the Migrating Hierarchies in System Center 2012 Configuration Manager guide. Can I upgrade an evaluation version of System Center 2012 Configuration Manager? Yes. If the evaluation version is not a prerelease version of System Center 2012 Configuration Manager, you can upgrade it to the full version. For more information, see the Upgrade an Evaluation Installation to a Full Installation section in the Install Sites and Create a Hierarchy for Configuration Manager topic. Have the site types changed from Configuration Manager 2007? System Center 2012 Configuration Manager introduces changes to both primary and secondary sites while the central administration site is new site type. The central administration site replaces the primary site referred to as a central site as the top-level site of a multi-primary site hierarchy. This site does not directly manage clients but does coordinate a shared database across your hierarchy, and it is designed to provide centralized reporting and configurations for your entire hierarchy. Can I join a pre-existing site to another site in System Center 2012 Configuration Manager? In System Center 2012 Configuration Manager with no service pack, you cannot change the parent relationship of an active site. You can only add a site as a child of another site at the time you install the new site. Because the database is shared between all sites, joining a site that has already created default objects or that has custom configurations can result in conflicts with similar objects that already exist in the hierarchy. However, in System Center 2012 Configuration Manager SP1, you can expand a stand-alone primary site into a hierarchy that includes a new central administration site. For more information, see the Planning to Expand a Stand-Alone Primary Site section in the Planning for Sites and Hierarchies in Configuration Manager topic. Why cant I install a primary site as a child of another primary site as I did in Configuration Manager 2007? With System Center 2012 Configuration Manager, primary sites have changed to support only secondary sites as child sites, and the new central administration site as a parent site. Unlike Configuration Manager 2007, primary sites no longer provide a security or configuration boundary. Because of this, you should only need to install additional primary sites to increase the maximum number of clients your hierarchy can support, or to provide a local point of contact for administration. Why does Configuration Manager require SQL Server for my secondary site? In System Center 2012 Configuration Manager, secondary sites require either SQL Server, or SQL Server Express to support database replication with their parent primary site. When you install a secondary site, Setup automatically installs SQL Server Express if a local instance of SQL Server is not already installed.
196

What is database replication? Database replication uses SQL Server to quickly transfer data for settings and configurations to other sites in the Configuration Manager hierarchy. Changes that are made at one site merge with the information stored in the database at other sites. Content for deployments, and other filebased data, still replicate by file-based replication between sites. Database replication configures automatically when you join a new site to an existing hierarchy. How can I monitor and troubleshoot replication in Configuration Manager? See the Monitor Infrastructure for Configuration Manager section in the Monitor Configuration Manager Sites and Hierarchy topic. This section includes information about database replication and how to use the Replication Link Analyzer. What is Active Directory forest discovery? Active Directory Forest discovery is a new discovery method in System Center 2012 Configuration Manager that allows you to discover network locations from multiple Active Directory forests. This discovery method can also create boundaries in Configuration Manager for the discovered network locations and you can publish site data to another Active Directory forest to help support clients, sites, and site system servers in those locations. Can I provide clients with unique client agent configurations without installing additional sites? Yes. System Center 2012 Configuration Manager applies a hierarchy-wide set of default client settings (formerly called client agent settings) that you can then modify on clients by using custom client settings that you assign to collections. This creates a flexible method of delivering customized client settings to any client in your hierarchy, regardless of the site it is assigned to, or where it is located on your network. For more information, see How to Configure Client Settings in Configuration Manager. Can a site or hierarchy span multiple Active Directory forests? Configuration Manager supports site-to-site (intersite) communication when a two-way forest trust exists between the forests. Within a site, Configuration Manager supports placement of site system roles on computers in an untrusted forest. Configuration Manager also supports clients that are in a different forest from their sites site server when the site system role that they connect to is in the same forest as the client. For more information, see the Planning for Communications Across Forests in Configuration Manager section in the Planning for Communications in Configuration Manager topic. To support computers in an untrusted forest, do I have to create a new primary site and configure a two-way forest trust? No. Because System Center 2012 Configuration Manager supports installing most site system roles in untrusted forests, there is no requirement to have a separate site for this scenario, unless you have exceeded the maximum number of supported clients for a site. For more information about communications across forests, see the Planning for Communications Across Forests in Configuration Manager section in the Planning for Communications in Configuration Manager
197

topic. For more information about the number of computers that are supported, see the Site and Site System Role Scalability section in the Supported Configurations for Configuration Manager topic Tip The Application Catalog web service role and the enrollment point must be installed in the same forest as the site server. In this case, you can install the Application Catalog website point and the enrollment proxy point in the other forest, and these site system roles communicate with the site by using the Application Catalog web service role and the enrollment point, respectively. After these site system roles are installed in the other forest, they communicate with their counterpart role by using certificates (self-signed or PKI). For more information about how this communication is secured, see the Cryptographic Controls for Server Communication section in the Technical Reference for Cryptographic Controls Used in Configuration Manager topic. How do clients find management points and has this changed since Configuration Manager 2007? System Center 2012 Configuration Manager clients can find available management points by using the management point that you specify during client deployment, Active Directory Domain Services, DNS, and WINS. Clients can connect to more than one management point in a site, always preferring communication that uses HTTPS, when this is possible because the client and management point uses PKI certificates. There are some changes here since Configuration Manager 2007, which accommodate the change that clients can now communicate with more than one management point in site, and that you can have a mix of HTTPS and HTTP site system roles in the same site. For more information, see the Planning for Service Location by Clients section in the Planning for Communications in Configuration Manager topic. How do I configure my sites for native-mode? System Center 2012 Configuration Manager has replaced the native mode site configuration in Configuration Manager 2007 with individual site system role configurations that accept client communication over HTTPS or HTTP. Because you can have site system roles that support HTTPS and HTTP in the same site, you have more flexibility in how you introduce PKI to secure the intranet client endpoints within the hierarchy. Clients over the Internet and mobile devices must use HTTPS connections. For more information, see the Planning a Transition Strategy for PKI Certificates and InternetBased Client Management section in the Planning for Security in Configuration Manager topic. Where are the supported scenarios and network diagrams for Internet-based client management that you had for Configuration Manager 2007? Unlike Configuration Manager 2007, there are no design restrictions to support clients on the Internet, providing you meet the requirements in the Planning for Internet-Based Client Management section in the Planning for Communications in Configuration Manager topic.
198

Because of the following improvements, you can more easily support clients on the Internet to fit your existing infrastructure: The whole site does not have to be using HTTPS client connections Support for installing most site system roles in another forest Support for multiple management points in a site

If you use multiple management points and dedicate one or more for client connections from the Internet, you might want to consider using database replicas for management points. For more information, see Configure Database Replicas for Management Points. Do I have to configure my site for Internet-based client management before I can use cloud-based distribution points in Configuration Manager SP1? No. Although both configurations use the Internet, they are independent from each other. Clients on the intranet can use cloud-based distribution points and these clients do not require a PKI client certificate. However, you still require PKI certificates if you want to use cloud-based distribution points; one for the Windows Azure management certificate that you install on the site system server that hosts the cloud-based distribution points, and one for the cloud-based distribution point service certificate that you import when you configure the cloud-based distribution point. For more information about the PKI certificate requirements for Internet-based client management and for cloud-based distribution points, see PKI Certificate Requirements for Configuration Manager. For more information about cloud-based distribution points, see the Planning for Cloud-Based Distribution Points section in the Planning for Content Management in Configuration Manager topic. Why isnt the site system role that I want available in the Add Site System Roles Wizard? Configuration Manager supports some site system roles only at specific sites in a hierarchy, and some site system roles have other limitations as to where and when you can install them. When Configuration Manager does not support the installation of a site system role, it is not listed in the wizard. For example, the Endpoint Protection point cannot be installed in a secondary site, or in a primary site if you have a central administration site. So if you have a central administration site, you will not see the Endpoint Protection point listed if you run the Add Site System Roles Wizard on a primary site. Other examples include you cannot add a second management point to a secondary site, and you cannot add a management point or distribution point to a central administration site. In addition, in Configuration Manager SP1, you do not see the Windows Intune connector listed as an available site system role until you have created the Windows Intune subscription. For more information about how to create the subscription, see How to Manage Mobile Devices by Using the Windows Intune Connector in Configuration Manager. For more information about which site system roles can be installed where, see the Planning Where to Install Sites System Roles in the Hierarchy section in the Planning for Site Systems in Configuration Manager topic.
199

Where do I configure the Network Access Account? Use the following procedure to configure the Network Access Account: How to configure the Network Access Account for a site 1. In the Administration workspace, expand Site Configuration, click Sites, and then select the site. 2. On the Settings group, click Configure Site Components, and then click Software Distribution. 3. Click the Network Access Account tab, configure the account, and then click OK. What High Availability does Configuration Manager have? Configuration Manager offers a number of high availability solutions. For information, see Planning for High Availability with Configuration Manager.

Migration
The following frequently asked questions relate to migrating Configuration Manager 2007 to System Center 2012 Configuration Manager. What versions of Configuration Manager, or Systems Management Server are supported for migration? The version of System Center 2012 Configuration Manager that you use to run migration determines the versions of Configuration Manager 2007 or System Center 2012 Configuration Manager that are supported for migration: When you use System Center 2012 Configuration Manager with no service pack, Configuration Manager 2007 sites with SP2 are supported for migration. When you use System Center 2012 Configuration Manager with SP1, Configuration Manager 2007 sites with SP2 and System Center 2012 Configuration Manager sites with SP1 are supported for migration.

Configuration Manager hierarchies that have data you want to migrate are called source hierarchies. The Configuration Manager hierarchy you re migrating data into, is called the destination hierarchy. For more information about prerequisites for Migration, see Prerequisites for Migration in System Center 2012 Configuration Manager. Can I use Configuration Manager SP1 to migrate my existing System Center 2012 Configuration Manager hierarchy with no service pack to a new Configuration Manager SP1 hierarchy? No. The new functionality in Configuration Manager SP1 supports migration from an existing Configuration Manager SP1 hierarchy to another Configuration Manager SP1 hierarchy, in
200

addition to supporting migration from Configuration Manager 2007 SP2 to Configuration Manager SP1. For more information about the new migration functionality, see Introduction to Migration in System Center 2012 Configuration Manager. Why cant I upgrade my existing Configuration Manager 2007 sites to System Center 2012 Configuration Manager sites? Several important changes introduced with System Center 2012 Configuration Manager prevent an in-place upgrade; however, System Center 2012 Configuration Manager does support migration from Configuration Manager 2007 with a side-by-side deployment. For example, System Center 2012 Configuration Manager is native 64 bit application with a database that is optimized for Unicode and that is shared between all sites. Additionally, site types and site relationships have changed. These changes, and others, mean that many existing hierarchy structures cannot be upgraded. For more information, see Migrating Hierarchies in System Center 2012 Configuration Manager. Do I have to migrate my entire Configuration Manager 2007 hierarchy or System Center 2012 Configuration Manager hierarchy at one time? Typically, you will migrate data from a Configuration Manager 2007 or System Center 2012 Configuration Manager hierarchy (the source hierarchy) over a period of time that you define. During the period of migration, you can continue to use your source hierarchy to manage clients that have not migrated to your new System Center 2012 Configuration Manager hierarchy (the destination hierarchy). Additionally if you update an object in the source hierarchy after you have migrated that object to your destination hierarchy, you can re-migrate that object again up until you decide to complete your migration. After I migrate software and packages from a Configuration Manager 2007 hierarchy, do I have to use the new application model? When you migrate a Configuration Manager 2007 package to System Center 2012 Configuration Manager, it remains a package after migration. If you want to deploy the software and packages that migrate from your Configuration Manager 2007 hierarchy by using the new application model, you can use Microsoft System Center Configuration Manager Package Conversion Manager to convert them into System Center 2012 Configuration Manager applications. For more information, see Configuration Manager Package Conversion Manager. Why cant I migrate inventory history or compliance data for my clients? This type of information is easily recreated by an active client when it sends data to its new site in the destination hierarchy. Typically, it is only the current information from each client that provides useful information. To retain access to historical inventory information you can keep a Configuration Manager 2007 or System Center 2012 Configuration Manager source site active until the historical data is no longer required.

201

Why must I assign a site in my new hierarchy as a content owner for migrated content? When you assign a site in the destination hierarchy to own the content, you are selecting the site that maintains that content in the destination hierarchy. Because the site that owns the content is responsible for monitoring the source files for changes, plan to specify a site that is near to the source file location on the network. When you migrate content between a source and destination hierarchy, you are really migrating the metadata about that content. The content itself might remain hosted on a shared distribution point during migration, or on a distribution point that you will upgrade or reassign to the destination hierarchy. What are shared distribution points and why cant I use them after migration has finished? Shared distribution points are distribution points at sites in the source hierarchy that can be used by clients in the destination herarchy during the migration period. A distribution point can be shared only when the source hierarchy that contains the distribution point remains the active source hierarchy and distribution point sharing is enabled for the source site that contains the distribution point. Sharing distribution points ends when you complete migration from the source hierarchy. How can I avoid redistributing content that I migrate to a System Center 2012 Configuration Manager hierarchy? System Center 2012 Configuration Manager can upgrade supported distribution points from Configuration Manager 2007 source hierarchies, and reassign supported distribution points from System Center 2012 Configuration Manager source hierarchies. When you upgrade or reassign a shared distribution point, the distribution point site system role and the distribution point computer are removed from the source hierarchy, and installed as a distribution point at a site you select in the destination hierarchy. This process allows you to maintain your existing distribution points with minimal effort or disruption to your network. For more information, see Planning a Content Deployment Migration Strategy in System Center 2012 Configuration Manager. You can also use the prestage option for System Center 2012 Configuration Manager distribution points to reduce the transfer of large files across low-bandwidth network connections. For more information, see the Prestaging Content section in the Introduction to Content Management in Configuration Manager topic. Can I perform an in-place upgrade of a Configuration Manager 2007 distribution point (including a branch distribution point) to a System Center 2012 Configuration Manager distribution point? You can perform an in-place upgrade of a Configuration Manager 2007 distribution point that preserves all content during the upgrade. This includes an upgrade of a distribution point on a server share, a branch distributing point, or standard distribution point.

202

Can I perform an in-place upgrade of a Configuration Manager 2007 secondary site to a System Center 2012 Configuration Manager distribution point? You can perform an in-place upgrade of a Configuration Manager 2007 secondary site to a System Center 2012 Configuration Manager distribution point. During the upgrade, all migrated content is preserved. What happens to the content when I upgrade a Configuration Manager 2007 secondary site or distribution point to a System Center 2012 Configuration Manager distribution point? During the upgrade to a System Center 2012 Configuration Manager distribution point, all migrated content is copied and then converted to the single instance store. When you migrate to a hierarchy that runs System Center 2012 Configuration Manager with no service pack, the original Configuration Manager 2007 content remains on the server until it is manually removed. However, when you migrate to a hierarchy that runs System Center 2012 Configuration Manager SP1, the original Configuration Manager 2007 content is removed after the copy of the content is converted. Can I combine more than one Configuration Manager 2007 or System Center 2012 Configuration Manager hierarchy in a single System Center 2012 Configuration Manager hierarchy? You can migrate data from more than one source hierarchy, and the source hierarchies do not need to be the same version as each other. This means you can migrate from one or more Configuration Manager 2007 hierarches, one or more System Center 2012 Configuration Manager hierarchies, and from one or more hierarchies that each run a different version of Configuration Manager. However, you can only migrate from one hierarchy at a time. You can migrate the hierarchies in any order. However, you cannot migrate data from multiple hierarchies that use the same site code. If you try to migrate data from a site that uses the same site code as a migrated site, or that uses the same site code as a site in your destination hierarchy, this corrupts the data in the System Center 2012 Configuration Manager database. What Configuration Manager 2007 hierarchy can I use as a source hierarchy? System Center 2012 Configuration Manager supports migrating a Configuration Manager 2007 environment that is at a minimum of Service Pack 2. For more information, see Prerequisites for Migration in System Center 2012 Configuration Manager. What objects can I migrate? The list of objects you can migrate depends on the version of your source hierarchy. You can migrate most objects from Configuration Manager 2007 to System Center 2012 Configuration Manager, including the following: Advertisements Boundaries Collections Configuration baselines and configuration items Operating system deployment boot images, driver packages, drivers, images, and packages
203

Software distribution packages Software metering rules Software update deployment packages and templates Software update deployments Software update lists Task sequences Virtual application packages

When you migrate between System Center 2012 Configuration Manager hierarchies, the list is similar, and includes objects that are only available in System Center 2012 Configuration Manager, such as Applications. For more information, see Objects That Can Migrate by Migration Job Type Can I migrate maintenance windows? Yes. When a collection migrates, Configuration Manager also migrates collection settings, which includes maintenance windows and collection variables. However, collection settings for AMT provisioning do not migrate. Will advertisements rerun after they are migrated? No. Clients that you upgrade from Configuration Manager 2007 will not rerun advertisements that you migrate. System Center 2012 Configuration Manager retains the Configuration Manager 2007 Package ID for packages you migrate and clients that upgrade retain their advertisement history.

Security and Role-Based Administration

The following frequently asked questions relate to security and role-based administration in Configuration Manager. Where is the documentation for role-based administration? Because role-based administration is integrated into the configuration of the hierarchy and management functions, there is no separate documentation section for role-based administration. Instead, information is integrated throughout the documentation library. For example, information about planning and configuring role-based administration is in the Planning for Security in Configuration Manager topic and the Configuring Security for Configuration Manager topic in the Site Administration for System Center 2012 Configuration Manager guide and the Security and Privacy for System Center 2012 Configuration Manager guide. The Configuration Manager console lists the description of each role-based security role that is installed with Configuration Manager, and the minimum permissions and suitable security roles for each management function is included as a prerequisite in the relevant topic. For example,
204

Prerequisites for Application Management in Configuration Manager in the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide list the minimum security permissions to manage and to deploy applications, and the security roles that meet these requirements. What is the minimum I have to configure if I dont want to use rol e-based administration while Im testing System Center 2012 Configuration Manager? If you install System Center 2012 Configuration Manager, there is no additional configuration because the Active Directory user account used to install Configuration Manager is automatically assigned to the Full Administrator security role, assigned to All Scopes, and has access to the All Systems and All Users and User Groups collections. However, if you want to provide full administrative permissions for other Active Directory users to access System Center 2012 Configuration Manager, create new administrative users in Configuration Manager using their Windows accounts and then assign them to the Full Administrator security role. How can I partition security with System Center 2012 Configuration Manager? Unlike Configuration Manager 2007, sites no longer provide a security boundary. Instead, use role-based administration security roles to configure the permissions different administrative users have, and security scopes and collections to define the set of objects they can view and manage. These settings can be configured at a central administration site or any primary site and are enforced at all sites throughout the hierarchy. Should I use security groups or user accounts to specify administrative users? As a best practice, specify a security group rather than user accounts when you configure administrative users for role-based administration. Can I deny access to objects and collections by using role-based administration? Role-based administration does not support an explicit deny action on security roles, security scopes, or collections assigned to an administrative user. Instead, configure security roles, security scopes, and collections to grant permissions to administrative users. If users do not have permissions to objects by use of these role-based administration elements, they might have only partial access to some objects, for example they might be able to view, but not modify specific objects. However, you can use collection membership to exclude collections from a collection that is assigned to an administrative user. How do I find which object types can be assigned to security roles? Run the report Security for a specific or multiple Configuration Manager objects to find the object types that can be assigned to security roles. Additionally you can view the list of objects for a security role by viewing the security roles Properties and selecting the Permissions tab.

205

Can I use security scopes to restrict which distribution points are shown in the Distribution Status node in the Monitoring workspace? No, although you can configure role-based administration and security scopes so that administrative users can distribute content to selected distribution points only, Configuration Manager always displays all distribution points in the Monitoring workspace.

Client Deployment and Operations

The following frequently asked questions relate to deploying and managing clients on computers and mobile devices in Configuration Manager. Does System Center 2012 Configuration Manager support the same client installation methods as Configuration Manager 2007? Yes. System Center 2012 Configuration Manager supports the same client installation methods that Configuration Manager 2007 supports: client push, software update-based, group policy, manual, logon script, and image-based. For more information, see How to Install Clients on Windows-Based Computers in Configuration Manager. Whats the minimum permission an administrative user requires for the Client Push Installation Wizard? To install a Configuration Manager client by using the Client Push Installation Wizard, the administrative user must have at least the Modify resource permission. Whats the difference between upgrading clients by using the supplied package definition file and a package and program, and using automatic client upgrade that also uses a package and program? When you create a package and program to upgrade Configuration Manager clients, this installation method is designed to upgrade existing System Center 2012 Configuration Manager clients. You can control which distribution points hosts the package and the client computers that install the package. This installation method supports only System Center 2012 Configuration Manager clients and cannot upgrade Configuration Manager 2007 clients. In comparison, the automatic client upgrade method automatically creates the client upgrade package and program and this installation method can be used with Configuration Manager 2007 clients as well as System Center 2012 Configuration Manager clients. The package is automatically distributed to all distribution points in the hierarchy and the deployment is sent to all clients in the hierarchy for evaluation. This installation method supports System Center 2012 Configuration Manager clients and Configuration Manager 2007 clients that are assigned to a System Center 2012 Configuration Manager site. Because you cannot restrict which distribution points are sent the upgrade package or which clients are sent the deployment, use automatic client upgrade with caution and do not use it as your main method to deploy the client software.

206

For more information, see How to Upgrade Configuration Manager Clients by Using a Package and Program and How to Automatically Upgrade the Configuration Manager Client for the Hierarchy in the How to Install Clients on Windows-Based Computers in Configuration Manager topic. Do references to devices in System Center 2012 Configuration Manager mean mobile devices? The term device in System Center 2012 Configuration Manager applies to a computer or a mobile device such as a Windows Mobile Phone. How does System Center 2012 Configuration Manager support clients in a VDI environment? For information about supporting clients for a virtual desktop infrastructure (VDI), see the Considerations for Managing the Configuration Manager Client in a Virtual Desktop Infrastructure (VDI) section in the Introduction to Client Deployment in Configuration Manager topic. Why might there be differences between a clients assigned, installed, and resident site values when I look at the client properties in the Configuration Manager console? A clients assigned site is the primary site that creates the client policy to manage the device. Clients are always assigned to primary sites, even if they roam into another primary site or reside within the boundaries of a secondary site. The clients installed site refers to the site that sent the client the client installation files to run CCMSetup.exe. For example, if you used the Client Push Installation Wizard, you can specify Install the client software from a specified site and select any site in the hierarchy. The resident site refers to the site that owns the boundaries that the client currently resides in. For example, this might be a secondary site of the clients primary site. Or, it might be another primary site if the client is roaming and temporarily connected to a network that belongs to another site in the hierarchy. Is it true that System Center 2012 Configuration Manager has a new client health solution? Yes, client status is new in System Center 2012 Configuration Manager and allows you to monitor the activity of clients and check and remediate various problems that can occur. How do I find out what client health checks Configuration Manager makes and can I add my own? Review the checks that client health makes in the section Monitoring the Status of Client Computers in Configuration Manager in the topic Introduction to Client Deployment in Configuration Manager. You can use compliance settings in Configuration Manager to check for additional items that you consider required for the health of your clients. For example, you might check for specific registry key entries, files, and permissions. What improvements have you made for Internet-based client management? Configuration Manager contains many improvements since Configuration Manager 2007 to help you manage clients when they are on the Internet: Configuration Manager supports a gradual transition to using PKI certificates, and not all clients and site systems have to use PKI certificates before you can manage clients on the
207

Internet. For more information, see Planning a Transition Strategy for PKI Certificates and Internet-Based Client Management. The certificate selection process that Configuration Manager uses is improved by using a certificate issuers list. For more information, see Planning for the PKI Trusted Root Certificates and the Certificate Issuers List. Although deploying an operating system is still not supported over the Internet, you can deploy generic task sequences for clients that are on the Internet. If the Internet-based management point can authenticate the user, user polices are now supported when clients are on the Internet. This functionality supports user-centric management and user device affinity for when you deploy applications to users. Configuration Manager Internet-based clients on the Internet first try to download any required software updates from Microsoft Update, rather than from an Internet-based distribution point in their assigned site. Only if this fails, will they then try to download the required software updates from an Internet-based distribution point.

What is the difference between Internet-based client management and DirectAccess? DirectAccess is a Windows solution for managing domain computers when they move from the intranet to the Internet. This solution requires the minimum operating systems of Windows Server 2008 R2 and Windows 7 on clients. Internet-based client management is specific to Configuration Manager, and it allows you to manage computers and mobile devices when they are on the Internet. The Configuration Manager clients can be on workgroup computers and never connect to the intranet, and they can also be mobile devices. The Configuration Manager solution works for all operating system versions that are supported by Configuration Manager. Both solutions require PKI certificates on clients and servers. However, DirectAccess requires a Microsoft enterprise certification authority, whereas Configuration Manager can use any PKI certificate that meets the requirements documented in PKI Certificate Requirements for Configuration Manager. Not all Configuration Manager features are supported for Internet-based client management. For more information, see the Planning for Internet-Based Client Management section in the Planning for Communications in Configuration Manager topic. In comparison, because a client that connects over DirectAccess behaves as if it is on the intranet, all features, with the exception of deploying an operating system, are supported by Configuration Manager. Warning Some Configuration Manager communications are server-initiated, such as client push installation and remote control. For these connections to succeed over DirectAccess, the initiating computer on the intranet and all intervening network devices must support IPv6. For support information about how Configuration Manager supports DirectAccess, see the DirectAccess Feature Support section in the Supported Configurations for Configuration Manager topic.

208

Can I install the Configuration Manager client on my Windows Embedded devices that have very small disks? Probably. You can reduce the disk space required to install the Configuration Manager client by using customized settings, such as excluding installation files that the client does not require and specifying the client cache to be smaller than the default size. For more information, see the Computer Client Hardware Requirements section in the Supported Configurations for Configuration Manager topic. Where can I find information about managing vPro computers? You can manage Intel vPro computers by using out of band management in System Center 2012 Configuration Manager. For more information, see Out of Band Management in Configuration Manager in the Assets and Compliance in System Center 2012 Configuration Manager guide. I want to move my Intel AMT-based computers that I provisioned with Configuration Manager 2007 to System Center 2012 Configuration Manager. Can I use the same Active Directory security group, OU, and web server certificate template? AMT-based computers that were provisioned with Configuration Manager 2007 must have their provisioning data removed before you migrate them to System Center 2012 Configuration Manager, and then provisioned again by System Center 2012 Configuration Manager. Because of functional changes between the versions, the security group, OU, and web server certificate template have different requirements: If you used a security group in Configuration Manager 2007 for 802.1X authentication, you can continue to use this group if it is a universal security group. If it is not a universal group, you must convert it or create a new universal security group for System Center 2012 Configuration Manager. The security permissions of Read Members and Write Members for the site server computer account remain the same. The OU can be used without modification. However, System Center 2012 Configuration Manager no longer requires Full Control to this object and all child objects. You can reduce these permissions to Create Computer Objects and Delete Computer Objects on this object only. The web server certificate template from Configuration Manager 2007 cannot be used in System Center 2012 Configuration Manager without modification. This certificate template no longer uses Supply in the request and the site server computer account no longer requires Read and Enroll permissions.

For more information about the security group and OU, see Step 1 in How to Provision and Configure AMT-Based Computers in Configuration Manager. For more information about the certificate requirements, see PKI Certificate Requirements for Configuration Manager and the example deployment, Deploying the Certificates for AMT. How can I tell which collections of computers have a power plan applied? There is no report in System Center 2012 Configuration Manager that displays which collections of computers have a power plan applied. However, in the Device Collections list, you can select the Power Configurations column to display whether a collection has a power plan applied.

209

Does wake-up proxy have its own service? Yes. Wake-up proxy in Configuration Manager SP1 has its own client service named ConfigMgr Wake-up Proxy that runs separately from the SMS Agent Host (CCMExec.exe). This service is installed when a client is configured for wake-up proxy and then new client checks make sure that this wake-up proxy service is running and that the startup type is automatic. Does disabling the wake-up proxy client setting remove or just stop the wake-up proxy service on clients? If you have enabled the wake-up proxy client setting on Configuration Manager SP1 clients, and then disable it, the ConfigMgr Wake-up Proxy service is removed from clients. Why does my first connection attempt for Remote Desktop always fail to a sleeping a computer when I use wake-up proxy? A manager computer for the sleeping computers subnet responds to the first connection attempt and wakes up the sleeping computer, which then contacts the network switch. After the computer is awake and the network switch is updated, subsequent connection attempts will successfully connect to the destination computer. Most TCP connections automatically retry and you will not see that the first connection (and possibly additional connections) time out. For Remote Desktop connections, however, you are more likely to see an initial failed connection and must manually retry. For computers that must come out of hibernation, you will probably experience a longer delay than for computers that are in other sleep states. Why dont clients run scheduled activities such as inventory, software updates, and application evaluation and installations at the time I schedule them? To better support virtual desktop infrastructure (VDI) environments and large-scale client deployments, System Center 2012 Configuration Manager has a randomization delay for scheduled activities. This means that for scheduled activities, clients are unlikely to run the action at the exact time that you configure. In Configuration Manager SP1 only, you can use client settings to enable or disable the randomization delay for required software updates and required applications. By default, this setting is disabled. For more information, see the Considerations for Managing the Configuration Manager Client in a Virtual Desktop Infrastructure (VDI) section in the Introduction to Client Deployment in Configuration Manager topic. Where is the documentation for the Configuration Manager client for Mac Computers? For Configuration Manager SP1 only: Because the management of computers that run the Mac OS X operating system is similar to managing Windows-based computers in System Center 2012 Configuration Manager, there is no separate documentation section for Mac computers. Instead, information is integrated throughout the documentation library. For example, information about how to install the client on Mac computers is in the Deploying Clients for System Center 2012 Configuration Manager guide, and information about how to deploy software to Mac computers is in the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide.

210

Some of the main topics that contain information about the Configuration Manager client for Mac computers include the following:
Topic More information

Introduction to Client Deployment in Configuration Manager

See the Deploying the Configuration Manager Client to Mac Computers section in the Introduction to Client Deployment in Configuration Manager topic for information about the Configuration Manager client for Mac computers, which includes the following: Configuration Manager functionality that the client supports

Supported Configurations for Configuration Manager

See the Client Requirements for Mac Computers section in the Supported Configurations for Configuration Manager topic to check whether Configuration Manager can support your version of the Mac OS X operating system. Contains certificate requirements for managing Mac computers in Configuration Manager. Contains information about how to install the Configuration Manager client on Mac computers. Contains information to help you deploy software to Mac computers. Contains information about how to use compliance settings for Mac computers.

PKI Certificate Requirements for Configuration Manager How to Install Clients on Mac Computers in Configuration Manager

How to Create and Deploy Applications for Mac Computers in Configuration Manager How to Create Mac Computer Configuration Items in Configuration Manager

Where is the documentation for the Configuration Manager client for Linux and UNIX? For Configuration Manager SP1 only: Because the management of computers that run Linux and UNIX is similar to managing Windows-based computers in System Center 2012 Configuration Manager, there is no separate documentation section for Linux and UNIX. Instead, information is integrated throughout the documentation library. For example, information about how to install the client on computers that run Linux or UNIX is in the Deploying Clients for System Center 2012 Configuration Manager guide, and information about how to deploy software to computers that run Linux and UNIX computers is in the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide.

211

Some of the main topics that contain information about the Configuration Manager client for Linux and UNIX include the following:
Topic More information

Introduction to Client Deployment in Configuration Manager

See the Deploying the Configuration Manager Client to Linux and UNIX Servers section in the Introduction to Client Deployment in Configuration Manager topic for information about the Configuration Manager client for Linux and UNIX, which includes: Configuration Manager functionality that the client supports

Supported Configurations for Configuration Manager

See the Client Requirements for Linux and UNIX Servers section Supported Configurations for Configuration Manager topic to check whether Configuration Manager can support your version of Linux or UNIX. Contains certificate requirements for the Configuration Manager client for Linux and UNIX. Contains information about deploying the Configuration Manager client to Linux and UNIX servers. Contains information about installing the Configuration Manager client on Linux and UNIX servers. For information about planning for communications from Linux and UNIX computers to Configuration Manager site system servers, see the Planning for Client Communication in Configuration Manager section of the Planning for Communications in Configuration Manager topic. Contains information about using the following functionality in Configuration Manager to manage clients that run Linux and UNIX: Collections Machine policy Maintenance Windows
212

PKI Certificate Requirements for Configuration Manager

Planning for Client Deployment for Linux and UNIX Servers

How to Install Clients on Linux and UNIX Computers in Configuration Manager

Planning for Communications in Configuration Manager

How to Manage Linux and UNIX Clients in Configuration Manager

Topic

More information

Hardware Inventory for Linux and UNIX in Configuration Manager

Client settings

Contains information about using hardware inventory with clients that run Linux and UNIX, including the following: Configuring inventory Extending hardware inventory Viewing inventory

Deploying Software to Linux and UNIX Servers in Configuration Manager How to Monitor Linux and UNIX Clients in Configuration Manager

Contains information about how to deploying software to Linux and UNIX clients. Contains information about how to monitoring clients that run Linux and UNIX.

Mobile Devices
The following frequently asked questions relate specifically to mobile devices in Configuration Manager. Where is the documentation for mobile devices? Because the management of mobile devices is so similar to managing computers in System Center 2012 Configuration Manager, there is no separate documentation section for mobile devices. Instead, information is integrated throughout the documentation library. For example, information about how to install the Configuration Manager client on mobile devices is in the Deploying Clients for System Center 2012 Configuration Manager guide. Information about how to configure settings for mobile devices, such as password settings, is in the Compliance Settings in Configuration Manager section of the Assets and Compliance in System Center 2012 Configuration Manager guide, and information about how to install applications on mobile devices is in the Application Management in Configuration Manager section of the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide. Some of the main topics that contain information about mobile devices include the following:
Topic More information

Supported Configurations for Configuration Manager

See the Mobile Device Requirements section to check whether Configuration Manager can support your mobile device environment. Contains certificate requirements if you install
213

PKI Certificate Requirements for Configuration

Topic

More information

Manager

the Configuration Manager client on mobile devices. No certificates are required by Configuration Manager if you manage mobile devices that connect to Exchange Server. Contains information about where to install the site system roles that are required to manage mobile devices. The Deploying the Configuration Manager Client to Mobile Devices section contains introductory information for managing mobile devices and what is new from Configuration Manager 2007.

Planning for Site Systems in Configuration Manager

Introduction to Client Deployment in Configuration Manager

Prerequisites for Windows Client Deployment in The Prerequisites for Mobile Device Clients Configuration Manager section contains information about the dependencies and firewall requirements for when you enroll mobile devices by using Configuration Manager. Determine How to Manage Mobile Devices in Configuration Manager Contains information about the differences between the management options for mobile devices in Configuration Manager. Contains instructions to enroll mobile devices by using Configuration Manager. Contains instructions to install the Exchange Server connector, so that you can manage mobile devices that connect to an Exchange Server. Contains information about to manage mobile devices by using the Windows Intune connector in Configuration Manager SP1. Contains security best practices and privacy information for mobile devices. Contains instructions to configure settings for mobile devices that are enrolled by Configuration Manager. See the Mobile Devices section for the list of log files that are created when you manage mobile devices in Configuration Manager.
214

How to Install Clients on Mobile Devices and Enroll Them by Using Configuration Manager How to Manage Mobile Devices by Using the Exchange Server Connector in Configuration Manager

How to Manage Mobile Devices by Using the Windows Intune Connector in Configuration Manager Security and Privacy for Clients in Configuration Manager How to Create Mobile Device Configuration Items for Compliance Settings in Configuration Manager Technical Reference for Log Files in Configuration Manager

If you have mobile device legacy clients in your System Center 2012 Configuration Manager hierarchy, the installation and configuration for these mobile devices is the same as in Configuration Manager 2007. For more information, see Mobile Device Management in Configuration Manager in the Configuration Manager 2007 documentation library. How do I re-enroll mobile devices by using Configuration Manager? When the certificate on the mobile device is due for renewal, users are automatically prompted to accept the new certificate. When they confirm the prompt, Configuration Manager automatically re-enrolls their mobile device. What action must I take if I no longer want a mobile device enrolled by Configuration Manager? You must wipe the mobile device if you no longer want it to be enrolled by System Center 2012 Configuration Manager. When you wipe a mobile device, this action deletes all data that is stored on the mobile device and on any attached memory cards. In addition, the certificate that was issued during enrollment is revoked with the following reason: Cease of Operation. If I wipe a mobile device that is enrolled by Configuration Manager and discovered by the Exchange Server connector, will it be wiped twice? No. In this dual management scenario, Configuration Manager sends the wipe command in the client policy and by using the Exchange Server connector, and then monitors the wipe status for the mobile device. As soon as Configuration Manager receives a wipe confirmation from the mobile device, it cancels the second and pending wipe command so that the mobile device is not wiped twice. Can I configure the Exchange Server connector for read-only mode? Yes, if you only want to find mobile devices and retrieve inventory data from them as a read-only mode of operation, you can do this by granting a subset of the cmdlets that the account uses to connect to the Exchange Client Access server. The required cmdlets for a read-only mode of operation are as follows: Get-ActiveSyncDevice Get-ActiveSyncDeviceStatistics Get-ActiveSyncOrganizationSettings Get-ActiveSyncMailboxPolicy Get-ExchangeServer Get-Recipient Set-ADServerSettings Warning When the Exchange Server connector operates with these limited permissions, you cannot create access rules, or wipe mobile devices, and mobile devices will not be configured with the settings that you define. In addition, Configuration Manager will
215

generate alerts and status messages to notify you that it could not complete operations that are related to the Exchange Server connector. Do I need a Windows Intune organizational account to use the Windows Intune connector? Yes. You must specify a Windows Intune organizational account before you can install the Windows Intune connector in Configuration Manager SP1. Do I need special certificates before I can make applications available to users who have mobile devices that run Windows RT, Windows Phone 8, iOS, and Android? Yes. You require specific application certificates before users can install applications on Windows RT, Windows Phone 8, and iOS. You do not require certificates to make applications available to mobile devices that run Android. For more information about these certificates, see How to Manage Mobile Devices by Using the Windows Intune Connector in Configuration Manager. Do I need a my own PKI to enroll mobile devices by using Windows Intune? No. Although the Windows Intune uses PKI certificates, Windows Intune automatically requests and installs these certificates for you. For more information about these certificates, see PKI Certificate Requirements for Configuration Manager. Does enrolling mobile devices by using the Windows Intune connector install the Configuration Manager client on them? No. Windows RT and Windows Phone 8 includes a management client that Configuration Manager uses, and Configuration Manager manages mobile devices that run iOS by directly calling APIs. Do I need the Windows Intune connector to manage Android devices? No. Without the Windows Intune connector, you can manage these devices by collecting hardware inventory, configure settings such as passwords and roaming, and remotely wipe the device. However, if you want to make company apps available to Android devices, you must install the Windows Intune connector. Can users go to the Application Catalog to install apps on their mobile devices? No. Mobile devices that are enrolled by Configuration Manager support only required apps, so users cannot choose company apps to install. Users who have mobile devices that are enrolled by Windows Intune install company apps from the company portal. However, if these apps require approval, users must first request approval from the Application Catalog.

216

Remote Control
The following frequently asked questions relate to remote control in Configuration Manager. Is remote control enabled by default? By default, remote control is disabled on client computers. Enable remote control as a default client setting for the hierarchy, or by using custom client settings that you apply to selected collections. What ports does remote control use? TCP 2701 is the only port that System Center 2012 Configuration Manager uses for remote control. When you enable remote control as a client setting, you can select one of three firewall profiles that automatically configure this port on Configuration Manager clients: Domain, Private, or Public. What is the difference between a Permitted Viewers List and granting a user the role-based administration security role of Remote Tools Operator? The Permitted Viewers List grants an administrative user the Remote Control permission for a computer, and the role-based administration security role of Remote Tools Operator grants an administrative user the ability to connect a Configuration Manager console to a site so that audit messages are sent when they manage computers by using remote control. Can I send a CTRL+ALT+DEL command to a computer during a remote control session? Yes. In the Configuration Manager remote control window, click Action, and then click Send Ctrl+Alt+Del. How can I find out how the Help Desk is using remote control? You can find this out by using the remote control reports: Remote Control All computers remote controlled by a specific user and Remote Control All remote control information. For more information, see How to Audit Remote Control Usage in Configuration Manager. What happened to the Remote Control program in Control Panel on Configuration Manager clients? The remote control settings for System Center 2012 Configuration Manager clients are now in Software Center, on the Options tab.

Software Deployment
The following frequently asked questions relate to content management, software updates, applications, packages and programs, scripts, and operating system deployment with supporting task sequences and device drivers in Configuration Manager.

217

When distribution points are enabled for bandwidth control, does the site server compress the content that it distributes to them in the same way as site-to-site data is compressed? No, site servers do not compress the content that it distributes to distribution points that are enabled for bandwidth control. Whereas site-to-site transfers potentially resend files that might already be present, only to be discarded by the destination site server, a site server sends only the files that a distribution point requires. With a lower volume of data to transfer, the disadvantages of high CPU processing to compress and decompress the data usually outweigh the advantages of compressing the data. What is an application and why would I use it? System Center 2012 Configuration Manager applications contain the administrative details and Application Catalog information necessary to deploy a software package or software update to a computer or mobile device. What is a deployment type and why would I use one? A deployment type is contained within an application and specifies the installation files and method that Configuration Manager will use to install the software. The deployment type contains rules and settings that control if and how the software is installed on client computers. What is the deployment purpose and why would I use this? The deployment purpose defines what the deployment should do and represents the administrators intent. For example, an administrative user might require the installation of software on client computers or might just make the software available for users to install themselves. A global condition can be set to check regularly that required applications are installed and to reinstall them if they have been removed. What is a global condition and how is it different from a deployment requirement? Global conditions are conditions used by requirement rules. Requirement rules set a value for a deployment type for a global condition. For example, operating system = is a global condition; a requirement rule is operating system = Win7. How do I make an application deployment optional rather than mandatory? To make a deployment optional, configure the deployment purpose as Available in the applications deployment type. Available applications display in the Application Catalog where users can install them. Can users request applications? Yes. Users can browse a list of available software in the Application Catalog. Users can then request an application which, if approved, will be installed on their computer. To make a deployment optional, configure the deployment purpose as Available in the applications deployment type.

218

Why would I use a package and program to deploy software rather than an application deployment? Some scenarios, such as the deployment of a script that runs on a client computer but that does not install software, are more suited to using a package and program rather than an application. Can I deploy Office so that it installs locally on a users main workstation but is available to that user as a virtual application from any computer? Yes. You can configure multiple deployment types for an application. Rules that specify which deployment type is run allows you to specify how the application is made available to the user. Does Configuration Manager help identify which computers a user uses to support the user device affinity feature? Yes. Configuration Manager collects usage statistics from client devices that can be used to automatically define user device affinities or to help you manually create affinities. Can I change a simulated application deployment to a standard application deployment? No. you must create a new deployment that can include extra options that include scheduling and user experience. If the same application is deployed to a user and a device, which one takes priority? In this case, the following rules apply: If both deployments have a purpose of Available, the user deployment will be installed. If both deployments have a purpose of Required, the deployment with the earliest deadline will be installed. If one deployment has a purpose of Available and the other deployment has a purpose of Required, the deployment with the purpose of Required will be installed. Note A deployment to a user that is scheduled to be installed out of business hours is treated as a required deployment. Can I migrate my existing packages and programs from Configuration Manager 2007 to a System Center 2012 Configuration Manager hierarchy? Yes. You can see migrated packages and programs in the Packages node in the Software Library workspace. You can also use the Import Package from Definition Wizard to import Configuration Manager 2007 package definition files into your site. Does the term software include scripts and drivers? Yes. In System Center 2012 Configuration Manager, the term software includes software updates, applications, scripts, task sequences, device drivers, configuration items, and configuration baselines.

219

What does state-based deployment mean in reference to System Center 2012 Configuration Manager? Depending on the deployment purpose you have specified in the deployment type of an application, System Center 2012 Configuration Manager periodically checks that the state of the application is the same as its purpose. For example, if an applications deployment type is specified as Required, Configuration Manager reinstalls the application if it has been removed. Only one deployment type can be created per application and collection pair. Do I have to begin using System Center 2012 Configuration Manager applications immediately after migrating from Configuration Manager 2007? No, you can continue to deploy packages and programs that have been migrated from your Configuration Manager 2007 site. However, packages and programs cannot use some of the new features of System Center 2012 Configuration Manager such as requirement rules, dependencies and supersedence. If an application that has been deployed to a user is installed on multiple devices, how is the deployment summarized for the user? Deployments to users or devices are summarized based on the worst result. For example, if a deployment is successful on one device and the application requirements were not met on another device then the deployment for the user is summarized as Requirements Not Met. If none of the users devices has received the application, the deployment is summarized as Unknown. Is there a quick guide to installing the Application Catalog? If you dont require HTTPS connections (for example, users will not connect from t he Internet), you can use the following the quick guide instructions: 1. Make sure that you have all the prerequisites for the Application Catalog site roles. For more information, see Prerequisites for Application Management in Configuration Manager. 2. Install the following Application Catalog site system roles and select the default options: Application Catalog web service point Application Catalog website point

3. Configure the following Computer Agent device client settings by editing the default client settings, or by creating and assigning custom client settings: Default Application Catalog website point: Automatically detect Add default Application Catalog website to Internet Explorer trusted site zone: True Install Permissions: All users

For full instructions, see Configuring the Application Catalog and Software Center in Configuration Manager. Can I deploy applications by using task sequences? You can use a task sequence to deploy applications. However, when you configure an application deployment rather than use a task sequence, you benefit from the following: You have a richer monitoring and compliance experience.
220

You can supersede a previous version of the application and can uninstall or upgrade the previous version. You can deploy applications to users.

For more information about how to deploy applications, see Introduction to Application Management in Configuration Manager. How often are application deployments summarized? Although you can configure the application deployment summarization interval, by default, the following values apply: Deployments that were modified in the last 30 days 1 hour Deployments that were modified in the last 31 to 90 days 1 day Deployments that were modified over 90 days ago 1 week

You can modify the application deployment summarization intervals from the Status Summarizers dialog box. Click Status Summarizers from the Sites node in the Administration workspace to open this dialog box. How does the processing of requirements differ between a deployment with the action of Install and a deployment with the action of Uninstall? In most cases, a deployment with an action of Uninstall will always uninstall a deployment type if it is detected unless the client type is different. For example, if you deploy a mobile device application with an action of Uninstall to a desktop computer, the deployment will fail with a status of Requirements not met as it is impossible to enforce this uninstall. What happens if a simulated deployment and a standard deployment for the same application are deployed to a computer? Although you cannot deploy a simulated and a standard deployment of an application to the same collection, you can target a computer with both if you deploy them to different collections and the computer is a member of both collections. In this scenario, for both deployments, the computer reports the results of the standard deployment. This explains how you might see deployment states for a simulated deployment that you would usually only see for a standard deployment, such as In Progress and Error. Why do I see an error message about insufficient permissions from a Windows Embedded device when I try to install software from Software Center? You can install applications only when the write filter on the Windows Embedded device is disabled. If you try to install an application on a Windows Embedded device that has write filters enabled, you see an error message that you have insufficient permissions to install the application and the installation fails. Can I use update lists in System Center 2012 Configuration Manager? No. Software update groups are new in System Center 2012 Configuration Manager and replace update lists that were used in Configuration Manager 2007.

221

What is an update group and why would I use one? Software update groups provide a more effective method for you to organize software updates in your environment. You can manually add software updates to a software update group or software updates can be automatically added to a new or existing software update group by using an automatic deployment rule. You can also deploy a software update group manually or automatically by using an automatic deployment rule. After you deploy a software update group, you can add new software updates to the group and they will automatically be deployed. Does System Center 2012 Configuration Manager have automatic approval rules like Windows Server Update Services (WSUS)? Yes. You can create automatic deployment rules to automatically approve and deploy software updates that meet specified search criteria. What changes have been made in System Center 2012 Configuration Manager to manage superseded software updates? In Configuration Manager 2007, superseded software updates are automatically expired during full software updates synchronization. In System Center 2012 Configuration Manager, you can choose to automatically expire superseded software updates during software updates synchronization just as it is in Configuration Manager 2007. Or, you can specify a number of months before a superseded software update is expired. This allows you to deploy a superseded software update for the period of time while you validate and approve the superseding software update in your environment. How are superseded and expired software updates removed in System Center 2012 Configuration Manager? System Center 2012 Configuration Manager might automatically remove expired and superseded software updates. Consider the following scenarios: Expired software updates that are not associated with a deployment are automatically removed up every 7 days by a site maintenance task. Expired software updates that are associated with a deployment are not automatically removed by the site maintenance task. Superseded software updates that you have configured not to expire for a specified period of time are not removed or deleted by the site maintenance task.

You can remove expired software updates from all software update groups and software update deployments so that they are automatically removed. To do this, search for expired software updates, select the returned results, choose edit membership, and remove the expired software updates from any software update group for which they are members. What do the software update group icons represent in Configuration Manager? The software update group icons are different in the following scenarios: When a software update group contains at least one expired software update, the icon for that software update group contains a black X. When a software update group contains no expired software updates, but at least one superseded software update, the icon for that software update group contains a yellow star.
222

When a software update group has no expired or superseded software updates, the icon for that software update group contains a green arrow.

When you view the status of an application deployment in the Deployments node of the Monitoring workspace, how is the displayed Compliance % calculated? The compliance percentage (Compliance %) is calculated by taking the number of users or devices with a deployment state of Success added to the number of devices with a deployment state of Requirements Not Met and then dividing this total by the number of users or devices that the deployment was sent to. While monitoring the deployment of an application, the numbers displayed in the Completion Statistics do not match the numbers displayed in the View Status pane. What reasons might cause this? The following reasons might cause the numbers shown in Completions Statistics and the View Status pane to differ: The completion statistics are summarized and the View Status pane displays live data Select the deployment in the Deployments node of the Monitoring workspace and then, in the Home tab, in the Deployment group, click Run Summarization. Refresh the display in the Configuration Manager console and after summarization completes, the updated completion statistics will display in the Configuration Manager console. An application contains multiple deployment types. The completion statistics display one status for the application; the View Status pane displays status for each deployment type in the application. The client encountered an error. It was able to report status for the application, but not for the deployment types contained in the application. You can use the report Application Infrastructure Errors to troubleshoot this scenario.

Can I deploy operating systems by using a DVD or a flash drive? Yes. You can use media such as a CD, DVD set, or a USB flash drive to capture an operating system image and to deploy an operating system. Deployment media includes bootable media, prestaged media, and stand-alone media. For more information, see Planning for Media Operating System Deployments in Configuration Manager. When I upgrade an operating system, can I retain the users information so that they have all their files, data, and preferences when they log on to the new operating system? Yes. When you deploy an operating system you can add steps to your task sequence that capture and restore the user state. The captured data can be stored on a state migration point or on the computer where the operating system is deployed. For more information, see How to Manage the User State in Configuration Manager. Can I deploy operating systems to computers that are not managed by Configuration Manager? Yes. These types of computers are referred to as unknown computers. For more information about how to deploy operating systems to unknown computers, see How to Manage Unknown Computer Deployments in Configuration Manager.
223

When I deploy an operating system to multiple computers, can I optimize how the operating system image is sent to the destination computers? Yes. Use multicast to simultaneously send data to multiple Configuration Manager clients rather than sending a copy of the data to each client over a separate connection. For more information, see Planning a Multicast Strategy in Configuration Manager.

Endpoint Protection
The following frequently asked questions relate to Endpoint Protection in Configuration Manager. Whats new for Endpoint Protection in System Center 2012 Configuration Manager? Endpoint Protection is fully integrated with System Center 2012 Configuration Manager and no longer requires a separate installation. In addition, there are a number of new features and enhancements in Endpoint Protection. For more information, see the Endpoint Protection section in the Whats New in Configuration Manager topic. Can I deploy definitions by using Configuration Manager distribution points? Yes, you can deploy Endpoint Protection definitions by using Configuration Manager software updates. For more information, see Step 3: Configure Configuration Manager Software Updates to Deliver Definition Updates to Client Computers in the How to Configure Endpoint Protection in Configuration Manager topic. Are malware notifications faster in System Center 2012 Endpoint Protection than in Forefront Endpoint Protection 2010? Yes, System Center 2012 Endpoint Protection uses Configuration Manager alerts to more quickly notify you when malware is detected on client computers. Which antimalware solutions can Endpoint Protection uninstall? For a list of the antimalware solutions that Configuration Manager can automatically uninstall when you install the Endpoint Protection client, see the Endpoint Protection section in the About Client Settings in Configuration Manager topic. For more information about how to configure Endpoint Protection to uninstall these antimalware solutions, see How to Configure Endpoint Protection in Configuration Manager.

See Also
Getting Started with System Center 2012 Configuration Manager

Accessibility Features of Configuration Manager

This topic provides information about features in Microsoft System Center 2012 Configuration Manager that make the product more accessible for people with disabilities.
224

For general information about Microsoft accessibility products and services, visit the Microsoft Accessibility website.

Accessibility Features for the Configuration Manager Console

In addition to accessibility features and tools in Windows, the following features make Configuration Manager more accessible for people with disabilities: To access a workspace, use the following keyboard shortcuts:
Workspace Keyboard shortcut

Assets and Compliance Software Library Monitoring Administration

Ctrl+1 Ctrl+2 Ctrl+3 Ctrl+4

To access a workspace menu, press the Tab key until the Expand/Collapse icon is in focus. Then, press the Down Arrow key to access the workspace menu. To navigate through a workspace menu, use the arrow keys. To access different areas in the workspace, use the Tab key and Shift+Tab keys. To navigate within an area of the workspace, such as the ribbon, use the arrow keys. To access the address bar when your focus is in the tree node, use the back tab 3 times. On a wizard or property page, you can move between the boxes with keyboard shortcuts. Press the Alt key plus the underlined character (Alt+_) to select a specific box. Note The information in this section may apply only to users who license Microsoft products in the United States. If you obtained this product outside of the United States, you can use the subsidiary information card that came with your software package or visit the Microsoft Accessibility website for a list of Microsoft support services telephone numbers and addresses. You can contact your subsidiary to find out whether the type of products and services described in this section are available in your area. Information about accessibility is available in other languages, including Japanese and French.

Accessibility Features for Configuration Manager Help

Configuration Manager Help includes features that make it accessible to a wider range of users, including those who have limited dexterity, low vision, or other disabilities.
To do this Use this keyboard shortcut

Display the Help window.

F1

225

To do this

Use this keyboard shortcut

Move the cursor between the Help topic pane and the navigation pane (the Contents, Search, and Index tabs). Change between tabs (for example, Contents, Search, and Index) while in the navigation pane. Select the next hidden text or hyperlink. Select the previous hidden text or hyperlink. Perform the action for the selected Show All, Hide All, hidden text, or hyperlink. Display the Options menu to access any Help toolbar command. Hide or show the pane containing the Contents, Search, and Index tabs. Display the previously viewed topic. Display the next topic in a previously displayed sequence of topics. Return to the specified home page. Stop the Help window from opening a Help topic, such as to stop a webpage from downloading. Open the Internet Options dialog box for Windows Internet Explorer, where you can change accessibility settings. Refresh the topic, such as a linked webpage. Print all topics in a book or a selected topic only. Close the Help window.

F6

Alt + underlined letter of the tab

Tab Shift+Tab Enter

Alt+O

Alt+O, and then press T

Alt+O, and then press B Alt+O, and then press F

Alt+O, and then press H Alt+O, and then press S

Alt+O, and then press I

Alt+O, and then press R Alt+O, and then press P

Alt+F4

To change the appearance of a Help topic 1. To prepare to customize the colors, font styles, and font sizes in Help, open the Help window. 2. Click Options, and then click Internet Options.
226

3. On the General tab, click Accessibility. Select Ignore colors specified on Web pages, Ignore font styles specified on Web pages, and Ignore font sizes specified on Web pages. You also can choose to use the settings specified in your own style sheet. To change the color of the background or text in Help 1. Open the Help window. 2. Click Options, and then click Internet Options. 3. On the General tab, click Accessibility. Then, select Ignore colors specified on Web pages. You also can choose to use the settings specified in your own style sheet. 4. To customize the colors used in Help, on the General tab, click Colors. Clear the Use Windows Colors check box, and then select the font and background colors that you want to use. Note If you change the background color of the Help topics in the Help window, the change also affects the background color for webpages in Windows Internet Explorer. To change the font in Help 1. Open the Help window. 2. Click Options, and then click Internet Options. 3. On the General tab, click Accessibility. To use the same settings as those used in your instance of Windows Internet Explorer, select Ignore font styles specified on Web pages and Ignore font sizes specified on Web pages. You also can choose to use the settings specified in your own style sheet. 4. To customize the font style used in Help, on the General tab, click Fonts, and then click the font style that you want. Note If you change the font of the Help topics in the Help window, the change also affects the font for webpages in Windows Internet Explorer.

See Also
Getting Started with System Center 2012 Configuration Manager

Information and Support for Configuration Manager

Use the following resources for additional information about System Center 2012 Configuration Manager. To access the most current System Center 2012 Configuration Manager Use the TechNet Documentation Library for System Center 2012 Configuration Manager
227

product documentation: To provide feedback about the documentation or ask a question about the documentation: To receive Twitter feeds from the documentation team (for example, notification of documentation updates): Email [email protected]

See the Configuration Manager Documentation Team Twitter feed

The following sections provide additional information to support Configuration Manager: Search the Configuration Manager Documentation Library The Configuration Manager Product Group Blog Support Options and Community Resources

Search the Configuration Manager Documentation Library

Use this query to find online documentation in the TechNet Library forSystem Center 2012 Configuration Manager. This customized Bing search query scopes your search on TechNet so that you see results from the Documentation Library for System Center 2012 Configuration Manager only. For example, search results do not include topics from Configuration Manager 2007 or from community resources. It uses the placeholder search text Configuration Manager, which you can replace in the search bar with your own search string or strings, and choice of search operators, to help you narrow the search results. Example Searches Use the Find information online link and customize the search by using the following examples. Single search string: To search for topics that contain the search string Endpoint Protection, replace Configuration Manager with Endpoint Protection: ("Endpoint Protection") site:technet.microsoft.com/enus/library meta:search.MSCategory(gg682056) Combining search strings: To search for topics that contain the search strings Endpoint Protection and monitoring, use the AND operator: ("Endpoint Protection") AND ("monitoring") site:technet.microsoft.com/en-us/library meta:search.MSCategory(gg682056) Alternative search strings: To search for topics that contain the search string Endpoint Protection or monitoring, use the OR operator: ("Endpoint Protection" OR "monitoring") site:technet.microsoft.com/en-us/library meta:search.MSCategory(gg682056)

228

Exclude search strings: To search for topics that contain the search string Endpoint Protection and exclude topics about monitoring, use the NOT operator: ("Endpoint Protection)" NOT ("monitoring") site:technet.microsoft.com/en-us/library meta:search.MSCategory(gg682056)

Search Tips Use the following search tips to help you find the information that you need: When you search on a page in TechNet or in the help file (for example, press Ctrl-F1, and enter search terms in the Find box), the results exclude text that is in collapsed sections. To search for text in collapsed sections, expand the sections before you search on the page. Whenever possible, use the TechNet online library rather than downloaded documentation. TechNet contains the most up-to-date information and the information that you are searching for might not be in the downloaded documentation or there might be corrections or additional information online. If you find it easier and faster to search documentation when it is stored locally, you can select multiple topics on TechNet and save them locally. For more information, see the following instructions on the TechNet wiki: How to Build Your Own Custom TechNet Documentation.

The Configuration Manager Product Group Blog

The Configuration Manager product group and partner teams use the System Center Configuration Manager Team Blog to provide you with technical information and other news about Configuration Manager and related technologies. Our blog posts supplement the product documentation and support information.

Support Options and Community Resources

The following links provide information about support options and community resources: System Center Configuration Manager Support Microsoft Help and Support System Center 2012 Configuration Manager Survival Guide Configuration Manager Community Page Configuration Manager Forums Page myITforum System Center Community Support

Note All information and content at myITforum.com is provided by the owner or the users of the website. Microsoft makes no warranties, express, implied or statutory, as to the information on this website.

229

In addition, visit the System Center 2012 TechCenter to find other supporting resources for System Center 2012 Configuration Manager.

See Also
Getting Started with System Center 2012 Configuration Manager

Site Administration for System Center 2012 Configuration Manager

The Site Administration for System Center 2012 Configuration Manager guide provides documentation to help you plan, install, configure, and maintain Microsoft System Center 2012 Configuration Manager. If you are new to Configuration Manager, read Getting Started with System Center 2012 Configuration Manager before you read this guide.

Site Administration Topics

Use the following topics to help you plan, configure, and maintain System Center 2012 Configuration Manager sites: Introduction to Site Administration in Configuration Manager Planning for Configuration Manager Sites and Hierarchy Configuring Sites and Hierarchies in Configuration Manager Operations and Maintenance for Site Administration in Configuration Manager Reporting in Configuration Manager Security and Privacy for Site Administration in Configuration Manager Technical Reference for Site Administration in Configuration Manager

Other Resources for this Product

TechNet Library main page for System Center 2012 Configuration Manager Documentation Library for System Center 2012 Configuration Manager

Introduction to Site Administration in Configuration Manager

Site administration in System Center 2012 Configuration Manager refers to the planning, installation, management, and monitoring of a System Center 2012 Configuration Manager hierarchy of sites. A hierarchy of sites can be described by one of three basic configurations: A single stand-alone primary site that has no additional sites. A primary site that has one or more secondary sites. A central administration site as the top-level site that has one or more primary child sites. The primary sites can each support secondary sites.

Several configurations in Configuration Manager apply to objects at every site in the hierarchy. Other configurations are site-specific and require that you configure each site separately. For
230

example, you can configure most site system roles at a primary site, but some site system roles can only be installed at the top-level site of a hierarchy, which might be a primary site in one hierarchy and a central administration site in another hierarchy. Your available network infrastructure, the network and geographical locations of the resources that you manage, and the management features that you use can influence your hierarchy design and approach to administration. Use the following sections for more information about planning, configuring, and managing your Configuration Manager site or hierarchy: Plan and Deploy a Hierarchy of Sites Deploy Site Systems at Sites Configure Hierarchy-Wide and Site-Specific Options Monitor and Maintain the Hierarchy

Plan and Deploy a Hierarchy of Sites

Before you deploy your first site, review the planning information for Configuration Manager. The type of site that you first deploy can define the structure for your hierarchy. For example, if the first site that you install is a primary site because you do not expect to manage a complex or geographically dispersed environment, your hierarchy is initially limited to a single primary site. This primary site can support secondary sites and in the future can expand by adding a central administration site, when the primary site runs Configuration Manager SP1. However, if you deploy a central administration site as your first site, you have the option to add more primary sites as child sites to the central administration site in the future. This provides you with the flexibility to expand your hierarchy as your company grows and when management requirements change. For more information about sites and hierarchies, see Planning for Sites and Hierarchies in Configuration Manager. When you plan your hierarchy, consider the external dependencies of Configuration Manager, such as a public key infrastructure (PKI) if you plan to use certificates, or your Active Directory domain structure. Determine whether you manage resources in untrusted forests or resources that are on the Internet, and determine how Configuration Manager will support these scenarios. These factors and other considerations can influence your hierarchy design and site and site system role placement. For more information, see PKI Certificate Requirements for Configuration Manager and Identify Your Network and Business Requirements to Plan a Configuration Manager Hierarchy.

Deploy Site Systems at Sites

In each site that you install, you must install and configure site system roles to support management operations. If you plan to install more than a single primary site, review the site system roles and if you can deploy them at different sites. Some site system roles, which include the Endpoint Protection point, require that you install just one instance in the hierarchy to provide a service to all sites in the hierarchy. Other site system roles, which include the Application Catalog web service point, must be installed at each site where you require them to provide a
231

service to that site. Finally, some site system roles, which include the management point and distribution point, support the installation of multiple instances at a site. Refer to the site system role requirements to help you identify the best locations to place the site system roles at each site. For example: For central administration sites, you can deploy site system roles that are useful for hierarchy-wide monitoring, such as the reporting services point. You can also deploy site system roles that provide services to the whole hierarchy, such as the Endpoint Protection point. Some roles, such as the software update point, must be installed in the central administration site, but you can also install them in primary and secondary sites. In this scenario, the software update point in the central administration site provides the other software update points with a central location to synchronize software updates. For primary sites, you must have site system roles for client communication, such as management points and software update points. Review your network infrastructure and the locations of computers and users on your network to ensure that you put these client-facing site systems in the best locations to optimize network connectivity. For secondary sites, you can install a limited set of site system roles. Additionally, if content distribution to a remote network location is your main concern, you might decide to install distribution points from a primary site instead of installing a secondary site.

For more information about site systems, see Planning for Site Systems in Configuration Manager.

Configure Hierarchy-Wide and Site-Specific Options

After you deploy your first site, you can configure settings that apply across the hierarchy and settings that are specific to individual sites. Regardless of when you configure sites or hierarchywide settings, plan to periodically revisit these tasks to adjust configurations to meet changing business requirements. Hierarchy-wide and site-specific configurations affect how sites operate and how client management tasks in each site function. Some of the hierarchy-wide configurations that you can set include the following: Role-based administration, which includes the following: Identify administrative users who manage your Configuration Manager infrastructure and assign them security roles, security scopes, and collections to manage their permissions to objects, and the objects that they can interact with. Create custom security roles and security scopes that you require to help partition security and administrative user access to different objects.

Discovery to locate resources that you can manage. Boundaries and boundary groups to control client site assignment, and the site system servers from which clients can obtain content such as applications or operating system deployments. Client settings to specify how and when Configuration Manager clients perform various operations, which includes when to check for new applications or to submit hardware or software inventory data to their assigned site.

Some of the site-specific configurations that you can set include the following:
232

Communication settings for site system roles that control how clients communicate with the site system roles at that site. Settings to specify how sites summarize status message details that are collected from clients and site system servers. Site maintenance tasks and schedules to help maintain the local Configuration Manager database. Site component configurations that control how site system roles operate in a site.

For more information about how to configure sites and hierarchy-wide settings, see Configure Sites and the Hierarchy in Configuration Manager, and Operations and Maintenance for Site Administration in Configuration Manager.

Monitor and Maintain the Hierarchy

You must monitor and maintain the health of the hierarchy and individual site systems. Over time, conditions in your environment can change. These changes might include network issues that decrease the replication performance between sites, the number of clients that report to a site and that might affect site system role performance, and an increase in the amount of data that is stored in the Configuration Manager database that can decrease data processing and site performance. To keep your site systems, intersite data replication, and the database healthy, you must monitor your hierarchy for problems and take actions to maintain these systems to prevent critical problems. You can monitor the health of your hierarchy by using the Monitoring workspace in the Configuration Manager console. Additionally, you can configure site maintenance tasks at each site to help maintain the operational efficiency of the database, and to remove aged data that you no longer require. Periodically review the configurations and operational settings for site system roles to ensure that they continue to provide a service to your clients, and review the frequency and extent of the data that you collect from clients to ensure that you collect only the data that you really require. Configuration Manager provides built-in functionality that you can use to monitor and maintain your infrastructure. For example, you can do the following: Run reports that inform you about the success or failure of typical Configuration Manager tasks and that summarize the operational status of your sites and hierarchy. View status messages and receive alerts that can help you identify current or emerging problems, which include information about application deployments or site and hierarchy infrastructure problems. View the status of clients, which includes clients that are inactive, and view the status of Endpoint Protection clients. Configure more than 30 site maintenance tasks to help maintain the health of the Configuration Manager database.

233

For more information about monitoring, see Monitor Configuration Manager Sites and Hierarchy, and Reporting in Configuration Manager. For more information about site maintenance tasks, see Configure Maintenance Tasks for Configuration Manager Sites.

See Also
Site Administration for System Center 2012 Configuration Manager

Planning for Configuration Manager Sites and Hierarchy

You can install Microsoft System Center 2012 Configuration Manager by using many different design configurations that range from a single site to multiple sites that span diverse geographical network locations. Even single site designs often use multiple Windows servers to provide services to users and devices on your network. When you install multiple System Center 2012 Configuration Manager sites, they form a hierarchy of sites that share information by using a distributed database. Sites communicate with each other and share information by using database replication that is based on SQL Server replication and file-based transfers. Sites in a hierarchy use parent-child relationships to define communication paths. Because the data that is transferred between computers within a site and between different Configuration Manager sites can significantly affect the efficiency of your network, plan your site or hierarchy before you install any Configuration Manager site.

Planning Topics
Use the following topics to help you plan for sites and hierarchies by gathering the information that you will need to plan the design of your System Center 2012 Configuration Manager deployment to best meet your business requirements and make efficient use of your network infrastructure. Supported Configurations for Configuration Manager Interoperability between Different Versions of Configuration Manager Planning for Hardware Configurations for Configuration Manager PKI Certificate Requirements for Configuration Manager Identify Your Network and Business Requirements to Plan a Configuration Manager Hierarchy Determine Whether to Migrate Configuration Manager 2007 Data to System Center 2012 Configuration Manager Determine Whether to Extend the Active Directory Schema for Configuration Manager Planning for Sites and Hierarchies in Configuration Manager Planning to Upgrade System Center 2012 Configuration Manager Planning for Publishing of Site Data to Active Directory Domain Services Planning for Discovery in Configuration Manager Planning for Client Settings in Configuration Manager
234

Planning for Site Systems in Configuration Manager Planning for Cloud Services in Configuration Manager Planning for Content Management in Configuration Manager Planning for Boundaries and Boundary Groups in Configuration Manager Planning for Security in Configuration Manager Planning for Communications in Configuration Manager Planning for Site Operations in Configuration Manager Planning for High Availability with Configuration Manager Example Scenarios for Planning a Simplified Hierarchy with Configuration Manager

Other Resources for this Product

TechNet Library main page for System Center 2012 Configuration Manager Site Administration for System Center 2012 Configuration Manager

Supported Configurations for Configuration Manager

Note This topic appears in the Getting Started with System Center 2012 Configuration Manager guide and in the Site Administration for System Center 2012 Configuration Manager guide. This topic specifies the requirements to implement and maintain Microsoft System Center System Center 2012 Configuration Manager in your environment. The following sections list products that are supported with System Center 2012 Configuration Manager. No extension of support for these products beyond their current product life-cycles is implied. Products that are beyond their current support life cycle are not supported for use with Configuration Manager. For more information about Microsoft Support Lifecycles, visit the Microsoft Support Lifecycle website at Microsoft Support Lifecycle. Warning Microsoft provides support for the current service pack and, in some cases, the immediately previous service pack. For more information about Microsoft support lifecycle policy, go to the Microsoft Support Lifecycle Support Policy FAQ website at Microsoft Support Lifecycle Policy FAQ. Products that are not listed in this document are not supported with System Center 2012 Configuration Manager unless they are announced on the System Center Configuration Manager Team Blog. Configuration Manager System Requirements Site and Site System Role Scalability Site System Requirements Prerequisites for Site System Roles
235

Prerequisites for Site System Roles on Windows Server 2012 Minimum Hardware Requirements for Site Systems Operating System Requirements for Site Servers, Database Servers, and the SMS Provider Operating System Requirements for Typical Site System Roles Operating System Requirements for Function-Specific Site System Roles

Computer Client Requirements Mobile Device Requirements Mobile Devices Enrolled by Configuration Manager Mobile Devices Enrolled by Windows Intune Mobile Device Support by Using the Exchange Server Connector Mobile Device Legacy Client

Configuration Manager Console Requirements SQL Server Requirements Application Management Operating System Deployment Out of Band Management Remote Control Viewer Software Center and the Application Catalog Active Directory Schema Extensions Disjoint Namespaces Single Label Domains Support for Internet Protocol Version 6 Support for Specialized Storage Technology Support for Computers in Workgroups Support for Virtualization Environments Support for Network Address Translation DirectAccess Feature Support BranchCache Feature Support Fast User Switching Dual Boot Computers Upgrade Configuration Manager Infrastructure Upgrade for Configuration Manager
236

Configurations for the SQL Server Site Database Function-Specific Requirements

Support for Active Directory Domains

Windows Environment

Supported Upgrade Paths for Configuration Manager

SQL Server Upgrade for the Site Database Server

Configuration Manager System Requirements

The following sections specify the hardware and software requirements that you must have to implement and maintain Configuration Manager in your environment. Site and Site System Role Scalability The following table contains information about the support limits at each site type and by each client-facing site system role. This information is based on the recommended hardware for site systems. For information about the recommended hardware for Configuration Manager sites, see Planning for Hardware Configurations for Configuration Manager. For information about the minimum required hardware to run a Configuration Manager site, see Minimum Hardware Requirements for Site Systems, in this topic.
Site or site system role More information

Central administration site

A central administration site can support up to 25 child primary sites. When you use SQL Server Enterprise or Datacenter for the site database at the central administration site, the shared database and hierarchy supports up to 400,000 clients. The maximum number of supported clients per hierarchy depends on the SQL Server edition in the central administration site, and is independent of the SQL Server edition at primary or secondary sites. Note Configuration Manager supports up to 400,000 clients per hierarchy when you use the default settings for all Configuration Manager features.

When you use SQL Server Standard for the site database at the central administration site, the shared database and hierarchy supports up to 50,000 clients. This is because of how the database is partitioned. After you install Configuration Manager, if you then upgrade the edition of SQL Server at the central administration site from
237

Site or site system role

More information

Standard to Enterprise or Datacenter, the database does not repartition and this limitation remains. Note You cannot assign Configuration Manager clients to a central administration site. Support for clients applies to clients that are assigned to child primary sites in the hierarchy. Primary site Each primary site can support up to 250 secondary sites. Note The number of secondary sites per primary site is based on continuously connected and reliable wide area network (WAN) connections. For locations that have fewer than 500 clients, consider a distribution point instead of a secondary site. A stand-alone primary site always supports up to 100,000 clients. A Configuration Manager SP1 primary site supports up to 10,000 Windows Embedded devices that have File-Based Write Filters (FBWF) enabled when they are configured for the exceptions listed in the Deploying the Configuration Manager Client to Windows Embedded Devices section in the Introduction to Client Deployment in Configuration Manager topic. Otherwise, all other configurations for write filter-enabled embedded devices limit support to 3,000 embedded devices for a primary site. When write filters are not enabled, the standard number of clients are supported. A Configuration Manager SP1 primary site supports up to 50,000 Mac computers. A child primary site that uses SQL Server
238

Site or site system role

More information

installed on the same computer as the site server can support up to 50,000 clients. When you use SQL Server that is installed on a computer that is remote from the site server, the child primary site can support up to 100,000 clients. Note In a hierarchy with a central administration site that uses a standard edition SQL Server, the total number of clients supported in the hierarchy is limited to 50,000. In this hierarchy, a child primary site that uses a remote installation of SQL Server cannot support more clients than is supported by the hierarchy. The version of SQL Server that is used by a secondary site does not affect the number of clients that the primary site supports. Unlike a central administration site, the edition of SQL Server you use for the primary site database does not affect the maximum number of clients the primary site supports. This is true for both child primary sites, and stand-alone primary sites. Each secondary site can support communications from up to 5,000 clients when you use a secondary site server that has the recommended hardware and a fast and reliable network connection to its primary parent site. A secondary site could support communications from additional clients when its hardware configuration exceeds the recommended hardware configuration. For information about the recommended hardware for Configuration Manager sites, see Planning for Hardware Configurations
239

Secondary site

Site or site system role

More information

for Configuration Manager. Management point Primary site: Each primary site management point can support up to 25,000 computer clients. To support 100,000 clients you must have at least four management points. Additional restrictions: Mac computer clients: Up to 10,000. Note Do not position management points across a slow link from their primary site server or from the site database server. Each primary site can support up to 10 management points. Note When you have more than four management points in a primary site, you do not increase the supported client count of the primary site beyond 100,000. Instead, any additional management points provide redundancy for communications from clients. Secondary site: Each secondary site supports a single management point that must be installed on the secondary site server. The secondary site management point supports communications from the same number of clients as supported by the hardware configuration of the secondary site server. Individually, each primary site supports up to 250 distribution points and each distribution point can support up to 4,000 clients.
240

Distribution point

Site or site system role

More information

Individually, each secondary site supports up to 250 distribution points and each distribution point can support up to the same number of clients as supported by the hardware configuration of the secondary site server, up to no more than 4,000 clients. Each primary site supports a combined total of up to 5,000 distribution points. This total includes all the distribution points at the primary site and all distribution points that belong to the primary sites child secondary sites. Each distribution point supports a combined total of up to 10,000 packages and applications. Note The number of clients that one distribution point can support depends on the speed of the network, the disk performance of the distribution point computer, and the application or package size.

Software update point

For Configuration Manager without service pack, each site supports one active software update point for use on the intranet, and optionally, one software update point for use on the Internet. You can configure each of these software update points as a Network Load Balancing (NLB) cluster. You can have up to four software update points in the NLB cluster. For Configuration Manager SP1, each site supports multiple software update points for use on the intranet and on the Internet. By default, Configuration Manager SP1 does not support configuring software update points as NLB clusters. However, you can use the Configuration Manager SDK to configure a software update point on a NLB
241

Site or site system role

More information

cluster. A software update point that is installed on the site server can support up to 25,000 clients. A software update point that is installed on a computer that is remote from the site server can support up to 100,000 clients. Note For more information, see Planning for Software Updates in Configuration Manager. Fallback status point Application Catalog website point Each fallback status point can support up to 100,000 clients. You can install multiple instances of the Application Catalog website point at primary sites. For improved performance, plan to support up to 50,000 clients per instance. Each instance of this site system role supports up to 400,000 clients, which provides service for the whole hierarchy. Tip As a best practice, install the Application Catalog website point and Application Catalog web service point together on the same site system when they provide service to clients that are on the intranet. Application Catalog web service point You can install multiple instances of the Application Catalog web service point at primary sites. For improved performance, plan to support up to 50,000 clients per instance. Each instance of this site system role supports up to 400,000 clients, which provides service for the whole hierarchy. Tip
242

Site or site system role

More information

As a best practice, install the Application Catalog website point and Application Catalog web service point together on the same site system when they provide service to clients that are on the intranet. System Health Validator point Each System Health Validator point can support up to 100,000 clients.

Site System Requirements Each System Center 2012 Configuration Manager site system server must use a 64-bit operating system. The only exception to this is the distribution point site system role which can be installed on limited 32-bit operating system versions. Limitations for site systems: Site systems are not supported on Server Core installations for the following operating systems: Windows Server 2008 or Windows Server 2008 R2 Windows Server 2008 Foundation or Windows Server 2008 R2 Foundation Windows Server 2012 Windows Server 2012 Foundation

It is not supported to change the domain membership or computer name of a Configuration Manager site system after it is installed. Site system roles are not supported on an instance of a Windows Server cluster. The only exception to this is the site database server.

The following sections list the hardware requirements and operating system requirements for System Center 2012 Configuration Manager sites, typical site system roles, and function-specific site system roles. Prerequisites for Site System Roles The following table identifies prerequisites that are required by Configuration Manager for each site system role on supported operating systems other than Windows Server 2012. For information about prerequisites for site system roles on Windows Server 2012, see Prerequisites for Site System Roles on Windows Server 2012. Important Except where specifically noted, prerequisites apply to all versions of System Center 2012 Configuration Manager.

243

Some prerequisites, such as SQL Server for the site database server, or Windows Server Update Services (WSUS) for the software update point, might require additional prerequisites that are not directly required by the site system role. For site system roles that require Internet Information Services (IIS), use a version of IIS that the computer supports that runs the site system role. For information, see the following sections, Operating System Requirements for Typical Site System Roles and Operating System Requirements for Function-Specific Site System Roles, in this topic.
Site system role .NET Framewor k version
1

Windows Communi cation n (WCF) activation

2

Role services for the web server (IIS)

Additional prerequisites

Foundatio role

Site server

Requires both of the following: 3.5 SP1 4.0

Not applicabl e

Not applicable

Windows feature: Remote Differential Compression By default, a secondary site installs a management point and a distribution point. Therefore secondary sites must meet the prerequisites for these site system roles.

Database server

Not applicable

Not applicabl e

Not applicable

A version of SQL Server that Configuration Manager supports must be installed on this computer. During installation of the Configuration Manager site, the remote registry service must be enabled on the computer that hosts the site database. When you install SQL Server Express as part of a secondary site installation, the secondary site server computer must meet the requirements for SQL Server Express.

SMS Provider Server Applicatio n Catalog web service

Not applicable

Not applicabl e Requires the following options

Not applicable

Not applicable

Requires both of the following:

Requires the default IIS configuration with the

Not applicable

244

Site system role

.NET Framewor k version

1

Windows Communi cation n (WCF) activation

2

Role services for the web server (IIS)

Additional prerequisites

Foundatio role

point

3.5 SP1 4.0

for WCF activation : H TTP Activ ation NonHTT P Activ ation

following additions: Appli cation Develop ment: ASP. NET (and auto mati cally selec ted optio ns) IIS 6 Manage ment Compati bility: IIS 6 Meta base Com patib ility Not applicable

Applicatio n Catalog website point

Requires the following: 4.0

Not applicabl e

Requires the default IIS configuration with the following additions:

245

Site system role

.NET Framewor k version

1

Windows Communi cation n (WCF) activation

2

Role services for the web server (IIS)

Additional prerequisites

Foundatio role

Common HTTP Features : Stati c Cont ent Defa ult Docu ment

Appli cation Develop ment: ASP. NET (and auto mati cally selec ted optio 3 ns) Security: Wind
246

Site system role

.NET Framewor k version

1

Windows Communi cation n (WCF) activation

2

Role services for the web server (IIS)

Additional prerequisites

Foundatio role

ows Auth entic ation IIS 6 Manage ment Compati bility: IIS 6 Meta base Com patib ility Not applicable

Asset Intelligenc e synchroni zation point Distributio 4 n point

Requires the following: 4.0

Not applicabl e

Not applicable

Not applicable

Not applicabl e

You can use the default IIS configuration , or a custom configuration . To use a custom IIS configuration , you must enable the following options for

Windows feature: Remote Differential Compression To support PXE or multicast, install and configure the following Windows role: Windows Deployment Services (WDS) Note For Windows Server 2008, Windows Server 2008 R2, WDS is installed and configured automatically when you configure a distribution point to support PXE or Multicast. For Windows Server 2003, you must
247

Site system role

.NET Framewor k version

1

Windows Communi cation n (WCF) activation

2

Role services for the web server (IIS)

Additional prerequisites

Foundatio role

IIS: Appli cation Develop ment: I SAPI Exte nsio ns Security: Wind ows Auth entic ation IIS 6 Manage ment Compati bility: IIS 6 Meta base Com patib ility IIS 6 WMI Com patib ility

install and configure WDS manually. For Configuration Manager with no service pack, to support PXE on a distribution point that is on a computer remote from the site server, you should install the following: Microsoft Visual C++ 2008 Redistributable. Note You can run the Microsoft Visual C++ 2008 Redistributable Setup from the Configuration Manager installation at: <ConfigMgrInstallationFolder>\Cl ient\x64\vcredist_x64.exe For Configuration Manager SP1, vcredist_x64.exe is installed automatically when you configure a distribution point to support PXE. With Configuration Manager SP1, you can use a cloud service in Windows Azure to host a distribution point. For more information, see the section Planning for Distribution Points for Windows Azure in the Planning for Content Management in Configuration Manager topic.

248

Site system role

.NET Framewor k version

1

Windows Communi cation n (WCF) activation

2

Role services for the web server (IIS)

Additional prerequisites

Foundatio role

When you use a custom IIS configuration , you can remove options that are not required, such as the following: Common HTTP Features : HTT P Redi recti on IIS Manage ment Scripts and Tools Not applicable

Endpoint Requires Protection the point following: 3.5 SP1

Not applicabl e

Not applicable

Enrollmen Requires t point the

Requires the

Requires the default IIS

Not applicable

249

Site system role

.NET Framewor k version

1

Windows Communi cation n (WCF) activation

2

Role services for the web server (IIS)

Additional prerequisites

Foundatio role

following: 3.5 SP1 for Confi gurati on Mana ger with no servic e pack 4.0 for Confi gurati on Mana ger with SP1

following options for WCF activation : H TTP Activ ation NonHTT P Activ ation

configuration with the following additions: Appli cation Develop ment: ASP. NET (and auto mati cally selec ted optio 3 ns)

Enrollmen Requires t proxy the point following: 3.5 SP1 for Confi gurati on Mana ger with no servic

Requires the following options for WCF activation : H TTP Activ ation Non-

Requires the default IIS configuration with the following additions: Appli cation Develop ment:

Not applicable

250

Site system role

.NET Framewor k version

1

Windows Communi cation n (WCF) activation

2

Role services for the web server (IIS)

Additional prerequisites

Foundatio role

e pack 4.0 for Confi gurati on Mana ger with SP1

HTT P Activ ation

ASP. NET (and auto mati cally selec ted optio 3 ns)

Fallback status point

Not applicable

Not applicabl e

Requires the default IIS configuration with the following additions: IIS 6 Manage ment Compati bility: IIS 6 Meta base Com patib ility

Not applicable

Managem ent point

Configurat Not ion applicabl Manager e with no service pack:

You can use the default IIS configuration , or a custom configuration 5 .

Windows feature: BITS Server Extensions (and automatically selected options), or Background Intelligent Transfer Services (BITS) (and automatically selected options)

251

Site system role

.NET Framewor k version

1

Windows Communi cation n (WCF) activation

2

Role services for the web server (IIS)

Additional prerequisites

Foundatio role

M anage ment points that suppo rt mobil e devic es requir e the .NET Fram ework 3.5 5 SP1 Configurat ion Manager with SP1: All mana geme nt points requir e the .NET Fram ework 4

To use a custom IIS configuration , you must enable the following options for IIS: Appli cation Develop ment: I SAPI Exte nsio ns Security: Wind ows Auth entic ation IIS 6 Manage ment Compati bility: IIS 6 Meta base Com
252

Site system role

.NET Framewor k version

1

Windows Communi cation n (WCF) activation

2

Role services for the web server (IIS)

Additional prerequisites

Foundatio role

patib ility IIS 6 WMI Com patib ility

When you use a custom IIS configuration you can remove options that are not required, such as the following: Common HTTP Features : HTT P Redi recti on IIS Manage ment Scripts and Tools Not applicable
253

Out of

Requires

Requires

Not

Site system role

.NET Framewor k version

1

Windows Communi cation n (WCF) activation

2

Role services for the web server (IIS)

Additional prerequisites

Foundatio role

band service point

the following: 4.0

the following options for WCF activation : H TTP Activ ation NonHTT P Activ ation

applicable

Reporting services point

Requires the following: 4.0

Not applicabl e

Not applicable

SQL Server Reporting Services installed and configured to use at least one instance for the reporting services point. The instance you use for SQL Server Reporting Services can be the same instance you use for the site database. Additionally, the instance you use can be shared with other System Center products as long as the other System Center products do not have restrictions for sharing the instance of SQL Server. Windows Server Update Services (WSUS) 3.0 SP2 must be installed on this computer.

Software update point

Requires both of the following: 3.5 SP1 4.0

Not applicabl e

Requires the default IIS configuration

State

Not

Not

Requires the

Not applicable
254

Site system role

.NET Framewor k version

1

Windows Communi cation n (WCF) activation

2

Role services for the web server (IIS)

Additional prerequisites

Foundatio role

migration point System Health Validator point Windows Intune connector

applicable

applicabl e Not applicabl e

default IIS configuration Not applicable This site system role is supported only on a NAP health policy server.

Not applicable

Requires the following: 4.0

Not applicabl e

Not applicable

Not applicable

Install the full version of the Microsoft.NET Framework before you install the site system roles. For example, see the Microsoft .NET Framework 4 (Stand-Alone Installer). Important The Microsoft .NET Framework 4 Client Profile is insufficient for this requirement.
2

You can configure WCF activation as part of the .NET Framework Windows feature on the site system server. For example, on Windows Server 2008 R2, run the Add Features Wizard to install additional features on the server. On the Select Features page, expand NET Framework 3.5.1 Features, then expand WCF Activation, and then select the check box for both HTTP Activation and Non-HTTP Activation to enable these options.
3

In some scenarios, such as when IIS is installed or reconfigured after the .NET Framework version 4.0 is installed, you must explicitly enable ASP.NET version 4.0. For example, on a 64-bit computer that runs the .NET Framework version 4.0.30319, run the following command: %windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe i enable
4

You must manually install IIS on computers that run a supported version of Windows Server 2003. Additionally, to install IIS and configure the additional Windows features, the computer might require access to the Windows Server 2003 source media.
5

Each management point that you enable to support mobile devices requires the additional IIS configuration for ASP.NET (and its automatically selected options). With this requirement, review note 3 for applicability to your installation. Prerequisites for Site System Roles on Windows Server 2012 For System Center 2012 SP1 only:
255

The following table identifies prerequisites that are required by Configuration Manager site system roles you install on Windows Server 2012. For information about prerequisites for site system roles on supported operating systems prior to Windows Server 2012, see Prerequisites for Site System Roles. Some prerequisites, such as SQL Server for the site database server, or Windows Server Update Services (WSUS) for the software update point, might require additional prerequisites that are not directly required by the site system role. For site system roles that require Internet Information Services (IIS), use a version of IIS that the computer supports that runs the site system role. For information, see the following sections, Operating System Requirements for Typical Site System Roles and Operating System Requirements for Function-Specific Site System Roles, in this topic.
Site system role Windows Server Roles and Features Additional prerequisites

Site server

Features: .NET Framework 3.5 .NET Framework 4 Remote Differential Compression

By default, a secondary site installs a management point and a distribution point. Therefore secondary sites must meet the prerequisites for these site system roles. A version of SQL Server that Configuration Manager supports must be installed on this computer. During installation of the Configuration Manager site, the remote registry service must be enabled on the computer that hosts the site database. When you install SQL Server Express as part of a secondary site installation, the secondary site server computer must meet the requirements for SQL Server Express.

Database server

Not applicable

SMS Provider Server Application Catalog web service point

Not applicable Features: .NET Framework 3.5 HTTP Activation (and automatically selected options)

Not applicable Not applicable

256

Site system role

Windows Server Roles and Features

Additional prerequisites

.NET Framework 4.5 ASP.NET 4.5

IIS Configuration: Common HTTP Features: Default Document IIS 6 Management Compatibility: IIS 6 Metabase Compatibility ASP.NET 3.5 (and automatically selected options) .NET Extensibility 3.5 Not applicable

Application Development:

Application Catalog website point

Features: .NET Framework 3.5 .NET Framework 4.5 ASP.NET 4.5

IIS Configuration: Common HTTP Features: Default Document Static Content ASP.NET 3.5 (and automatically selected options) ASP.NET 4.5 (and automatically selected options) .NET Extensibility 3.5 .NET Extensibility 4.5 Windows Authentication

Application Development:

Security:

IIS 6 Management Compatibility: IIS 6 Metabase

257

Site system role

Windows Server Roles and Features

Additional prerequisites

Compatibility Asset Intelligence synchronization point Distribution point Features: .NET Framework 4 To support PXE or multicast, install and configure the following Windows role: Windows Deployment Services (WDS) Note WDS installs and configures automatically when you configure a distribution point to support PXE or Multicast on Windows Server 2012. For Configuration Manager with SP1, to support PXE on a distribution point that is on a computer remote from the site server, install the following: Microsoft Visual C++ 2008 Redistributable. Note For Windows Server 2012, the vcredist_x64.exe is installed automatically when you configure a distribution point to support PXE. PowerShell 3.0 is required on Windows Server 2012 before you install the distribution point. Not applicable

Features: Remote Differential Compression Application Development: ISAPI Extensions Windows Authentication Security:

IIS Configuration:

IIS 6 Management Compatibility: IIS 6 Metabase Compatibility IIS 6 WMI Compatibility

With Configuration Manager SP1, you can use a cloud service in Windows Azure to host a distribution point. For more
258

Site system role

Windows Server Roles and Features

Additional prerequisites

information, see the section Planning for Distribution Points for Windows Azure in the Planning for Content Management in Configuration Manager topic. Endpoint Protection point Features: Enrollment point .NET Framework 3.5 SP1 Not applicable Not applicable

Features: .NET Framework 3.5 HTTP Activation ASP.NET 4.5 Default Document ASP.NET 3.5 .NET Extensibility 3.5 .NET Framework 4.5 Common HTTP Features: Application Development:

IIS 6 Management Compatibility: IIS 6 Metabase Compatibility Not applicable

Enrollment proxy point

Features: .NET Framework 3.5 .NET Framework 4.5 ASP.NET 4.5

IIS Configuration: Common HTTP Features: Default Document Static Content ASP.NET 3.5 (and automatically selected options) ASP.NET 4.5 (and automatically selected options)
259

Application Development:

Site system role

Windows Server Roles and Features

Additional prerequisites

.NET Extensibility 3.5 .NET Extensibility 4.5 Windows Authentication

Security:

IIS 6 Management Compatibility: IIS 6 Metabase Compatibility Not applicable

Fallback status point

Requires the default IIS configuration with the following additions: IIS Configuration: IIS 6 Management Compatibility: IIS 6 Metabase Compatibility

Management point

Features: .NET Framework 4 BITS Server Extensions (and automatically selected options), or Background Intelligent Transfer Services (BITS) (and automatically selected options) Application Development: ISAPI Extensions Windows Authentication Security:

Not applicable

IIS Configuration:

IIS 6 Management Compatibility: IIS 6 Metabase Compatibility IIS 6 WMI Compatibility

260

Site system role

Windows Server Roles and Features

Additional prerequisites

Out of band service point

Features: .NET Framework 4 HTTP Activation Non-HTTP Activation

Not applicable

Reporting services point

Features: .NET Framework 4

SQL Server Reporting Services installed and configured to use at least one instance for the reporting services point. The instance you use for SQL Server Reporting Services can be the same instance you use for the site database. Additionally, the instance you use can be shared with other System Center products as long as the other System Center products do not have restrictions for sharing the instance of SQL Server. Windows server role: Windows Server Update Services

Software update point

Features: .NET Framework 3.5 SP1 .NET Framework 4

Requires the default IIS configuration State migration point Requires the default IIS configuration Not applicable Not applicable

System Health Validator point Windows Intune connector

This site system role is supported only on a NAP health policy server. Not applicable

Features: .NET Framework 4

Minimum Hardware Requirements for Site Systems This section identifies the minimum required hardware requirements for Configuration Manager site systems. These requirements are sufficient to support all features of Configuration Manager in an environment with up to 100 clients. This information is suitable for testing environments. For guidance about the recommended hardware for Configuration Manager in full-scale production environments, see Planning for Hardware Configurations for Configuration Manager.

261

The following minimum requirements apply to all site types (central administration site, primary site, secondary site) when you install all available site system roles on the site server computer.
Hardware component Requirement

Processor

Minimum: AMD Opteron, AMD Athlon 64, Intel Xeon with Intel EM64T support, Intel Pentium IV with EM64T support Minimum: 1.4 GHz Minimum: 2 GB Available: 10 GB Total: 50 GB

RAM Free disk space

Operating System Requirements for Site Servers, Database Servers, and the SMS Provider The following table specifies the operating systems that can support System Center 2012 Configuration Manager site servers, the database server, and the SMS Provider site system role. The table also specifies the Configuration Manager versions that support each operating system.
Operating system System architectu re Central administrati on site Primary site Secondary site
1

Site database server

1, 2

SMS Provider

Windows Server 2008 Standard Edition (SP2) Enter prise Edition (SP2) Datac enter Edition (SP2) Windows Server 2008 R2 Standard Edition

x64

Configuratio Configurati n on Manage Manag r with no er with service no pack service pack Configuratio n Manage r with SP1 Configurati on Manag er with SP1

Configurati on Manag er with no service pack Configurati on Manag er with SP1

Configurati on Manag er with no service pack Configurati on Manag er with SP1

Configurati on Manag er with no service pack Configurati on Manag er with SP1

x64

Configuratio Configurati n on Manage Manag r with no er with service no

Configurati on Manag er with no

Configurati on Manag er with no

Configurati on Manag er with no

262

Operating system

System architectu re

Central administrati on site

Primary site

Secondary site
1

Site database server

1, 2

SMS Provider

with no service pack, or with SP1) Enter prise Edition (with no service pack, or with SP1) Datac enter Edition (with no service pack, or with SP1) Windows Server 2012 Datac enter
1

pack Configuratio n Manage r with SP1

service pack Configurati on Manag er with SP1

service pack Configurati on Manag er with SP1

service pack Configurati on Manag er with SP1

service pack Configurati on Manag er with SP1

x64

Standard

Configuratio n Manage r with SP1

Configurati on Manag er with SP1

Configurati on Manag er with SP1

Configurati on Manag er with SP1

Configurati on Manag er with SP1

Site database servers are not supported on a read-only domain controller (RODC). For more information, see You may encounter problems when installing SQL Server on a domain controller in the Microsoft Knowledge Base. Additionally, secondary site servers are not supported on any domain controller. 2 For more information about the versions of SQL Server that Configuration Manager supports, see Configurations for the SQL Server Site Database in this topic. Operating System Requirements for Typical Site System Roles The following table specifies the operating systems that can support multi-function site system roles, and the Configuration Manager versions that support each operating system.

263

Operating system

System e

Distribution
3

Enrollment point and enrollment proxy point

Fallback status point

Managemen t point

Windows Intune connector

architectur point

Windows Vist a Business Edition (SP1) Enterprise Edition (SP1) Ultimate Edition (with no service pack, or with SP1)

x64

Configuratio Not n supported Manag er with no service 1, 2 pack Configuratio n Manag er with 1, 2 SP1

Not supported

Not supported

Not supported

Windows 7 Profe ssional (with no service pack, or with SP1) Enterprise Editions (with no service pack, or with SP1) Ultimate Editions (with no service pack, or with SP1)

x86, x64

Configuratio Not n supported Manag er with no service 1, 2 pack Configuratio n Manag er with 1, 2 SP1

Not supported

Not supported

Not supported

Windows 8 Pro Enterprise

x86, x64

Configuratio Not n supported Manag er with

Not supported

Not supported

Not supported

264

Operating system

System e

Distribution
3

Enrollment point and enrollment proxy point

Fallback status point

Managemen t point

Windows Intune connector

architectur point

SP1 Windows Server 2003 R2 Standard Edition Enterprise Edition x86, x64

1, 2

Configuratio Not n supported Manag er with no service 2 4 pack , Configuratio n Manag er with 2 4 SP1 ,

Not supported

Not supported

Not supported

Windows Server 2003 Standard Edition (SP2) Enterprise Edition (SP2) Datacenter Edition (SP2)

x86, x64

Configuratio Not n supported Manag er with no service 2 4 pack , Configuratio n Manag er with 2 4 SP1 ,

Not supported

Not supported

Not supported

Windows Server 2003 Web Edition (SP2) Storage Server Edition (SP2)

x86

Configuratio Not n supported Manag er with no service 2 4 pack , Configuratio n

Not supported

Not supported

Not supported

265

Operating system

System e

Distribution
3

Enrollment point and enrollment proxy point

Fallback status point

Managemen t point

Windows Intune connector

architectur point

Manag er with 2 4 SP1 ,

Windows Server 2008 Standard Edition (SP2) Enterprise Edition (SP2) Datac enter Edition (SP2) Windows Server 2008 R2 Standard Edition (with no service pack, or with SP1) Enterprise Edition (with no service pack, or with SP1) Datac enter Edition (SP1)

x86, x64

Configuratio Configuratio Configuratio Configuratio Configuratio n n n n n Manag Manag Manag Manag Manag er with er with er with er with er with no no no no SP1 service service service service 2 4 pack , pack pack pack Configuratio Configuratio Configuratio Configuratio n n n n Manag Manag Manag Manag er with er with er with er with 2 4 SP1 , SP1 SP1 SP1

x64

Configuratio Configuratio Configuratio Configuratio Configuratio n n n n n Manag Manag Manag Manag Manag er with er with er with er with er with no no no no SP1 service service service service pack pack pack pack Configuratio Configuratio Configuratio Configuratio n n n n Manag Manag Manag Manag er with er with er with er with SP1 SP1 SP1 SP1

266

Operating system

System e

Distribution
3

Enrollment point and enrollment proxy point

Fallback status point

Managemen t point

Windows Intune connector

architectur point

Windows Storage Server 2008 R2 Work group Standard Enterprise

x64

Configuratio Not n supported Manag er with no service 2 pack Configuratio n Manag er with 2 SP1

Not supported

Not supported

Not supported

Windows Server 2012 Datac enter

1 2 3

x64

Standard

Configuratio Configuratio Configuratio Configuratio Configuratio n n n n n Manag Manag Manag Manag Manag er with er with er with er with er with SP1 SP1 SP1 SP1 SP1

Distribution points on this operating system are not supported for PXE. Distribution points on this operating system version do not support Multicast.

Unlike other site system roles, distribution points are supported on some 32-bit operating systems. Distribution points also support several different configurations that each have different requirements and in some cases support installation not only on servers, but on client operating systems. For more information about the options available for distribution points, see Prerequisites for Content Management in Configuration Manager in the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide.
4

Distribution points on this operating system version are supported for PXE, but they do not support network booting of client computers in EFI mode. Client computers with BIOS or with EFI booting in legacy mode are supported. Operating System Requirements for Function-Specific Site System Roles The following table specifies the operating systems that are supported for use with each featurespecific Configuration Manager site system role, and the Configuration Manager versions that support each operating system.

267

Operatin g system

Syste m archite cture

Applica tion Catalog web service point and Applica tion Catalog website point

Asset Intelligen ce synchro nization point

Endpoi nt Protecti on point

Out of band service point

Reporti ng service s point

Softwar e update point

State migrati on point

System Health Validat or point

Windows x64 Server 2 008 Stan dard Editi on (SP2 ) Ente rpris e Editi on (SP2 ) Data cent er Editi on (SP2 ) Windows x64 Server 2

Configu Configur Configu Configu Configu Configu Configu Configu rati ation rati rati rati rati rati rati on Man on on on on on on Ma ager Ma Ma Ma Ma Ma Ma nag with nag nag nag nag nag nag er no er er er er er er wit servi wit wit wit wit wit wit h ce h h h h h h no pack no no no no no no ser Configur ser ser ser ser ser ser vic vic vic vic vic vic vic ation e e e e e e e Man pac pac pac pac pac pac pac ager k k k k k k k with Configu SP1 Configu Configu Configu Configu Configu Configu rati rati rati rati rati rati rati on on on on on on on Ma Ma Ma Ma Ma Ma Ma nag nag nag nag nag nag nag er er er er er er er wit wit wit wit wit wit wit h h h h h h h SP SP SP SP SP SP SP 1 1 1 1 1 1 1

Configu Configur Configu Configu Configu Configu Configu Configu rati ation rati rati rati rati rati rati
268

Operatin g system

Syste m archite cture

Applica tion Catalog web service point and Applica tion Catalog website point

Asset Intelligen ce synchro nization point

Endpoi nt Protecti on point

Out of band service point

Reporti ng service s point

Softwar e update point

State migrati on point

System Health Validat or point

008 R2 Stan dard Editi on (with no servi ce pack , or with SP1) Ente rpris e Editi on (with no servi ce pack , or with SP1)

on Man on on on on on on Ma ager Ma Ma Ma Ma Ma Ma nag with nag nag nag nag nag nag er no er er er er er er wit servi wit wit wit wit wit wit h ce h h h h h h no pack no no no no no no ser Configur ser ser ser ser ser ser vic vic vic vic vic vic vic ation e e e e e e e Man pac pac pac pac pac pac pac ager k k k k k k k with Configu SP1 Configu Configu Configu Configu Configu Configu rati rati rati rati rati rati rati on on on on on on on Ma Ma Ma Ma Ma Ma Ma nag nag nag nag nag nag nag er er er er er er er wit wit wit wit wit wit wit h h h h h h h SP SP SP SP SP SP SP 1 1 1 1 1 1 1

269

Operatin g system

Syste m archite cture

Applica tion Catalog web service point and Applica tion Catalog website point

Asset Intelligen ce synchro nization point

Endpoi nt Protecti on point

Out of band service point

Reporti ng service s point

Softwar e update point

State migrati on point

System Health Validat or point

Data cent er Editi on (SP1 ) Windows x64 Server 2 012 Stan dard Data cent er Configu Configur Configu Configu Configu Configu Configu Configu rati ation rati rati rati rati rati rati on Man on on on on on on Ma ager Ma Ma Ma Ma Ma Ma nag with nag nag nag nag nag nag er SP1 er er er er er er wit wit wit wit wit wit wit h h h h h h h SP SP SP SP SP SP SP 1 1 1 12 1 1 1

Computer Client Requirements The following sections describe the operating systems and hardware supported for System Center 2012 Configuration Manager computer client installation on Windows-based computers. Make sure that you also review Prerequisites for Windows Client Deployment in Configuration Manager for a list of dependencies for the installation of the Configuration Manager client on computers and mobile devices. Computer Client Hardware Requirements The following are minimum requirements for Windows-based computers that you manage with Configuration Manager.
270

Requirement

Details

Processor and memory

Refer to the processor and RAM requirements for the computers operating system. Note An exception to this is Windows XP and Windows 2003, which both require a minimum of 256 MB of RAM.

Disk space

500 MB available disk space, with 5 GB recommended for the Configuration Manager client cache. Less disk space is required if you use customized settings to install the Configuration Manager client: Use the CCMSetup command-line property /skippprereq to avoid installing files that the client does not require. For example, CCMSetup.exe /skipprereq:silverlight.exe if the client will not use the Application Catalog. Use the Client.msi property SMSCACHESIZE to set a cache file that is smaller than the default of 5120 MB. The minimum size is 1 MB. For example, CCMSetup.exe SMSCACHESIZE=2.

For more information about these client installation settings, see About Client Installation Properties in Configuration Manager. Tip Installing the client with minimal disk space is useful for Windows Embedded devices that typically have smaller disk sizes than standard Windows computers. The following are additional hardware requirements for optional functionality in Configuration Manager.

271

Function

Minimum hardware requirements

Operating system deployment Software Center

384 MB of RAM 500 MHz processor

Remote Control

Pentium 4 Hyper-Threaded 3 GHz (single core) or comparable CPU, with at least a 1 GB RAM for optimal experience. Desktop or portable computers must have the Intel vPro Technology or Intel Centrino Pro and a supported version of Intel AMT.

Out of Band Management

Operating System Requirements for Configuration Manager Client Installation The following table specifies the operating systems that are supported for Configuration Manager client installation, and the versions of Configuration Manager that support each operating system. For server platforms, client support is independent of any other service that runs on that server unless noted otherwise. For example, the client is supported on domain controllers and servers that run cluster services or terminal services.
Operating system System architecture System Center 2012 Configuration Manager version

Windows XP Professional (SP3)

x86

Configuration Manager with no service pack Configuration Manager with SP1

Windows XP Professional for 64-bit Systems (SP2)

x64

Configuration Manager with no service pack Configuration Manager with SP1

Windows XP Tablet PC (SP3)

x86

Configuration Manager with no service pack Configuration Manager with SP1

Windows Vista Business Edition (SP2) Enterprise Edition (SP2) Ultimate Edition (SP2)

x86, x64

Configuration Manager with no service pack Configuration Manager with SP1

Windows 7 Professional (with no service pack, or with SP1)

x86, x64

Configuration Manager with no service pack Configuration Manager with SP1

272

Operating system

System architecture

System Center 2012 Configuration Manager version

Enterprise Editions (with no service pack, or with SP1) Ultimate Editions (with no service pack, or with SP1) x86, x64 Configuration Manager with SP1

Windows 8 Pro Enterprise

Windows Server 2003 Web Edition (SP2)

x86

Configuration Manager with no service pack Configuration Manager with SP1

Windows Server 2003 Standard Edition (SP2) Enterprise Edition (SP2) Datacenter Edition (SP2)
1

x86, x64

Configuration Manager with no service pack Configuration Manager with SP1

Windows Server 2003 R2 SP2 Standard Edition Enterprise Edition Datacenter Edition
1

x86, x64

Configuration Manager with no service pack Configuration Manager with SP1

Windows Storage Server 2003 R2 SP2

x86, x64

Configuration Manager with no service pack Configuration Manager with SP1

Windows Server 2008 Standard Edition (SP2) Enterprise Edition (SP2) Datacenter Edition (SP2)
1

x86, x64

Configuration Manager with no service pack Configuration Manager with SP1

The Server Core installation of Windows Server 2008 (SP2)

x86, x64

Configuration Manager with no service pack Configuration Manager with SP1

Windows Storage Server 2008 R2 Workgroup Standard Enterprise

x64

Configuration Manager with no service pack Configuration Manager with SP1

273

Operating system

System architecture

System Center 2012 Configuration Manager version

Windows Server 2008 R2 Standard Edition (with no service pack, or with SP1) Enterprise Edition (with no service pack, or with SP1) Datacenter Edition (with no 1 service pack, or with SP1)

x64

Configuration Manager with no service pack Configuration Manager with SP1

The Server Core installation of Windows Server 2008 R2 (with no service pack, or with SP1) Windows Server 2012
1

x64

Configuration Manager with no service pack Configuration Manager with SP1

x64

Configuration Manager with SP1

Standard Datacenter
1

Datacenter releases are supported but not certified for System Center 2012 Configuration Manager. Hotfix support is not offered for issues specific to Windows Server Datacenter Edition. Embedded Operating System Requirements for Configuration Manager Clients System Center 2012 Configuration Manager and System Center 2012 Endpoint Protection support clients for integration with Windows Embedded. Support limitations for Windows Embedded: All client features are supported natively on supported Windows Embedded systems that do not have write filters enabled. Configuration Manager SP1 clients that use Enhanced Write Filters (EWF) RAM or File Based Write Filters (FBWF) are natively supported for all features except power management. For Configuration Manager with no service pack, Windows Embedded systems that have write filters enabled must use task sequences to deploy to embedded devices, and the task sequences must include steps to disable and then restore the write filters. The Application Catalog is not supported for any Windows Embedded device. Windows Embedded operating systems based on Windows XP are only supported for Endpoint Protection in Configuration Manager SP1. Before you can monitor detected malware on Windows Embedded devices based on Windows XP, you must install the Microsoft Windows WMI scripting package on the embedded device. Use Windows Embedded Target Designer to install this package. The files WBEMDISP.DLL and WBEMDISP.TLB must exist and be registered in the folder %windir%\System32\WBEM on the embedded device to ensure that detected malware is reported. Note
274

In Configuration Manager SP1, new options are added to control the behavior of Windows Embedded write filters when you install the Endpoint Protection client. For more information, see Introduction to Endpoint Protection in Configuration Manager. The following table specifies the Windows Embedded versions that are supported with Configuration Manager and Endpoint Protection, and the versions of Configuration Manager and Endpoint Protection that support each Windows Embedded version.
Windows Embedded operating system Base operating system System architectur e System Center 2012 Configuration Manag er version System Center 2012 Endpoint Protection version

Windows Embedded Standard 2009

Windows X P SP3

x86

Configuration Manager with no service pack Configuration Manager with SP1

Endpoint Prot ection with SP1

Windows XP Embedded SP3

Windows X P SP3

x86

Configuration Manager with no service pack Configuration Manager with SP1

Endpoint Prot ection with SP1

Windows Fundamental Windows X s for Legacy PCs P SP3 (WinFLP)

x86

Configuration Manager with no service pack Configuration Manager with SP1

Endpoint Prot ection with SP1

Windows Embedded POSReady 2009

Windows X P SP3

x86

Configuration Manager with no service pack Configuration Manager with SP1

Endpoint Prot ection with SP1

WEPOS 1.1 with SP3

Windows X P SP3

x86

Configuration Manager with no service pack Configuration Manager with

Endpoint Prot ection with SP1

275

Windows Embedded operating system

Base operating system

System architectur e

System Center 2012 Configuration Manag er version

System Center 2012 Endpoint Protection version

SP1 Windows Embedded Standard 7 with SP1 Windows 7 x86, x64 Configuration Manager with no service pack Configuration Manager with SP1 Windows Embedded POSReady 7 Windows 7 x86, x64 Configuration Manager with no service pack Configuration Manager with SP1 Windows Thin PC Windows 7 x86, x64 Configuration Manager with no service pack Configuration Manager with SP1 Endpoint Prot ection with no service pack Endpoint Prot ection with SP1 Endpoint Prot ection with no service pack Endpoint Prot ection with SP1 Endpoint Prot ection with no service pack Endpoint Prot ection with SP1

Client Requirements for Mac Computers Note For Configuration Manager SP1 only: The client for Mac is supported only on Mac computers that use an Intel 64-bit chipset. The following operating systems are supported for the Configuration Manager client for Mac computers: Mac OS X 10.6 (Snow Leopard) Mac OS X 10.7 (Lion)

For more information about computers that run Mac OS X, see How to Install Clients on Mac Computers in Configuration Manager. Client Requirements for Linux and UNIX Servers Note For Configuration Manager SP1 only:
276

Use the information in the following sections to identify requirements to support the Configuration Manager client for Linux and UNIX. For more information about computers that run Linux or UNIX, see the Deploying the Configuration Manager Client to Linux and UNIX Servers section in the Introduction to Client Deployment in Configuration Manager topic. Supported Distributions of Linux and UNIX The following table identifies the operating systems that are supported for the Configuration Manager client for Linux and UNIX:
Operating System Version

Red Hat Enterprise Linux (RHEL)

Version 4 (x86 and x64) Version 5 (x86 and x64) Version 6 (x86 and x64) Version 9 (SPARC) Version 10 (x86 and SPARC) Version 9 (x86) Version 10 SP1 (x86 and x64) Version 11 (x86 and x64)

Solaris

SUSE Linux Enterprise Server (SLES)

Hardware and Disk Space Requirements The following are minimum hardware requirements for computers that you manage with the Configuration Manager client for Linux and UNIX.
Requirement Details

Processor and memory

Refer to the processor and RAM requirements for the computers operating system. 500 MB available disk space, with 5 GB recommended for the Configuration Manager client cache. Configuration Manager client computers must have network connectivity to Configuration Manager site systems to enable management.

Disk space

Network connectivity

Mobile Device Requirements The following sections describe the hardware and operating systems that are supported for managing mobile devices in System Center 2012 Configuration Manager. Note
277

The following mobile device clients are not supported in the Configuration Manager hierarchy: Device management clients from System Management Server 2003 and Configuration Manager 2007 Windows CE Platform Builder device management client (any version) System Center Mobile Device Manager VPN connection

Mobile Devices Enrolled by Configuration Manager The following sections describe the hardware and operating systems that are supported for the mobile devices enrolled by System Center 2012 Configuration Manager. Enrolled Mobile Device Client Language and Operating System Requirements The following table lists the platforms and languages that support Configuration Manager enrollment and the versions of Configuration Manager that support each platform.
Operating system System Center 2012 Configuration Manager version Supported languages

Windows Mobile 6.1

Configuration Manager with no service pack Configuration Manager with SP1

Chinese (Simplified) Chinese (Traditional) English (US) French (France) German Italian Japanese Korean Portuguese (Brazil) Russian Spanish (Spain) Chinese (Simplified) Chinese (Traditional) English (US) French (France) German Italian Japanese Korean Portuguese (Brazil) Russian Spanish (Spain)

Windows Mobile 6.5

Configuration Manager with no service pack Configuration Manager with SP1

278

Operating system

System Center 2012 Configuration Manager version

Supported languages

Nokia Symbian Belle

Configuration Manager with no service pack Configuration Manager with SP1

Arabic Basque (Basque) Bulgarian Catalan Chinese (Hong Kong SAR) Chinese (Simplified) Chinese (Traditional) Croatian Czech Danish Dutch English (UK) English (US) Estonian Farsi Finnish French (Canada) French (France) Galician German Greek Hebrew Hungarian Icelandic Indonesian Italian Kazakh Korean Latvian Lithuanian Malay Norwegian Polish Portuguese (Brazil)

279

Operating system

System Center 2012 Configuration Manager version

Supported languages

Mobile Devices Enrolled by Windows Intune

Portuguese (Portugal) Romanian Russian Serbian (Latin/Cyrillic) Slovak Slovenian Spanish (Latin America) Spanish (Spain) Swedish Tagalog (Filipino) Thai Turkish Ukrainian Urdu Vietnamese

For System Center 2012 SP1 only: The following table lists the platforms and languages that are supported for mobile devices that are enrolled by Windows Intune and you use the Windows Intune connector in Configuration Manager. Important You must have a subscription to Windows Intune to manage the following operating systems.
Operating system System Center 2012 Configuration Manager version Company portal supported languages

Windows Phone 8

Configuration Manager with SP1

Chinese (Simplified) Chinese (Traditional) Czech Danish Dutch English (US) Finnish French (France) German

280

Operating system

System Center 2012 Configuration Manager version

Company portal supported languages

Windows RT Configuration Manager with SP1

Greek Hungarian Italian Japanese Korean Norwegian Polish Portuguese (Brazil) Romanian Russian Spanish (Spain) Swedish Turkish Chinese (Simplified) Chinese (Traditional) Czech Danish Dutch English (US) Finnish French (France) German Greek Hungarian Italian Japanese Korean Norwegian Polish Portuguese (Brazil) Romanian Russian Spanish (Spain) Swedish Turkish
281

Operating system

System Center 2012 Configuration Manager version

Company portal supported languages

iOS

Configuration Manager with SP1

Chinese (Simplified) Chinese (Traditional) Czech Danish Dutch English (US) Finnish French (France) German Greek Hungarian Italian Japanese Korean Norwegian Polish Portuguese (Brazil) Romanian Russian Spanish (Spain) Swedish Turkish Chinese (Simplified) Chinese (Traditional) Czech Danish Dutch English (US) Finnish French (France) German Greek Hungarian Italian Japanese
282

Android

Configuration Manager with SP1

Operating system

System Center 2012 Configuration Manager version

Company portal supported languages

Mobile Device Support by Using the Exchange Server Connector

Korean Norwegian Polish Portuguese (Brazil) Romanian Russian Spanish (Spain) Swedish Turkish

System Center 2012 Configuration Manager offers limited management for mobile devices when you use the Exchange Server connector for Exchange Active Sync (EAS) capable devices that connect to a server running Exchange Server or Exchange Online. For more information about which management functions Configuration Manager supports for mobile devices that the Exchange Server connector manages, see Determine How to Manage Mobile Devices in Configuration Manager. The following table lists the platforms that support the Exchange Server connector and which versions of Configuration Manager support each platform.
Version of Exchange Server System Center 2012 Configuration Manager version

Exchange Server 2010 SP1

Configuration Manager with no service pack Configuration Manager with SP1

Exchange Server 2010 SP2

Configuration Manager with SP1

Exchange Server 2013 Exchange Online (Office 365)

1

Configuration Manager with SP1

Configuration Manager with no service pack Configuration Manager with SP1

Includes Business Productivity Online Standard Suite.

Mobile Device Legacy Client

283

The following sections list the hardware and operating systems that are supported for the mobile device legacy client in System Center 2012 Configuration Manager. Mobile Device Legacy Client Hardware Requirements The mobile device client requires 0.78 MB of storage space to install. In addition, logging on the mobile device can require up to 256 KB of storage space. Mobile Device Legacy Client Operating System Requirements System Center 2012 Configuration Manager supports management for Windows Phone, Windows Mobile, and Windows CE when you install the Configuration Manager mobile device legacy client. Features for these mobile devices vary by platform and client type. For more information about which management functions Configuration Manager supports for the mobile device legacy client, see Determine How to Manage Mobile Devices in Configuration Manager. The following table lists the mobile device platforms that are supported with the mobile device legacy client for Configuration Manager, and the versions of Configuration Manager that support each platform.
Operating system System Center 2012 Configuration Manager version Supported languages

Windows CE 5.0 (Arm and x86 processors)

Configuration Manager with no service pack Configuration Manager with SP1

Chinese (Simplified) Chinese (Traditional) English (US) French (France) German Italian Japanese Korean Portuguese (Brazil) Russian Spanish (Spain) Chinese (Simplified) Chinese (Traditional) English (US) French (France) German Italian Japanese Korean Portuguese (Brazil) Russian
284

Windows CE 6.0 (Arm and x86 processors)

Configuration Manager with no service pack Configuration Manager with SP1

Operating system

System Center 2012 Configuration Manager version

Supported languages

Windows CE 7.0 (Arm and x86 processors) Configuration Manager with no service pack Configuration Manager with SP1 Windows Mobile 6.0 Configuration Manager with no service pack Configuration Manager with SP1

Spanish (Spain) Chinese (Simplified) Chinese (Traditional) English (US) French (France) German Italian Japanese Korean Portuguese (Brazil) Russian Spanish (Spain) Chinese (Simplified) Chinese (Traditional) English (US) French (France) German Italian Japanese Korean Portuguese (Brazil) Russian Spanish (Spain)

Configuration Manager Console Requirements The following table lists the operating systems that are supported to run the Configuration Manager console, and the versions of the Configuration Manager console that support each operating system. Each computer that installs the Configuration Manager console requires the Microsoft .NET Framework 4.
Operating system System architecture System Center 2012 Configuration Manager version

Windows XP Professional (SP3)

x86

Configuration Manager with no service pack Configuration Manager with SP1

285

Operating system

System architecture

System Center 2012 Configuration Manager version

Windows Vista Business Edition (SP2) Enterprise Edition (SP2) Ultimate Edition (SP2)

x86, x64

Configuration Manager with no service pack Configuration Manager with SP1

Windows 7 Professional Edition (with no service pack, or with SP1) Enterprise Edition (with no service pack, or with SP1) Ultimate Edition (with no service pack, or with SP1)

x86, x64

Configuration Manager with no service pack Configuration Manager with SP1

Windows 8 Pro Enterprise

x86, x64

Configuration Manager with SP1

Windows Server 2008 Standard Edition (SP2) Enterprise Edition (SP2) Datacenter Edition (SP2)

x86, x64

Configuration Manager with no service pack Configuration Manager with SP1

Windows Server 2008 R2 Standard Edition (with no service pack, or with SP1) Enterprise Edition (with no service pack, or with SP1) Datacenter Edition (with no service pack, or with SP1)

x64

Configuration Manager with no service pack Configuration Manager with SP1

Windows Server 2012 Standard Edition Datacenter Edition

x64

Configuration Manager with SP1

Installing both the System Center 2012 Configuration Manager console and the Configuration Manager 2007 console on the same computer is supported. However, both the console and the site it connects to must both run the same version of Configuration Manager. For example, you cannot use the System Center 2012 Configuration Manager console to manage Configuration
286

Manager 2007 sites. Also, you cannot use a console from System Center 2012 Configuration Manager with SP1 to manage a site that runs System Center 2012 Configuration Manager with no service pack, and vice versa. When a hierarchy contains sites that run System Center 2012 Configuration Manager with no service pack and sites that run System Center 2012 Configuration Manager with SP1, some features that are available in System Center 2012 Configuration Manager with SP1 are not available in the console until all sites in the hierarchy upgrade to SP1. The requirements in the following table apply to each computer that runs Configuration Manager console.
Minimum hardware configuration Screen resolution

1 x Pentium 4 Hyper-Threaded 3 GHz (Intel Pentium 4 HT 630 or comparable CPU) 2 GB of RAM 2 GB of disk space.

DPI setting 96 / 100% 120 /125% 144 / 150% 196 / 200%

Minimum resolution 1024x768 1280x960 1600x1200 2500x1600

For Configuration Manager SP1 only: With Configuration Manager SP1, the Configuration Manager console supports PowerShell. When you install support for PowerShell on a computer that runs the Configuration Manager console, you can run PowerShell cmdlets on that computer to manage Configuration Manager. You can install a supported version of PowerShell before or after the Configuration Manager console installs. The following table lists the minimum required version of PowerShell for each version of Configuration Manager.
PowerShell version System architecture Configuration Manager version

PowerShell 3.0

x86

Configuration Manager SP1

Configurations for the SQL Server Site Database

Each System Center 2012 Configuration Manager site database can be installed on either the default instance or a named instance of a SQL Server installation. The SQL Server instance can be co-located with the site system server, or on a remote computer. When you use a remote SQL Server, the instance of SQL Server used to host the site database can also be configured as a SQL Server failover cluster in a single instance cluster, or a multiple instance configuration. The site database site system role is the only System Center 2012
287

Configuration Manager site system role supported on an instance of a Windows Server cluster. If you use a SQL Server cluster for the site database, you must add the computer account of the site server to the Local Administrators group of each Windows Server cluster node computer. Note SQL Server database mirroring is not supported for the Configuration Manager site database. When you install a secondary site, you can use an existing instance of SQL Server or allow Setup to install and use an instance of SQL Server Express. Whichever option that you choose, SQL Server must be located on the secondary site server. The version of SQL Server Express that Setup installs depends on the version of Configuration Manager that you use: Configuration Manager without a service pack: SQL Server 2008 Express Configuration Manager with SP1: SQL Server 2012 Express

The following table lists the SQL Server versions that are supported by System Center 2012 Configuration Manager.
SQL Server version SQL Server service pack SQL Server cumulative update Configuration Manager version Configuration Manager site type

SQL Server 2008 Standard

1

SP2

Enterprise Datacenter

Minimum of cumulative update 9

Configuration Manager with no service pack Configuration Manager with SP1

Central administration site Primary site Secondary site

SP3

Minimum of cumulative update 4

Configuration Manager with no service pack Configuration Manager with SP1

Central administration site Primary site Secondary site

SQL Server 2008 R2 Standard

1

SP1

Minimum of cumulative update 6

Enterprise Datacenter

Configuration Manager with no service 2 pack Configuration Manager with SP1

Central administration site Primary site Secondary site

288

SQL Server version

SQL Server service pack

SQL Server cumulative update

Configuration Manager version

Configuration Manager site type

SP2

No cumulative update

Configuration Manager with no service 2 pack Configuration Manager with SP1

Central administration site Primary site Secondary site

SQL Server 2012 Standard

1

No service pack

Enterprise

Minimum of cumulative update 2

Configuration Manager with SP1

Central administration site Primary site Secondary site

SQL Server Express 2008 R2

SP1

Minimum of cumulative update 6

Configuration Manager with no service pack Configuration Manager with SP1

Secondary site

SP2

No cumulative update

Configuration Manager with no service pack Configuration Manager with SP1

Secondary site

SQL Server 2012 Express

No service pack

Minimum of cumulative update 2

Configuration Manager with SP1

Secondary site

When you use SQL Server Standard for the database at the central administration site, the hierarchy can only support up to 50,000 clients. For more information, see Site and Site System Role Scalability.
2

Configuration Manager with no service pack does not support the site database on any version of a SQL Server 2008 R2 cluster. This includes any service pack version or cumulative update

289

version of SQL Server 2008 R2. With Configuration Manager SP1, the site database is supported on a SQL Server 2008 R2 cluster. SQL Server Requirements The following are required configurations for each database server with a full SQL Server installation, and on each SQL Server Express installation that you manually configure for secondary sites. You do not have to configure SQL Server Express for a secondary site if SQL Server Express is installed by Configuration Manager.
Configuration More information

Database collation

At each site, both the instance of SQL Server that is used for the site database and the site database must use the following collation: SQL_Latin1_General_CP1_CI_AS. Note Configuration Manager supports two exceptions to this collation to meet standards that are defined in GB18030 for use in China. For more information, see Technical Reference for International Support in Configuration Manager.

SQL Server features

Only the Database Engine Services feature is required for each site server. Note Configuration Manager database replication does not require the SQL Server replication feature.

Windows Authentication

Configuration Manager requires Windows authentication to validate connections to the database. You must use a dedicated instance of SQL Server for each site. When you use a database server that is colocated with the site server, limit the memory for SQL Server to 50 to 80 percent of the available addressable system memory. When you use a dedicated SQL Server, limit the memory for SQL Server to 80 to 90 percent
290

SQL Server instance

SQL Server memory

Configuration

More information

of the available addressable system memory. Configuration Manager requires SQL Server to reserve a minimum of 8 gigabytes (GB) of memory in the buffer pool used by an instance of SQL Server for the central administration site and primary site and a minimum of 4 gigabytes (GB) for the secondary site. This memory is reserved by using the Minimum server memory setting under Server Memory Options and is configured by using SQL Server Management Studio. For more information about how to set a fixed amount of memory, see How to: Set a Fixed Amount of Memory (SQL Server Management Studio). Optional SQL Server Configurations The following configurations either support multiple choices or are optional on each database server with a full SQL Server installation.
Configuration More information

SQL Server service

On each database server, you can configure the SQL Server service to run by using a domain local account or the local system account of the computer that is running SQL Server. Use a domain user account as a SQL Server best practice. This kind of account can be more secure than the local system account but might require you to manually register the Service Principle Name (SPN) for the account. Use the local system account of the computer that is running SQL Server to simplify the configuration process. When you use the local system account, Configuration Manager automatically registers the SPN for the SQL Server service. Be aware that using the local system account for the SQL Server service is not a SQL Server best practice.

For information about SQL Server best

291

Configuration

More information

practices, see the product documentation for the version of Microsoft SQL Server that you are using. For information about SPN configurations for Configuration Manager, see How to Manage the SPN for SQL Server Site Database Servers. For information about how to change the account that is used by the SQL Service, see How to: Change the Service Startup Account for SQL Server (SQL Server Configuration Manager). SQL Server Reporting Services Required to install a reporting services point that lets you run reports. For communication to the SQL Server database engine, and for intersite replication, you can use the default SQL Server port configurations or specify custom ports: Intersite communications use the SQL Server Service Broker, which by default uses port TCP 4022. Intrasite communication between the SQL Server database engine and various Configuration Manager site system roles by default use port TCP 1433. The following site system roles communicate directly with the SQL Server database: Management point SMS Provider computer Reporting Services point Site server

SQL Server ports

When a SQL Server hosts a database from more than one site, each database must use a separate instance of SQL Server, and each instance must be configured to use a unique set of ports. Warning Configuration Manager does not support dynamic ports. Because SQL Server named instances by default use dynamic ports for
292

Configuration

More information

connections to the database engine, when you use a named instance, you must manually configure the static port that you want to use for intrasite communication. If you have a firewall enabled on the computer that is running SQL Server, make sure that it is configured to allow the ports that are being used by your deployment and at any locations on the network between computers that communicate with the SQL Server. For an example of how to configure SQL Server to use a specific port, see How to: Configure a Server to Listen on a Specific TCP Port (SQL Server Configuration Manager) in the SQL Server TechNet library.

Function-Specific Requirements
The following sections identify function-specific requirements for Configuration Manager. Application Management For devices that run the Windows Mobile operating system, Configuration Manager only supports the Uninstall action for applications on Windows Mobile 6.1.4 or later versions. Operating System Deployment Configuration Manager requires several prerequisites to support deploying operating systems. The following prerequisites are required on the site server of each central administration site or primary site before you can install the site, even when you do not plan to use operating system deployments: For Configuration Manager with no service pack: Automated Installation Kit (Windows AIK) For Configuration Manager with service pack 1: Windows Assessment and Deployment Kit (Windows ADK)

For more information about prerequisites for operating system deployment, see the Prerequisites For Deploying Operating Systems in Configuration Manager topic in the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide. Out of Band Management System Center 2012 Configuration Manager supports out of band management for computers that have the following Intel vPro chip sets and Intel Active Management Technology (Intel AMT) firmware versions:
293

Intel AMT version 3.2 with a minimum revision of 3.2.1 Intel AMT version 4.0, version 4.1, and version 4.2 Intel AMT version 5.0 and version 5.2 with a minimum revision of 5.2.10 Intel AMT version 6.0 and version 6.1 AMT provisioning is not supported on AMT-based computers that are running any version of Windows Server, Windows XP with SP2, or Windows XP Tablet PC Edition. Out of band communication is not supported to an AMT-based computer that is running the Routing and Remote Access service in the client operating system. This service runs when Internet Connection Sharing is enabled, and the service might be enabled by line of business applications. The out of band management console is not supported on workstations running Windows XP on versions earlier than Service Pack 3.

The following limitations apply:

For more information about out of band management in Configuration Manager, see Introduction to Out of Band Management in Configuration Manager. Remote Control Viewer The Configuration Manager remote control viewer is not supported on Windows Server 2003 or Windows Server 2008 operating systems. Software Center and the Application Catalog The minimal screen resolution supported for client computers to run Software Center and the Application Catalog is 1024 by 768. The following web browsers are supported for use with the Software Center and Application Catalog: Internet Explorer 7 Internet Explorer 8 Internet Explorer 9 Internet Explorer 10 Firefox 15 Note The Software Center and Application Catalog do not support web browsers that connect from computers that run Windows Server Core 2008.

Support for Active Directory Domains

All System Center 2012 Configuration Manager site systems must be members of a Windows Active Directory domain that has a domain functional level of Windows 2000, Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2. Note

294

If you configure discovery to filter and remove stale computer records, the Active Directory domain functional level must be a minimum of Windows Server 2003. This requirement includes site systems that support Internet-based client management in a perimeter network (also known as DMZ, demilitarized zone, and screened subnet). The following are limitations for site systems: Configuration Manager does not support the change of domain membership, domain name, or computer name of a Configuration Manager site system after the site system is installed.

Configuration Manager client computers can be domain members, or workgroup members. The following sections contain additional information about domain structures and requirements for Configuration Manager. Active Directory Schema Extensions Configuration Manager Active Directory schema extensions provide benefits for Configuration Manager sites. However, they are not required for all Configuration Manager functions. For more information about Active Directory schema extension considerations, see Determine Whether to Extend the Active Directory Schema for Configuration Manager. If you have extended your Active Directory schema for Configuration Manager 2007, you do not have to update your schema for System Center 2012 Configuration Manager. You can update the Active Directory schema before or after you install Configuration Manager. Schema updates do not interfere with an existing Configuration Manager 2007 sites or clients. For more information about how to extend the Active Directory schema for System Center 2012 Configuration Manager, see the Prepare Active Directory for Configuration Manager section in the Prepare the Windows Environment for Configuration Manager topic. Disjoint Namespaces Except for out of band management, Configuration Manager supports installing site systems and clients in a domain that has a disjoint namespace. Note For more information about namespace limitations for when you manage AMT-based computers out of band, see Prerequisites for Out of Band Management in Configuration Manager. A disjoint namespace scenario is one in which the primary Domain Name System (DNS) suffix of a computer does not match the Active Directory DNS domain name where that computer resides. The computer that uses the primary DNS suffix that does not match is said to be disjoint. Another disjoint namespace scenario occurs if the NetBIOS domain name of a domain controller does not match the Active Directory DNS domain name. The following table identifies the supported scenarios for a disjoint namespace.
Scenario More information

Scenario 1:

In this scenario, the primary DNS suffix of the

295

Scenario

More information

The primary DNS suffix of the domain controller differs from the Active Directory DNS domain name. Computers that are members of the domain can be either disjoint or not disjoint.

domain controller differs from the Active Directory DNS domain name. The domain controller is disjoint in this scenario. Computers that are members of the domain, such as site servers and computers, can have a primary DNS suffix that either matches the primary DNS suffix of the domain controller or matches the Active Directory DNS domain name. In this scenario, the primary DNS suffix of a member computer on which a site system is installed differs from the Active Directory DNS domain name, even though the primary DNS suffix of the domain controller is the same as the Active Directory DNS domain name. In this scenario, you have a domain controller that is not disjoint and a member computer that is disjoint. Member computers that are running the Configuration Manager client can have a primary DNS suffix that either matches the primary DNS suffix of the disjoint site system server or matches the Active Directory DNS domain name.

Scenario 2: A member computer in an Active Directory domain is disjoint, even though the domain controller is not disjoint.

To allow a computer to access domain controllers that are disjoint, you must change the msDSAllowedDNSSuffixes Active Directory attribute on the domain object container. You must add both of the DNS suffixes to the attribute. In addition, to make sure that the DNS suffix search list contains all DNS namespaces that are deployed within the organization, you must configure the search list for each computer in the domain that is disjoint. Include in the list of namespaces the primary DNS suffix of the domain controller, the DNS domain name, and any additional namespaces for other servers with which Configuration Manager might interoperate. You can use the Group Policy Management console to configure the Domain Name System (DNS) suffix search list. Important When you reference a computer in Configuration Manager, enter the computer by using its Primary DNS suffix. This suffix should match the Fully Qualified Domain Name registered as the dnsHostName attribute in the Active Directory domain and the Service Principal Name associated with the system.

296

Single Label Domains Except for out of band management, Configuration Manager supports site systems and clients in a single label domain when the following criteria are met: The single label domain in Active Directory Domain Services must be configured with a disjoint DNS namespace that has a valid top level domain. For example: The single label domain of Contoso is configured to have a disjoint namespace in DNS of contoso.com. Therefore, when you specify the DNS suffix in Configuration Manager for a computer in the Contoso domain, you specify Contoso.com and not Contoso. DCOM connections between site servers in the system context must be successful by using Kerberos authentication. Note For more information about namespace limitations for when you manage AMT-based computers out of band, see Prerequisites for Out of Band Management in Configuration Manager.

Windows Environment
The following sections contain general support configuration information for System Center 2012 Configuration Manager. Support for Internet Protocol Version 6 Configuration Manager supports Internet Protocol version 6 (IPv6) in addition to Internet Protocol version 4 (IPv4). The following table lists the exceptions.
Function Exception to IPv6 support

Network Discovery

IPv4 is required when you configure a DHCP server to search in Network Discovery. IPv4 is required to support out of band management. IPv4 is required to support the Configuration Manager client on Windows CE devices. IPv4 is required to support mobile devices that are enrolled by Windows Intune and the Windows Intune connector. IPv4 is required to support Windows Azure and cloud-based distribution points. IPv4 is required to support the client wake-up proxy packets.

Out of band management

Windows CE

Mobile devices that are enrolled by Windows Intune and the Windows Intune connector Cloud-based distribution points

Wake-up proxy communication

297

Support for Specialized Storage Technology Configuration Manager works with any hardware that is certified on the Windows Hardware Compatibility List for the version of the operating system that the Configuration Manager component is installed on. Site Server roles require NTFS file systems so that directory and file permissions can be set. Because Configuration Manager assumes that it has complete ownership of a logical drive, site systems that run on separate computers cannot share a logical partition on any storage technology. However, each computer can use a separate logical partition on the same physical partition of a shared storage device. Support considerations for the listed storage technologies: Storage Area Network: A Storage Area Network (SAN) is supported when a supported Windows-based server is attached directly to the volume that is hosted by the SAN. Single Instance Storage: Configuration Manager does not support configuration of distribution point package and signature folders on a Single Instance Storage (SIS)-enabled volume. Additionally, the cache of a Configuration Manager client is not supported on a SIS-enabled volume. Note Single Instance Storage (SIS) is a feature of the Windows Storage Server 2003 R2 operating system. Removable Disk Drive: Configuration Manager does not support install of Configuration Manager site system or clients on a removable disk drive.

Support for Computers in Workgroups System Center 2012 Configuration Manager provides support for clients in workgroups. Configuration Manager supports moving a client from a workgroup to a domain or from a domain to a workgroup. For more information, see How to Install Configuration Manager Clients on Workgroup Computers All System Center 2012 Configuration Manager site systems must be members of a supported Active Directory domain. This requirement includes site systems that support Internet-based client management in a perimeter network (also known as DMZ, demilitarized zone, and screened subnet). Support for Virtualization Environments Configuration Manager supports client installation and all site server roles in the following virtualization environments:
Virtualization environment Configuration Manager version

Windows Server 2008

Configuration Manager with no service pack Configuration Manager with SP1

298

Virtualization environment

Configuration Manager version

Microsoft Hyper-V Server 2008

Configuration Manager with no service pack Configuration Manager with SP1 Configuration Manager with no service pack Configuration Manager with SP1 Configuration Manager with no service pack Configuration Manager with SP1 Configuration Manager with no service pack Configuration Manager with SP1 Configuration Manager with no service pack Configuration Manager with SP1 Configuration Manager with SP1 Configuration Manager with SP1

Windows Server 2008 R2

Microsoft Hyper-V Server 2008 R2

Windows Server 2008

Microsoft Hyper-V Server 2008

Windows Server 2012 Microsoft Hyper-V Server 2012

Each virtual computer that you use must meet or exceed the same hardware and software configuration that you would use for a physical Configuration Manager computer. You can validate that your virtualization environment is supported for Configuration Manager by using the Server Virtualization Validation Program and its online Virtualization Program Support Policy Wizard. For more information about the Server Virtualization Validation Program, see Windows Server Virtualization Validation Program. Note Configuration Manager does not support Virtual PC or Virtual Server guest operating systems that run on a Mac. Configuration Manager cannot manage virtual machines unless they are online. An offline virtual machine image cannot be updated nor can inventory be collected by using the Configuration Manager client on the host computer. No special consideration is given to virtual machines. For example, Configuration Manager might not determine whether an update has to be re-applied to a virtual machine image if the virtual machine is stopped and restarted without saving the state of the virtual machine to which the update was applied.

299

Support for Network Address Translation Network Address Translation (NAT) is not supported in Configuration Manager, unless the site supports clients that are on the Internet and the client detects that it is connected to the Internet. For more information about Internet-based client management, see the Planning for InternetBased Client Management section in the Planning for Communications in Configuration Manager topic. DirectAccess Feature Support Configuration Manager supports the DirectAccess feature in Windows Server 2008 R2 for communication between site system servers and clients. When all the requirements for DirectAccess are met, by using this feature, Configuration Manager clients on the Internet can communicate with their assigned site as if they were on the intranet. For server-initiated actions, such as remote control and client push installation, the initiating computer (such as the site server) must be running IPv6, and this protocol must be supported on all intervening networking devices. Configuration Manager does not support the following over DirectAccess: Deploying operating systems Communication between Configuration Manager sites Communication between Configuration Manager site system servers within a site

BranchCache Feature Support Windows BranchCache is integrated in System Center 2012 Configuration Manager. You can configure the BranchCache settings on a deployment type for applications, on the deployment for a package, and for task sequences. When all the requirements for BranchCache are met, this feature enables clients at remote locations to obtain content from local clients that have a current cache of the content. For example, when the first BranchCache-enabled client computer requests content from a distribution point that is configured as a BranchCache server, the client computer downloads and caches the content. This content is then made available for clients on the same subnet that request this same content, and these clients also cache the content. In this manner, successive clients on the same subnet do not have to download content from the distribution point, and the content is distributed across multiple clients for future transfers. To support BranchCache with Configuration Manager, add the Windows BranchCache feature to the site system server that is configured as a distribution point. System Center 2012 Configuration Manager distribution points on servers configured to support BranchCache require no additional configuration. Note With Configuration Manager SP1, cloud-based distribution points support the download of content by clients that are configured for Windows BranchCache.

300

To use BranchCache, the clients that can support BranchCache must be configured for BranchCache distributed mode, and the operating system setting for BITS client settings must be enabled to support BranchCache. The following table lists the Configuration Manager client operating systems that are supported with Windows BranchCache and identifies for each operating system if BranchCache distributed mode is supported natively by the operating system, or if the operating system requires the addition of the BITS 4.0 release.
Operating system Support details
1

Windows Vista with SP2 Windows 7 with SP1 Windows 8

Requires BITS 4.0 Supported by default Supported by default

1

Windows Server 2008 with SP2

Requires BITS 4.0 Supported by default

Windows Server 2008 R2 with no service pack, with SP1, or with SP2 Windows Server 2012
1

Supported by default

On this operating system, the BranchCache client functionality is not supported for software distribution that is run from the network or for SMB file transfers. Additionally, this operating system cannot use BranchCache functionality with cloud-based distribution points. You can install the BITS 4.0 release on Configuration Manager clients by using software updates or software distribution. For more information about the BITS 4.0 release, see Windows Management Framework. For more information about BranchCache, see BranchCache for Windows in the Windows Server documentation. Fast User Switching Fast User Switching, available in Windows XP in workgroup computers, is not supported in System Center 2012 Configuration Manager. Fast User Switching is supported for computers that are running Windows Vista or later versions. Dual Boot Computers System Center 2012 Configuration Manager cannot manage more than one operating system on a single computer. If there is more than one operating system on a computer that must be managed, adjust the discovery and installation methods that are used to ensure that the Configuration Manager client is installed only on the operating system that has to be managed.

301

Supported Upgrade Paths for Configuration Manager

The following sections identify the upgrade options for System Center 2012 Configuration Manager, the operating system version of site servers and clients, and the SQL Server version of database servers. Upgrade Configuration Manager The following table lists the versions of System Center 2012 Configuration Manager, and the supported upgrade paths between versions.
Configuration Manager version Release options Supported Upgrade Paths More information

System Center 2012 Configuration Manager

An evaluation release that expires 180 days after installation. A complete release, to perform a new installation.

System Center 2012 Configuration Man ager evaluation release

You can install System Center 2012 Configuration Manager as either a full installation, or as a trial installation. If you install Configuration Manager as a trial installation, after 180 days, you can only connect a readonly Configuration Manager console and Configuration Manager functionality is limited. At any time before or after the 180 day period, you have the option to upgrade the trial installation to a full installation. System Center 2012 Configuration Manager supports migration of your Configuration Manager 2007 infrastructure but does not support an inplace upgrade of sites from Configuration Manager 2007. However, migration
302

Configuration Manager version

Release options

Supported Upgrade Paths

More information

supports the upgrade of a Configuration Manager 2007 distribution point, or secondary site that is co-located with a distribution point, to a System Center 2012 Configuration Manager distribution point. For more information about migration, see Migrating Hierarchies in System Center 2012 Configuration Manager. System Center 2012 Configuration Manager SP1 An evaluation release that expires 180 days after installation. A complete release, to perform a new installation. An upgrade from System Center 2012 Configuration M anager. System Center 2012 Configuration Man ager SP1 evaluation release System Center 2012 Configuration Man ager with no service pack You can install System Center 2012 Configuration Manager SP1 as a trial installation, a full install, or as an upgrade to existing infrastructure that runs System Center 2012 Configuration Manager with no service pack. However, an upgrade Configuration Manager 2007 to System Center 2012 Configuration Manager SP1 is not supported. If you install Configuration Manager as a trial installation, after 180 days you can only connect a readonly Configuration Manager console and Configuration Manager
303

Configuration Manager version

Release options

Supported Upgrade Paths

More information

functionality is limited. At any time before or after the 180 day period, you have the option to upgrade the trial installation to a full installation. System Center 2012 Configuration Manager SP1 supports migration from Configuration Manager 2007 and System Center 2012 Configuration Manager SP1. For more information about migration, see Migrating Hierarchies in System Center 2012 Configuration Manager.

Infrastructure Upgrade for Configuration Manager In addition to upgrading the version of System Center 2012 Configuration Manager you use for sites, Configuration Manager clients and Configuration Manager consoles, you can upgrade the operating systems that run Configuration Manager site servers, database servers, site system servers, and clients. The information in the following sections can help you upgrade the infrastructure for Configuration Manager. Upgrade of the Site Server Operating System Configuration Manager supports an in-place upgrade of the operating system of the site server in the following situations: In-place upgrade to a higher Windows Server service pack as long as the resulting service pack level remains supported by Configuration Manager. Any version of Windows Server 2008 to any version of Windows Server 2008 R2. Any version of Windows Server 2008 to any version of Windows Server 2012. Any version of Windows Server 2008 R2 to any version of Windows Server 2012.

Configuration Manager does not support the following Windows Server upgrade scenarios.

When a direct operating system upgrade is not supported, perform one of the following procedures after you have installed the new operating system:
304

Install System Center 2012 Configuration Manager with the service pack level that you want, and configure the site according to your requirements. Install System Center 2012 Configuration Manager with the service pack level that you want and perform a site recovery. This scenario requires you to have a site backup that was created by using the Backup Site Server maintenance task on the original Configuration Manager site, and that you use the same installation settings for the new System Center 2012 Configuration Manager site.

Client Operating System Upgrade Configuration Manager supports an in-place upgrade of the operating system for Configuration Manager clients in the following situations: In-place upgrade to a higher Windows Server service pack as long as the resulting service pack level remains supported by Configuration Manager.

SQL Server Upgrade for the Site Database Server Configuration Manager supports an in-place upgrade of SQL Server from a supported version of SQL on the site database server. The following sections provide information about the different upgrade scenarios supported by Configuration Manager and any requirements for each scenario. Upgrade of the Service Pack Version of SQL Server Configuration Manager supports the in-place upgrade of SQL Server to a higher service pack as long as the resulting SQL Server service pack level remains supported by Configuration Manager. When you have multiple Configuration Manager sites in a hierarchy, each site can run a different service pack version of SQL Server, and there is no limitation to the order in which sites upgrade the service pack version of SQL Server that is used for the site database. SQL Server 2008 to SQL Server 2008 R2 Configuration Manager supports the in-place upgrade of SQL Server from SQL Server 2008 to SQL Server 2008 R2. When you have multiple Configuration Manager sites in a hierarchy, each site can run a different version of SQL Server, and there is no limitation to the order in which sites upgrade the version of SQL Server in use for the site database. SQL Server 2008 or SQL Server 2008 R2 to SQL Server 2012 For Configuration Manager SP1 only: Configuration Manager with SP1 supports the in-place upgrade of SQL Server 2008 or SQL Server 2008 R2 to SQL Server 2012 with the following limitations: Each Configuration Manager site must run service pack 1 before you can upgrade the version of SQL Server to SQL Server 2012 at any site. When you upgrade the version of SQL Server that hosts the site database at each site to SQL Server 2012, you must upgrade the SQL Server version that is used at sites in the following order: Upgrade SQL Server at the central administration site first. Upgrade secondary sites before you upgrade a secondary sites parent primary site.
305

Upgrade parent primary sites last. This includes both child primary sites that report to a central administration site, and stand-alone primary sites that are the top-level site of a hierarchy. Important Although you upgrade the service pack version of a Configuration Manager site by upgrading the top-tier site first and then upgrading down the hierarchy, when you upgrade SQL Server to SQL Server 2012, you must use the previous sequence, upgrading the primary sites last. This does not apply to upgrades of SQL Server 2008 to SQL Server 2008 R2.

To upgrade SQL Server on the site database server 1. Stop all Configuration Manager services at the site. 2. Upgrade SQL Server to a supported version. 3. Restart the Configuration Manager services.

See Also
Planning for Configuration Manager Sites and Hierarchy

Interoperability between Different Versions of Configuration Manager

It is supported to install and operate multiple, independent hierarchies of System Center 2012 Configuration Manager on the same network. However, because different hierarchies of Configuration Manager do not interoperate outside of migration, each hierarchy requires configurations to prevent conflicts between them. Additionally, you can make certain configurations to help resources that you manage to interact with the site systems from the correct hierarchy. The following sections provide information about using different versions of Configuration Manager on the same network.

Interoperability between System Center 2012 Configuration Manager and Configuration Manager 2007
A System Center 2012 Configuration Manager site or hierarchy cannot interoperate with a Configuration Manager 2007 site or hierarchy. A Configuration Manager 2007 site cannot report to a System Center 2012 Configuration Manager parent site, and you cannot upgrade a Configuration Manager 2007 site to a System Center 2012 Configuration Manager site. Instead of an in-place upgrade, you use System Center 2012 Configuration Manager migration to migrate your Configuration Manager 2007 SP2 objects and data to System Center 2012
306

Configuration Manager. For information about migrating from Configuration Manager 2007 SP2 to System Center 2012 Configuration Manager, see Migrating Hierarchies in System Center 2012 Configuration Manager. Because you can deploy a System Center 2012 Configuration Manager site or hierarchy side-byside with a Configuration Manager 2007 site or hierarchy, take action to prevent clients from either version from trying to join a site from the other Configuration Manager version. For example, if your Configuration Manager hierarchies have overlapping boundaries, including the same network locations, you might assign each new client to a specific site instead of using automatic site assignment. For information about automatic site assignment in System Center 2012 Configuration Manager, see How to Assign Clients to a Site in Configuration Manager. Additionally, it is not supported to install a client from Configuration Manager 2007 on a computer that hosts a site system role from System Center 2012 Configuration Manager, nor to install a System Center 2012 Configuration Manager client on a computer that hosts a site system role from Configuration Manager 2007. System Center 2012 Configuration Manager supports only System Center 2012 Configuration Manager device and mobile device clients. The following clients and the following Virtual Private Network (VPN) connection are not supported: Any Configuration Manager 2007 or earlier computer client version Any Configuration Manager 2007 or earlier device management client Windows CE Platform Builder device management client (any version) System Center Mobile Device Manager VPN connection

Client Site Assignment Considerations

System Center 2012 Configuration Manager clients can be assigned to only one site. When automatic site assignment is used to assign clients to a site during client installation, and more than one boundary group includes the same boundary, and the boundary groups have different assigned sites, the actual site assignment of a client cannot be predicted. If boundaries overlap across multiple System Center 2012 Configuration Manager and Configuration Manager 2007 site hierarchies, clients might not get assigned to the correct site hierarchy or might not get assigned to a site at all. System Center 2012 Configuration Manager clients check the version of the Configuration Manager site before they complete site assignment and cannot assign to a Configuration Manager 2007 site if boundaries overlap. However, Configuration Manager 2007 clients do not check for the site version and can incorrectly be assigned to a System Center 2012 Configuration Manager site. To prevent Configuration Manager 2007 clients from unintentionally being assigned to a System Center 2012 Configuration Manager site when the two hierarchies have overlapping boundaries, configure Configuration Manager 2007 client installation parameters to assign clients to a specific site.

307

Interoperability between Sites with Different Service Pack Versions in System Center 2012 Configuration Manager
System Center 2012 Configuration Manager requires that each site in a hierarchy be of the same service pack level. However, while you are actively upgrading a hierarchy to a new service pack, different sites in the hierarchy upgrade at different times. Therefore, to support the upgrade process, Configuration Manager supports limited interactions between different service pack versions in a single hierarchy.

Limitations to Configuration Manager Capabilities in a MixedVersion Hierarchy

When different sites in a single hierarchy use different service pack versions, some Configuration Manager functionality is not available. This can affect how you manage Configuration Manager objects in the Configuration Manager console, and what functionality is available to clients. Typically, functionality from the newer service pack version of Configuration Manager is not accessible at sites or to clients that run a lower service pack version. The following table lists objects and functionality that are affected when you have sites in a hierarchy with different service pack versions, and provides details about the limitations for those objects.
Object Details

Endpoint Protection and anti-malware policies

The following are limitations for using Endpoint Protection and anti-malware policies in a hierarchy with sites that use different service pack versions: Anti-malware polices that you create when you use a Configuration Manager console that connects to a Configuration Manager SP1 site apply only to clients that run Configuration Manager SP1. Clients that run Configuration Manager with no service pack do not receive these new policies until they upgrade to SP1. Anti-malware policies that are created on a site that runs Configuration Manager SP1 cannot be viewed on a Configuration Manager console that connects to a Configuration Manager site with no service pack unless the user who runs the console is associated with the All security scope. If the user is not associated with this security
308

Object

Details

scope, grant the user the necessary security scope or manage anti-malware policies from the central administration site until all sites in the hierarchy update to Configuration Manager SP1. To initiate a malware scan on a Configuration Manager SP1 client, you must use a Configuration Manager console that connects to a Configuration Manager SP1 site. You cannot add new alerts for Endpoint Protection until all sites in the hierarchy have been upgraded to Configuration Manager SP1.

New deployment types in Configuration Manager SP1

Due to the global data replication, new deployment types that are available with Configuration Manager cannot be created nor used until all sites in the hierarchy run Configuration Manager SP1. These deployment types include the following: Mac OS X Microsoft Application Virtualization (App-V) 5 Windows app package Windows app package (in the Windows Store) Windows Phone 8 Windows Phone 8 deeepLink iOS (all) Android (all)

For information about deployment types, see How to Create Deployment Types in Configuration Manager. App-V virtual environments You cannot configure, nor use App-V virtual environments until all sites in the hierarchy run Configuration Manager SP1. For more information about App-V virtual environments, see the App-V Virtual Environments section in the Introduction to Application Management in Configuration
309

Object

Details

Manager topic. Boot images for operating system deployment The default boot images are automatically updated to Windows ADK-based boot images, which use Windows PE 4, when the top-level site is upgraded to Configuration Manager SP1. Use these boot images only for deployments to clients at Configuration Manager SP1 sites. For more information, see Planning for Operating System Deployment Interoperability. A Configuration Manager client that communicates with a management point from a site that runs a lower service pack version than the client can only use functionality that the down-level version of Configuration Manager supports. For example, if you deploy content from a Configuration Manager SP1 site to a Configuration Manager SP1 client that communicates with a management point that is installed at a secondary site that has not yet upgraded to SP1, that client cannot use new functionality from SP1. This includes receiving new deployment types that are available in SP1, or receiving a cloud-based distribution point as a content location. Configuration Manager clients require Microsoft Silverlight 5 to use an Application Catalog website point from a Configuration Manager SP1 site. When a computer that runs the Configuration Manager client with no service pack and that does not have Silverlight 5 installed connects to an Application Catalog website point from a Configuration Manager SP1 site, the client is prompted to install Silverlight 5. When a computer that runs the Configuration Manager SP1 client connects to an Application Catalog website point from a Configuration Manager site with no service pack, the end user can view the application list, but cannot request or install applications. Additionally, the
310

Client to down-level management point communications

Client to up-level Application Catalog website point

Client to down-level Application Catalog website point

Object

Details

end user cannot configure the setting I regularly use this computer to do my work on the My Devices tab.

See Also
Planning for Configuration Manager Sites and Hierarchy

Planning for Hardware Configurations for Configuration Manager

This topic identifies recommended hardware configurations for System Center 2012 Configuration Manager site system servers, clients, and the Configuration Manager console. Use these recommendations as guidelines when you plan to scale your Configuration Manager environment to support more than a very basic deployment of sites, site systems, and clients. Use the information in this topic as a guide for the hardware to use when you run Configuration Manager at scale. For information about supported configurations for Configuration Manager, see Supported Configurations for Configuration Manager. These recommendations are not intended to cover each possible site and hierarchy configuration. Instead, use this information as a guide to help you plan for hardware that can meet the processing loads for clients and sites that use the available Configuration Manager features with the default configurations. Configuration Manager Site Systems Site Servers Disk Space Configurations Remote Site System Servers

Configuration Manager Site Systems

This section identifies recommended hardware configurations for Configuration Manager site systems. In general, the key factors that limit performance of the overall system include the following, in order: 1. Disk I/O performance 2. Available memory 3. CPU For best performance, use RAID 10 configurations for all data drives and 1Gbps Ethernet network connectivity between site system servers, including the database server.
311

Site Servers
Use the following recommendations for each Configuration Manager site server. For information about the disk space requirements, see Disk Space Configurations.
Site details Suggested minimum configuration

Central administration site with the Standard edition of SQL Server SQL Server is located on the site server computer. This configuration supports a hierarchy with up to 50,000 clients Note Database replication represents the largest processing load on the central administration site. Central administration site with the Enterprise or Datacenter edition of SQL Server SQL Server is located on the site server computer This configuration supports a hierarchy with up to 400,000 clients Note Database replication represents the largest processing load on the central administration site. Stand-alone primary site Up to 100,000 clients SQL Server is installed on the site server computer

8 cores (Intel Xeon 5504 or comparable CPU) 32 GB of RAM 300 GB of disk space for the operating system, Configuration Manager, SQL Server, and all database files.

16 cores (Intel Xeon L5520 or comparable CPU) 64 GB of RAM 1.5 TB of disk space for the operating system, Configuration Manager, SQL Server, and all database files.

8 cores (Intel Xeon E5504 or comparable CPU) 32 GB of RAM 550 GB hard disk space for the operating system, SQL Server, and all database files 4 cores (Intel Xeon 5140 or comparable CPU) 16 GB of RAM 300 GB of hard disk space for the operating system, Configuration Manager, SQL Server, and all database files.

Primary site in a hierarchy Up to 50,000 clients SQL Server is installed on the site server computer

Primary site in a hierarchy Up to 100,000 clients

Site Server: 4 cores (Intel Xeon 5140 or comparable

312

Site details

Suggested minimum configuration

SQL Server is remote from the site server computer

CPU) 8GB of RAM 200 GB of disk space for the operating system and Configuration Manager. 8 cores (Intel Xeon E5504 or comparable CPU) 32 GB of RAM 550 GB of hard disk space for the operating system, SQL Server, and all database files. 4 cores (Intel Xeon 5140 or comparable CPU) 8 GB of RAM 100 GB of hard disk space for the operating system, Configuration Manager, SQL Server, and all database files.

Remote SQL Server: Secondary site Communications from up to 5,000 clients SQL Server must be installed on the site server computer

Disk Space Configurations

Because disk allocation and configuration contributes to the performance of System Center 2012 Configuration Manager, disk space requirements can be greater than for previous product versions. Use the following information as guidelines when you determine the amount of disk space Configuration Manager requires. Because each Configuration Manager environment is different, these values can vary from the following guidance. For the best performance, place each object on a separate, dedicated RAID volume. For all data volumes (Configuration Manager and its database files), use RAID 10 for the best performance.
Data usage Minimum disk space
1

25,000 clients

50,000 clients

100,000 clients

Operating system

See guidance for See guidance for See guidance for See guidance for the operating the operating the operating the operating system. system. system. system. 25 GB 50 GB 100 GB 200 GB

Configuration Manager Application and Log Files Site database .mdf file

75 GB for every 25,000 clients

75 GB

150 GB

300 GB

313

Data usage

Minimum disk space

1

25,000 clients

50,000 clients

100,000 clients

Site database .ldf file

25 GB for every 25,000 clients

25 GB

50 GB

100 GB

Temp database files As needed (.mdf and .ldf) Content (distribution point shares)
1

As needed

As needed

As needed

As needed

As needed

As needed

As needed

The minimum disk space does not include the space required for source content that is located on the site server. In addition to the preceding guidance, consider the following general guidelines when you plan for disk space requirements: Each client requires approximately 3 MB of space in the database When planning for the size of the Temp database for a primary site, plan for a size that is 25% to 30% of the site database .mdf file. The actual size can be significantly smaller, or larger, and depends on the performance of the site server and the volume of incoming data over both short and long periods of time. The Temp database size for a central administration site is typically much smaller than that for a primary site. The secondary site database is limited in size to the following: SQL Server 2008 Express: 4 GB SQL Server 2008 R2 Express: 10 GB

Remote Site System Servers

Use the following as recommended hardware configurations for computers that run the following site system roles. These recommendations are for computers that hold a single site system role and you should make adjustments when you install multiple site system roles on the same computer. For more information about the disk space requirements, see Disk Space Configurations in this topic.
Site system role Suggested minimum configuration

Management point

4 cores (Intel Xeon 5140 or comparable CPU) 8 GB of RAM 50 GB of disk space for the operating system and Configuration Manager. Note
314

Site system role

Suggested minimum configuration

Management point performance relies most on memory and processor capacity. Distribution point 2 cores (Intel Xeon 5140 or comparable CPU) 8 GB of RAM Disk space as required for the operating system and content you deploy to the distribution point. Note Distribution point performance relies most on network I/O and disk I/O. Application Catalog, with the web service and website on the site system computer All other site system roles 4 cores (Intel Xeon 5140 or comparable CPU) 16 GB of RAM 50 GB of disk space for the operating system and Configuration Manager. 4 cores (Intel Xeon 5140 or comparable CPU) 8 GB of RAM 50 GB of disk space for the operating system and Configuration Manager.

See Also
Planning for Configuration Manager Sites and Hierarchy

PKI Certificate Requirements for Configuration Manager

The public key infrastructure (PKI) certificates that you might require for System Center 2012 Configuration Manager are listed in the following tables. This information assumes basic knowledge of PKI certificates. For step-by-step guidance for an example deployment of these certificates, see Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority. For more information about Active Directory Certificate Services, see Active Directory Certificate Services in Windows Server 2008.
315

With the exception of the client certificates that Configuration Manager enrolls on mobile devices and Mac computers, the certificates that Windows Intune automatically creates for managing mobile devices, and the certificates that Configuration Manager installs on AMT-based computers, you can use any PKI to create, deploy, and manage the following certificates. However, when you use Active Directory Certificate Services and certificate templates, this Microsoft PKI solution can ease the management of the certificates. Use the Microsoft certificate template to use column in the following tables to identify the certificate template that most closely matches the certificate requirements. Template-based certificates can be issued only by an enterprise certification authority running on the Enterprise Edition or Datacenter Edition of the server operating system, such as Windows Server 2008 Enterprise and Windows Server 2008 Datacenter. Important When you use an enterprise certification authority and certificate templates, do not use the version 3 templates (Windows Server 2008, Enterprise Edition). These certificate templates create certificates that are incompatible with Configuration Manager. Use the following sections to view the certificate requirements.

PKI Certificates for Servers

Configuratio n Manager component Certificate purpose Microsoft certificate template to use Specific information in the certificate How the certificate is used in Configuration Manager

Site systems Server that run authenticat Internet ion Information Services (IIS) and that are configured for HTTPS client connections: Man agement point Distr ibution

Web Server

Enhanced Key Usage value must contain Server Authentication (1.3.6.1.5.5.7.3.1). If the site system accepts connections from the Internet, the Subject Name or Subject Alternative Name must contain the Internet fully qualified domain name (FQDN).

This certificate must reside in the Personal store in the Computer certificate store.

This web server certificate is used to authenticate these servers to the client and to encrypt all data If the site system accepts connections from the intranet, the transferred between the client Subject Name or Subject and these servers Alternative Name must contain by using Secure either the intranet FQDN (recommended) or the computer's Sockets Layer name, depending on how the site (SSL).
316

Configuratio n Manager component

Certificate purpose

Microsoft certificate template to use

Specific information in the certificate

How the certificate is used in Configuration Manager

point Software update point State migratio n point Enro llment point Enro llment proxy point Appl ication Catalog web service point Appl ication Catalog website point Cloud-based distribution point Server authenticat ion Web Server

system is configured. If the site system accepts connections from both the Internet and the intranet, both the Internet FQDN and the intranet FQDN (or computer name) must be specified by using the ampersand (&) symbol delimiter between the two names. Important When the software update point accepts client connections from the Internet only, the certificate must contain both the Internet FQDN and the intranet FQDN. SHA-1 and SHA-2 hash algorithms are supported. Configuration Manager does not specify a maximum supported key length for this certificate. Consult your PKI and IIS documentation for any key-size related issues for this certificate.

Enhanced Key Usage value must contain Server Authentication (1.3.6.1.5.5.7.3.1). The Subject Name must contain a customer-defined service name and domain name in an FQDN format as the Common Name for the specific instance of the cloud-

For Configuration Manager SP1 only: This service certificate is used to authenticate the cloud-based distribution point service to Configuration
317

Configuratio n Manager component

Certificate purpose

Microsoft certificate template to use

Specific information in the certificate

How the certificate is used in Configuration Manager

based distribution point. The private key must be exportable. SHA-1 and SHA-2 hash algorithms are supported. Supported key lengths: 2048 bits.

Manager clients and to encrypt all data transferred between them by using Secure Sockets Layer (SSL). This certificate must be exported in a Public Key Certificate Standard (PKCS #12) format, and the password must be known so that it can be imported when you create a cloud-based distribution point. Note This certificate is used in conjunctio n with the Windows Azure managem ent certificate. For more informatio n about this certificate, see How to Create
318

Configuratio n Manager component

Certificate purpose

Microsoft certificate template to use

Specific information in the certificate

How the certificate is used in Configuration Manager

a Managem ent Certificate and How to Add a Managem ent Certificate to a Windows Azure Subscripti on in the Windows Azure Platform section of the MSDN Library. Network Load Balancing (NLB) cluster for a software update point Server authenticat ion Web server Enhanced Key Usage value must contain Server Authentication (1.3.6.1.5.5.7.3.1). 1. The FQDN of the NLB cluster in the Subject Name field, or Subject Alternative Name field: For network load balancing servers that support Internet-based client management, use the Internet NLB FQDN. For network load balancing servers that support intranet clients, use the intranet NLB FQDN. For System Center 20 12 Configuration Man ager with no service pack: This certificate is used to authenticate the network load balancing software update point to the client, and to encrypt all data transferred between the client and these servers by using SSL.
319

Configuratio n Manager component

Certificate purpose

Microsoft certificate template to use

Specific information in the certificate

How the certificate is used in Configuration Manager

2. The computer name of the site system in the NLB cluster in the Subject Name field or Subject Alternative Name field. This server name must be specified after the NLB cluster name and the ampersand (&) symbol delimiter: For site systems on the intranet, use the intranet FQDN if you specify them (recommended) or the computer NetBIOS name. For site systems supporting Internet-based client management, use the Internet FQDN.

SHA-1 and SHA-2 hash algorithms are supported.

Note This certificate is applicable to Configurat ion Manager with no service pack only because NLB software update points are not supported in Configurat ion Manager SP1. This certificate must reside in the Personal store in the Computer certificate store and Configuration Manager automatically copies it to the Trusted People Store for servers in the Configuration Manager
320

Site system Server servers that authenticat run Microsoft ion SQL Server

Web server

Enhanced Key Usage value must contain Server Authentication (1.3.6.1.5.5.7.3.1). The Subject Name must contain the intranet fully qualified domain name (FQDN). SHA-1 and SHA-2 hash algorithms are supported. Maximum supported key length is 2048 bits.

Configuratio n Manager component

Certificate purpose

Microsoft certificate template to use

Specific information in the certificate

How the certificate is used in Configuration Manager

hierarchy that might have to establish trust with the server. These certificates are used for server-to-server authentication. SQL Server Server cluster: Site authenticat system ion servers that run Microsoft SQL Server Web server Enhanced Key Usage value must contain Server Authentication (1.3.6.1.5.5.7.3.1). The Subject Name must contain the intranet fully qualified domain name (FQDN) of the cluster. The private key must be exportable. The certificate must have a validity period of at least two years when you configure Configuration Manager to use the SQL Server cluster. SHA-1 and SHA-2 hash algorithms are supported. Maximum supported key length is 2048 bits. After you have requested and installed this certificate on one node in the cluster, export the certificate and import it to each additional node in the SQL Server cluster. This certificate must reside in the Personal store in the Computer certificate store and Configuration Manager automatically copies it to the Trusted People Store for servers in the Configuration Manager hierarchy that might have to establish trust with the server.

321

Configuratio n Manager component

Certificate purpose

Microsoft certificate template to use

Specific information in the certificate

How the certificate is used in Configuration Manager

These certificates are used for server-to-server authentication. Site system Client monitoring authenticat for the ion following site system roles: Man agement point State migratio n point Workstatio n Authenticat ion Enhanced Key Usage value must contain Client Authentication (1.3.6.1.5.5.7.3.2). This certificate is required on the listed site system servers, even if the Computers must have a unique value in the Subject Name field or System Center 20 12 in the Subject Alternative Name Configuration Man field. ager client is not Note installed, so that If you are using multiple the health of values for the Subject these site system Alternative Name, only roles can be the first value is used. monitored and reported to the SHA-1 and SHA-2 hash site. algorithms are supported. Maximum supported key length is 2048 bits. The certificate for these site systems must reside in the Personal store of the Computer certificate store. This certificate has two purposes: It authenticates the distribution point to an HTTPSenabled management point before
322

Site systems Client that have a authenticat distribution ion point installed

Workstatio n Authenticat ion

Enhanced Key Usage value must contain Client Authentication (1.3.6.1.5.5.7.3.2). There are no specific requirements for the certificate Subject or Subject Alternative Name (SAN), and you can use the same certificate for multiple distribution points.

Configuratio n Manager component

Certificate purpose

Microsoft certificate template to use

Specific information in the certificate

How the certificate is used in Configuration Manager

The private key must be exportable. SHA-1 and SHA-2 hash algorithms are supported. Maximum supported key length is 2048 bits.

the distribution point sends status messages. When the Enable PXE support for clients distribution point option is selected, the certificate is sent to computers that so that if task sequences in the operating system deployment process include client actions such as client policy retrieval or sending inventory information, the client computers can connect to a HTTPSenabled management point during the deployment of the operating system. This
323

Configuratio n Manager component

Certificate purpose

Microsoft certificate template to use

Specific information in the certificate

How the certificate is used in Configuration Manager

certificate is used for the duration of the operating system deployment process only and is not installed on the client. Because of this temporary use, the same certificate can be used for every operating system deployment if you do not want to use multiple client certificates. This certificate must be exported in a Public Key Certificate Standard (PKCS #12) format, and the password must be known so that it can be imported into the distribution point properties. Note The requireme
324

Configuratio n Manager component

Certificate purpose

Microsoft certificate template to use

Specific information in the certificate

How the certificate is used in Configuration Manager

nts for this certificate are the same as the client certificate for boot images for deploying operating systems. Because the requireme nts are the same, you can use the same certificate file. Out of band service point AMT Provisionin g Web Server (modified) Enhanced Key Usage value must contain Server Authentication (1.3.6.1.5.5.7.3.1) and the following object identifier: 2.16.840.1.113741.1.2.3. The subject name field must contain the FQDN of the server that is hosting the out of band service point. Note If you request an AMT provisioning certificate from an external CA instead of from your own This certificate resides in the Personal store in the Computer certificate store of the out of band service point site system server. This AMT provisioning certificate is used to prepare computers for out of band management. You must request
325

Configuratio n Manager component

Certificate purpose

Microsoft certificate template to use

Specific information in the certificate

How the certificate is used in Configuration Manager

internal CA, and it does not support the AMT provisioning object identifier of 2.16.840.1.113741.1.2.3, you can alternatively specify the following text string as an organizational unit (OU) attribute in the certificate subject name: Intel(R) Client Setup Ce rtificate. This exact text string in English must be used, in the same case, without a trailing period, and in addition to the FQDN of the server that is hosting the out of band service point. SHA-1 is the only supported hash algorithm. Supported key lengths: 1024 and 2048. For AMT 6.0 and later versions, the key length of 4096 bits is also supported.

this certificate from a CA that supplies AMT provisioning certificates, and the BIOS extension for the Intel AMT-based computers must be configured to use the root certificate thumbprint (also referred to as the certificate hash) for this provisioning certificate. VeriSign is a typical example of an external CA that provides AMT provisioning certificates, but you can also use your own internal CA. Install the certificate on the server that hosts the out of band service point, which must be able to chain successfully to the certificate's root CA. (By default, the root CA
326

Configuratio n Manager component

Certificate purpose

Microsoft certificate template to use

Specific information in the certificate

How the certificate is used in Configuration Manager

certificate and intermediate CA certificate for VeriSign are installed when Windows installs.) Site system server that runs the Windows Int une connector Client authenticat ion Not applicable: Windows Intune automaticall y creates this certificate. Enhanced Key Usage value contains Client Authentication (1.3.6.1.5.5.7.3.2). 3 custom extensions uniquely identify the customer Windows Intune subscription. The key size is 2048 bits and uses the SHA-1 hash algorithm. Note You cannot change these settings: This information is provided for informational purposes only. This certificate is automatically requested and installed to the Configuration Manager database when you subscribe to Windows Intune. When you install the Windows Intune connector, this certificate is then installed on the site system server that runs the Windows Intune connector. It is installed into the Computer certificate store. This certificate is used to authenticate the Configuration Manager hierarchy to Windows Intune by using the Windows Intune connector. All data that is
327

Configuratio n Manager component

Certificate purpose

Microsoft certificate template to use

Specific information in the certificate

How the certificate is used in Configuration Manager

transferred between them uses Secure Sockets Layer (SSL).

Proxy Web Servers for Internet-Based Client Management

If the site supports Internet-based client management, and you are using a proxy web server by using SSL termination (bridging) for incoming Internet connections, the proxy web server has the certificate requirements listed in the following table. Note If you are using a proxy web server without SSL termination (tunneling), no additional certificates are required on the proxy web server.
Network infrastructure component Certificate purpose Microsoft certificate template to use Specific information in the certificate How the certificate is used in Configuration Manager

Proxy web server accepting client connections over the Internet

Server authentication and client authentication

1. Web Server 2. Workstation Authenticati on

Internet FQDN in the Subject Name field or in the Subject Alternative Name field (if you are using Microsoft certificate templates, the Subject Alternative Name is available with the workstation template

This certificate is used to authenticate the following servers to Internet clients and to encrypt all data transferred between the client and this server by using SSL: Internet-based management point Internet-based distribution point Internet-based software update point

The client authentication is used to bridge client connections between

328

Network infrastructure component

Certificate purpose

Microsoft certificate template to use

Specific information in the certificate

How the certificate is used in Configuration Manager

only). SHA-1 and SHA-2 hash algorithms are supported.

the System Center 2012 Configuration Manager clients and the Internetbased site systems.

PKI Certificates for Clients

Configuratio n Manager component Certificate purpose Microsoft certificate template to use Specific information in the certificate How the certificate is used in Configuration Manager

Windows client computers

Client authenticatio n

Workstation Authentication

Enhanced Key Usage value must contain Client Authentication (1.3.6.1.5.5.7.3.2). Client computers must have a unique value in the Subject Name field or in the Subject Alternative Name field. Note If you are using multiple values for the Subject Alternative Name, only the first value is used.

By default, Configuration Manager looks for computer certificates in the Personal store in the Computer certificate store. With the exception of the software update point and the Application Catalog website point, this certificate authenticates the client to site system servers that run IIS and that are configured to use HTTPS.

329

Configuratio n Manager component

Certificate purpose

Microsoft certificate template to use

Specific information in the certificate

How the certificate is used in Configuration Manager

SHA-1 and SHA-2 hash algorithms are supported. Maximum supported key length is 2048 bits. Mobile device clients Client authenticatio n Authenticated Session Enhanced Key Usage value must contain Client Authentication (1.3.6.1.5.5.7.3.2). SHA-1 is the only supported hash algorithm. Maximum supported key length is 2048 bits. Important These certificates must be in Distinguish ed Encoding Rules (DER) encoded binary X.509 format. Base64 encoded X.509 format is not supported. Boot images Client Workstation Enhanced Key The certificate is
330

This certificate authenticates the mobile device client to the site system servers that it communicates with, such as management points and distribution points.

Configuratio n Manager component

Certificate purpose

Microsoft certificate template to use

Specific information in the certificate

How the certificate is used in Configuration Manager

for deploying operating systems

authenticatio n

Authentication

Usage value must contain Client Authentication (1.3.6.1.5.5.7.3.2). There are no specific requirements for the certificate Subject Name field or Subject Alternative Name (SAN), and you can use the same certificate for all boot mages. The private key must be exportable. SHA-1 and SHA-2 hash algorithms are supported. Maximum supported key length is 2048 bits.

used if task sequences in the operating system deployment process include client actions such as client policy retrieval or sending inventory information. This certificate is used for the duration of the operating system deployment process only and is not installed on the client. Because of this temporary use, the same certificate can be used for every operating system deployment if you do not want to use multiple client certificates. This certificate must be exported in a Public Key Certificate Standard (PKCS #12) format, and the password must be known so that it can be imported into the Configuration Manager boot images. Note The
331

Configuratio n Manager component

Certificate purpose

Microsoft certificate template to use

Specific information in the certificate

How the certificate is used in Configuration Manager

requirement s for this certificate are the same as the server certificate for site systems that have a distribution point installed. Because the requirement s are the same, you can use the same certificate file. Mac client computers Client authenticatio n For Configuration Manager enrollment:Authentica ted Session For certificate installation independent from Configuration Manager: Workstation Authentication Enhanced Key Usage value must contain Client Authentication (1.3.6.1.5.5.7.3.2). For Configuration Manager that creates a User certificate, the certificate Subject value is automatically populated with the user name of the person who enrolls the Mac computer. For certificate installation that does not use
332

For Configuration Manager SP1 only: This certificate authenticates the Mac client computer to the site system servers that it communicates with, such as management points and distribution points.

Configuratio n Manager component

Certificate purpose

Microsoft certificate template to use

Specific information in the certificate

How the certificate is used in Configuration Manager

Configuration Manager enrollment but deploys a Computer certificate independently from Configuration Manager, the certificate Subject value must be unique. For example, specify the FQDN of the computer. The Subject Alternative Name field is not supported. SHA-1 and SHA-2 hash algorithms are supported. Maximum supported key length is 2048 bits. Linux and UNIX client computers Client authenticatio n Workstation Authentication Enhanced Key Usage value must contain Client Authentication (1.3.6.1.5.5.7.3.2). The Subject Alternative Name field is not supported. The private key must be exportable. SHA-1 hash For Configuration Manager SP1 only: This certificate authenticates the client for Linux and UNIX to the site system servers that it communicates with, such as management points and distribution points. This certificate must
333

Configuratio n Manager component

Certificate purpose

Microsoft certificate template to use

Specific information in the certificate

How the certificate is used in Configuration Manager

algorithm is supported. SHA-2 hash algorithm is supported if the operating system of the client supports SHA-2. For more information, see the About Linux and UNIX Operating Systems That do not Support SHA-256 section in the Planning for Client Deployment for Linux and UNIX Servers topic. Supported key lengths: 2048 bits. Important These certificates must be in Distinguish ed Encoding Rules (DER) encoded binary X.509 format. Base64 encoded X.509

be exported in a Public Key Certificate Standard (PKCS#12) format, and the password must be known so you can specify it to the client when you specify the PKI certificate. For additional information, see the Planning for Security and Certificates for Linux and UNIX Servers section in Planning for Client Deployment for Linux and UNIX Servers topic.

334

Configuratio n Manager component

Certificate purpose

Microsoft certificate template to use

Specific information in the certificate

How the certificate is used in Configuration Manager

format is not supported. Root certification authority (CA) certificates for the following scenarios: Ope rating system deploy ment Mobile device enrollm ent RA DIUS server authenti cation for Intel AMTbased comput ers Client certificat e authenti cation Certificate chain to a trusted source Not applicable. Standard root CA certificate. The root CA certificate must be provided when clients have to chain the certificates of the communicating server to a trusted source. This applies in the following scenarios: When you deploy an operating system, and task sequences run that connect the client computer to a management point that is configured to use HTTPS. When you enroll a mobile device to be managed by System Center 2 012 Configuration M anager. When you use 802.1X authentication for AMT-based computers, and you want to specify a file for
335

Configuratio n Manager component

Certificate purpose

Microsoft certificate template to use

Specific information in the certificate

How the certificate is used in Configuration Manager

the RADIUS servers root certificate. In addition, the root CA certificate for clients must be provided if the client certificates are issued by a different CA hierarchy than the CA hierarchy that issued the management point certificate. Intel AMTbased computers Server authenticatio n. Web Server (modified) Enhanced Key You must configure the Usage value must contain Server Subject Name for Build from this Active Authentication (1.3.6.1.5.5.7.3.1). Directory information, and then select Common name for the Subject name format. The Subject Name must contain the FQDN of the AMTbased computer, which is supplied You must grant Read and Enroll permissions automatically from Active Directory to the universal security group that you Domain Services. specify in the out of SHA-1 is the only band management supported hash component properties. algorithm. Maximum supported key length: 2048 bits. This certificate resides in the nonvolatile random access memory of the management controller in the computer and is not viewable in the Windows user interface. Each Intel AMTbased computer requests this certificate during AMT provisioning and for subsequent updates. If you remove AMT provisioning information from these computers, they revoke this certificate. When this certificate is installed on
336

Configuratio n Manager component

Certificate purpose

Microsoft certificate template to use

Specific information in the certificate

How the certificate is used in Configuration Manager

Intel AMT-based computers, the certificate chain to the root CA is also installed. AMTbased computers cannot support CA certificates with a key length larger than 2048 bits. After the certificate is installed on Intel AMT-based computers, this certificate authenticates the AMT-based computers to the out of band service point site system server and to computers that are run the out of band management console, and encrypts all data transferred between them by using Transport Layer Security (TLS). Intel AMT 802.1X client certificate Client authenticatio n Workstation Authentication Enhanced Key Usage value must You must configure the contain Client Authentication Subject Name for Build from this Active (1.3.6.1.5.5.7.3.2). Directory The subject name information, and then field must contain select Common name the FQDN of the for the Subject name AMT-based This certificate resides in the nonvolatile random access memory of the management controller in the computer and is not viewable in the Windows user
337

Configuratio n Manager component

Certificate purpose

Microsoft certificate template to use

Specific information in the certificate

How the certificate is used in Configuration Manager

format, clear the DNS name and select the User principal name (UPN) for the alternative subject name. You must grant the universal security group that you specify in the out of band management component properties Read and Enroll permissions to this certificate template.

computer and the subject alternative name must contain the UPN. Maximum supported key length: 2048 bits.

interface. Each Intel AMTbased computer can request this certificate during AMT provisioning but they do not revoke this certificate when their AMT provisioning information is removed. After the certificate is installed on AMTbased computers, this certificate authenticates the AMT-based computers to the RADIUS server so that it can then be authorized for network access.

Mobile devices that are enrolled by Windows Intune

Client authenticatio n

Not applicable: Windows Intune automatically creates this certificate.

Enhanced Key Usage value contains Client Authentication (1.3.6.1.5.5.7.3.2). 3 custom extensions uniquely identify the customer Windows Intune subscription. Users can supply the certificate Subject value during enrollment.

This certificate is automatically requested and installed when authenticated users enroll their mobiles devices by using Windows Intune. The resulting certificate on the device resides in the Computer store and authenticates the enrolled mobile device to Windows Intune, so that it can
338

Configuratio n Manager component

Certificate purpose

Microsoft certificate template to use

Specific information in the certificate

How the certificate is used in Configuration Manager

However, this value is not used by Windows Intune to identify the device. The key size is 2048 bits and uses the SHA-1 hash algorithm. Note You cannot change these settings: This information is provided for information al purposes only.

then be managed. Because of the custom extensions in the certificate, authentication is restricted to the Windows Intune subscription that has been established for the organization.

See Also
Planning for Configuration Manager Sites and Hierarchy

Identify Your Network and Business Requirements to Plan a Configuration Manager Hierarchy
Before you install a System Center 2012 Configuration Manager hierarchy of sites, or a single site, you must understand your network structure, organizational requirements, and the resources that are available to use with Configuration Manager. You can then combine this information with
339

the requirements for Configuration Manager to make decisions about your hierarchy and site designs, and site system server placement. Use the information in the following sections when you plan your Configuration Manager hierarchy: Collect Data about Available Resources Understand Your Organization Understand Your Physical Networks Use Your Active Directory Information Use Collected Information to Plan for Discovery Use Collected Information to Plan for Boundaries and Boundary Groups Use Collected Information to Plan for Site and Hierarchy Design Use Collected Information to Plan for Site Systems

Use the Data That You Collected to Plan Configuration Manager Sites

Collect Data about Available Resources

Before you design your System Center 2012 Configuration Manager deployment, you must understand the available network infrastructure and your companys IT organization and requirements.

Understand Your Organization

It is important that you know the structure of your organization because this information can influence how you deploy, use, and support Configuration Manager. It is also useful to know your organizations long-term plans. Changes such as mergers and acquisitions can have a significant effect on IT infrastructure. External factors that require changes and internal projects (either planned or in progress) can affect how you design and deploy Configuration Manager. Use the following guidelines to help you collect data about your organization.
Considerations Details

Departmental organization

Include the following information: High-level organization charts to help determine the divisional structure of your organization, the design of your Configuration Manager hierarchy, and your method of communicating Configuration Manager implementation updates to different departments Reporting hierarchy Communications methods Service level agreements (SLAs)
340

Considerations

Details

IT organization and administrative policies

Consider the following factors: The structure and technical level of local and remote IT divisions, their reporting hierarchies, and local and global IT administrative policies Organizational structure Reporting hierarchy Local administrative policies and SLAs Global IT administrative policies and SLAs

Long-term business direction

Any major business changes planned for the future, such as mergers, acquisitions, major physical moves, or network migrations

Geographic Profile
To deploy an efficient hierarchy of Configuration Manager sites, and to place individual sites in optimal locations, you must understand the geographic profile of your organization. Many organizations have centrally located headquarters with branch offices located in other regions as remote sites. Organizations that have locations in different cities must consider how to manage resources at those locations. This requires evaluation of the available network bandwidth between locations and an understanding of date and time zone differences that can affect how and when you distribute software to different locations. Use the following guidelines to collect geographic information.
Geographic information Details

Date and time zone information

List the time zone for each location, and list any date and time difference between the remote site and headquarters. Time zone. Date and time differences.

Operating systems and international operating system versions

List the operating systems that are in use and their locations.

Active Directory Structure

When you plan your Configuration Manager hierarchy, consider the layout of your Active Directory structure (hierarchical forest arrangement and domain structure) and its physical structure (Active Directory site topology). An Active Directory site typically includes one or more
341

well connected TCP/IP subnets. A well connected TCP/IP subnet has a fast, reliable network connection. Document your physical Active Directory structure and domain structure before you start the planning phase. Later, when you plan your Configuration Manager deployment, pay attention to the more detailed information of the logical structure, such as the organizational units, because these can help determine how you organize collections, distribute software, and perform queries in Configuration Manager. Use the following guidelines to collect Active Directory information.
Active Directory structure Details

Logical structure

The logical structure of your organization as represented by the following Active Directory components: organizational units, domains, trees, and forests. Information that you collect about domains and forests must include information about trusted and untrusted domains and forests that contain resources that you will use or manage with Configuration Manager. This includes information about existing domains and trusts across forests.

Physical structure

The physical structure of your organization as represented by the following Active Directory components: Active Directory sites (physical subnets) and domain controllers.

Information Technology Organization

It is important to determine your personnel resource requirements and to assign project roles when you plan your Configuration Manager deployment. To do this, you first must have an understanding of your current IT organization. You require this information during your Configuration Manager planning and deployment phases, and also for post-deployment operational tasks. Understand the structure of the IT staff in your organization. For example, you might have one central IT group with members in close communication. Or you might have many decentralized groups where communication is not optimal. There might be a central headquarters with IT responsibility, or many separate administrative units with widely varying goals and philosophies. Use the following guidelines to collect IT organization information.

342

Details

Collect information about your IT organization. Also create an organization chart that maps your IT organization to your geographic profile. IT reporting hierarchy. IT departmental divisions that produce an overlap in Configuration Manager tasks (for example, a department separate from the Configuration Manager team manages all database servers, including computers that are running Microsoft SQL Server). Locations where management control or policy issues exist. Level of technical sophistication and security clearance of IT staff members who are working with Configuration Manager before, during, or after deployment. Auditing policies. Service level agreements for departments, end users, and IT groups. Operating systems in use on the network. Sensitivity to security risks. Change control policy.

Security Environment
Use the following guidelines to collect security policy information.
Details

Collect information about your organizations security policies, such as the following: Account password policies Account reuse policies Account rights policies Client and server lockdown policies (restrictions on disks and registry, services
343

Details

that are stopped, whether services use Domain Administrator accounts, and hidden shared folders that are removed) Auditing policies

Separation of or delegation of duties between IT divisions within the enterprise. The degree to which users must retain control of client devices, and any exceptions to such policies (such as servers, or computers in use by programmers). Collect information about how security-related issues will be handled and supported, such as the following information: Sensitivity to security risks Importance of ease of administration Special requirements for secure data access and transmission Service level agreements (SLAs) for applying security updates

Operating System Languages

Identify the client and server operating system languages that devices use that you will manage with Configuration Manager. By default, the Configuration Manager console and client-facing user interface displays information in English. However, each site can install support for multiple supported languages that can display information in the operating systems language. This information can help you plan for the languages you require at each site to provide your administrative users and endusers with the language support that they require.

Understand Your Physical Networks

It is important that you know the structure of your available networks, the network topology, available bandwidth, the location of servers, and the location of computers that might be installed as Configuration Manager clients. This information can influence your decisions about where and what type of sites your Configuration Manager design requires. Use the following sections to assist you when you collect data about your organization.

344

Network Topology
Create high-level diagrams of your network topology that include any available information that is listed in the following table. Later, after you make decisions about your Configuration Manager hierarchy structure and site system hardware requirements, you can determine whether any equipment upgrades or additions are required before you begin your Configuration Manager deployment. Network diagrams are also helpful for when you create a representative test environment for a test network or pilot project. Ensure that your network diagram is detailed and specific. If your network is large or complex, consider creating a similar but separate diagram for your domain structure and server topology. Use the following guidelines to collect network topology information.
Network topology Details

High-level wide area network (WAN)/LAN architecture Network size Network bandwidth

Links, gateways, firewalls, extranets, virtual private networks, and perimeter networks Number of servers and clients at each location Link speeds and available bandwidth, including any known bandwidth issues Categorize the amount of traffic, and identify the times of day when the network usage is heaviest (peak times) and the times that are scheduled for backup and maintenance (nonpeak times) Windows and non-Microsoft network operating systems TCP/IP, IPv4, IPv6, AppleTalk, and so on, and name resolution methods such as DNS and WINS The Internet Protocol (IP) subnets on your network by subnet ID Active Directory organizational units, site names, trees, and forests

Network usage and traffic patterns

Network types

Network protocols

IP subnet structure

Active Directory site structure

Server Environment
Configuration Manager uses typical network infrastructure, which includes Active Directory Domain Services, DNS, or WINS for name resolution, and Internet Information Services (IIS) for client communications with Configuration Manager site system servers.
345

Use the following guidelines to assist in gathering server data.

Server data Details

Location and function

Document the location and function of the computers that run the core services of your network, such as global catalog servers, domain controllers, DNS and WINS servers, IIS servers, certification authority (CA) servers, computers that run Microsoft SQL Server or Terminal Services, servers running Microsoft Exchange Server, print servers, and file servers. Document current naming conventions for products that you use with Configuration Manager, such as computers that run Windows Server 2008 and SQL Server. This helps you establish and document naming conventions for your Configuration Manager hierarchy elements. These elements include sites, site codes, servers, and the objects that are used by or created in the Configuration Manager console. Because the site code is used to identify each Configuration Manager site, it is important that these are centrally assigned and tracked.

Naming conventions

Hardware, software, and network information

Document hardware, software, and network information for each server to use as a site system role in your Configuration Manager hierarchy. For example, document the following information for each server that will be part of your Configuration Manager hierarchy: Processor type and speed Amount of random access memory (RAM) Disk and array controller configuration and characteristics, including size, cache size, and the drive models and types. Platform operating system, version, and language Whether the Windows Cluster service or Windows Network Load Balancing Service
346

Server data

Details

is enabled Relevant software applications located on servers, which includes firewall and antivirus software

Device Environment
Where applicable, identify information about devices in your network diagram. This type of information can help you determine whether you must upgrade operating systems before you deploy Configuration Manager, the scope of your client deployment for devices, and which discovery and Configuration Manager client installation methods you will employ. It is important to gather this information so that you can prepare for interoperability and connectivity issues that might prevent the Configuration Manager client from installing. For example, suppose that all members of the Contoso Pharmaceuticals sales group use portable computers: Some laptops run Windows XP Professional SP2 (which is not supported as a System Center 2012 Configuration Manager client), and others run Windows 7. Additionally, members of the sales team travel frequently from one location to another and use a custom remote access application to access the sales database located at headquarters. The Contoso Pharmaceuticals marketing group, however, uses desktop computers that run Windows Vista. Although they do not travel, the marketing members have home computers that they use to remotely connect to the corporate network over a virtual private network (VPN).

The information about operating systems, travel, and custom applications can help you prepare to manage the computer operating systems that are in use and plan for operating system upgrades before you deploy Configuration Manager. This information also helps you plan for the deployment of site systems servers for clients on the intranet and on the Internet, and make further plans to manage the custom applications that you use. Use the following guidelines to help you gather data about the devices to manage.
Device considerations Details

Number of devices to manage

Total number of devices in use on your network, and their physical and logical groupings. Number and types (operating systems) of devices on each IP subnet, which includes the projected number of managed devices in the next year.
347

IP subnet size

Device considerations

Details

Logon scripts

Whether users use logon scripts, and if those scripts are customized to users or groups. Note the file name and location of each script, and users and groups that are associated with each script. Desktop security rights that are granted to end users. Windows operating systems (include the language version) in use on each IP subnet, and the locations of any computers running operating systems other than Windows. Computers that are shared by multiple users, laptops that travel from one location to another, mobile devices, all home-based computers that have remote access to the network, and any other device environments. A database or spreadsheet of all major applications that are in use in the enterprise, categorized by organizational division or by IP subnet. Divisions or departments that use Windows Terminal Services to run applications, or that use other special applications, such as internally manufactured or obsolete applications. The types of connectivity that different organizational groups use, which includes remote connection speeds (dependent on the remote access method in use, such as wireless, dial-up, the Internet, or others).

Security rights

Operating systems

Device mobility

Software

Special applications

Connectivity

Use the Data That You Collected to Plan Configuration Manager Sites
After you collect relevant information about your networks and organization, you can combine this information with Configuration Manager options and requirements to plan a site or hierarchy that makes efficient use of your available resources and also meets your organizational goals.
348

Use the following sections to help you use this data when you plan a site or hierarchy.

Use Your Active Directory Information

Combine the information about your Active Directory environment with the information in the following table to identify how you can use your existing Active Directory investment with Configuration Manager.
Active Directory planning Details

Add your Active Directory sites to Configuration Manager as boundaries

Consider using Active Directory Forest Discovery to first identify Active Directory sites and subnets, and then add them as Configuration Manager boundaries. For more information, see About Active Directory Forest Discovery.

Extend the Active Directory schema to simplify the management of client communication to sites in Configuration Manager sites

The preferred, but optional, method for clients to find information about Configuration Manager sites and the Configuration Manager services that are available is from Active Directory Domain Services. When you extend the Active Directory schema and enable sites to publish data to Active Directory, clients can automatically discover resources from this trusted source, and make efficient use of the network, based on their current location. For more information, see Determine Whether to Extend the Active Directory Schema for Configuration Manager.

Use Configuration Manager to manage sites that span multiple Active Directory forests

Configurations across forests within a site or between two sites require a full two-way forest trust so that Kerberos can be used for authentication. You can manage computers that are not members of a trusted Active Directory domain; however, you must implement additional configurations to support these computers. For more information, see Planning for Communications in Configuration Manager.

349

Use Collected Information to Plan for Discovery

Combine the information about your Active Directory structure, your network, and device resources, with the information in the following table to help you plan for discovery, which finds resources for Configuration Manager to manage.
Discovery planning Details

Use the Active Directory discovery methods to find computers, users, and groups that you can manage with Configuration Manager

To query Active Directory Domain Services for resources, you must understand your Active Directory container and location structure (local domain, local forest). Also understand how to construct custom lightweight Directory Access Protocol (LDAP) or Global Catalog queries so that you can search specific areas of Active Directory Domain Services to conserve network bandwidth for when you run the Active Directory Discovery method. For more information about which discovery method to use to discover different resources, see the Decide Which Discovery Methods to Use section in the Planning for Discovery in Configuration Manager topic.

Use Network Discovery to discover details of your network topology and computer resources that you can manage with Configuration Manager

To query your network with Network Discovery, understand your DHCP server infrastructure, available SNMP-enabled devices, or Active Directory domains. This information can help you configure a Network Discovery search to conserve network bandwidth for when you run Network Discovery. For more information about Network Discovery, see the About Network Discovery section in the Planning for Discovery in Configuration Manager topic.

Use Active Directory Forest Discovery to search your local forest, and any additional forests that you configure for Active Directory sites and subnets

Consider using Active Directory Forest Discovery to first identify Active Directory sites and subnets, and then add them as Configuration Manager boundaries. For more information, see the About Active Directory Forest Discovery section in the Planning for Discovery in Configuration Manager topic.
350

Use Collected Information to Plan for Boundaries and Boundary Groups

System Center 2012 Configuration Manager clients use boundary groups during client installation for site assignment, and after installation to locate resources for content deployment. You assign boundaries to boundary groups, and can also assign content servers to boundary groups. Each boundary group can support two distinct configurations; site assignment, and content location. When you configure two or more boundary groups to include the same boundary, directly or indirectly, they are considered to be overlapping. For example, you might add an IP subnet boundary of 5.5.5.5 directly to a boundary group. Next, you add an Active Directory site that includes that same IP Subnet to a second boundary group. These two boundary groups now overlap because each includes the 5.5.5.5 subnet. Configuration Manager supports overlapping boundaries for content location. This type of configuration can help to provide additional options for clients when they search for available content. However, Configuration Manager does not support overlapping boundaries for site assignments as the client cannot identify which site to join. For more information, see Planning for Boundaries and Boundary Groups in Configuration Manager. Combine the information about your network topology, available bandwidth, computer resources, and organization requirements, with the information in the following table to help you plan for boundaries and boundary groups.
Options to consider Details

Create separate boundary for site assignment and for content location

Although boundary groups support configurations for site assignment and content location, consider creating a distinct set of boundary groups for each purpose. Configure boundary groups for client site assignment without overlapping boundaries. If you assign a boundary to a boundary group, do not assign it to another boundary group that specifies a different site. You can configure boundary groups for content location with overlapping boundaries. Each boundary that you assign to a boundary group will be associated with each content location server that you associate to the same boundary group. Overlapping boundary configurations for content locations can provide flexibility for clients that request content.

For more information see, Planning for Boundaries and Boundary Groups in
351

Options to consider

Details

Configuration Manager. Content location Add specific network locations as boundaries to the boundary group, and then add distribution points that are on fast network connections to those network locations. Clients that are on the specified boundaries receive those servers as content locations during content requests. Note State migration points are also considered content location servers when you configure boundary groups. For more information about content location, see Planning for Content Management in Configuration Manager. Site assignment Add specific network locations as boundaries to the boundary group and then specify a site to the boundary group. Avoid assigning the same boundary, directly or indirectly, to more than one boundary group that you use for site assignment. For more information about client site assignment, see How to Assign Clients to a Site in Configuration Manager. Fallback site assignment Consider configuring the hierarchy with a fallback site assignment. The fallback site is assigned to a new client computer that automatically discovers its site when that client is on a network boundary that is not associated with any boundary group that is configured for site assignment. For more information, see the Configure a Fallback Site for Automatic Site Assignment section in the Configuring Settings for Client Management in Configuration Manager topic.

352

Use Collected Information to Plan for Site and Hierarchy Design

Combine the information about your network topology, available bandwidth, server and computer resources, and organization requirements, with the information in the following table to help you plan where to locate sites and site system roles in your hierarchy and how to manage communications between sites, site systems, and clients.
Considerations Details

Consider installing a Configuration Manager site only in a well connected network. Usually well connected networks correspond to geographic locations. For planning purposes, start with the assumption that each well connected network is one Configuration Manager site. Modify this number as you collect more information about your organization.

Identify the number and location of well connected networks that you have in your network. Within a site, clients expect communication with site system servers to be on a well connected network. When you use a boundary group that is configured for content location, you can manage which distribution points and state migration points a client can access. For more information, see Planning for Communications in Configuration Manager.

Remote subnets might be too small to justify their own Configuration Manager site.

If you have remote subnets that are too small to justify their own Configuration Manager site, list those IP subnets and their closest well connected network. From the nearest site, consider placing a distribution point that is enabled for bandwidth control on these subnets to help manage content deployment to clients at those locations. For more information, see Planning a Content Deployment Migration Strategy in System Center 2012 Configuration Manager.

In a hierarchy that has multiple primary sites, the central administration site replicates data with each primary site.

Balance the location of the central administration site between a location that benefits the most administrative users, and a location that has a well connected network to your largest primary sites. Configuration Manager consoles that connect to a primary site cannot see or manage some data from other primary sites. Database replication occurs regularly between primary sites and the central administration
353

Considerations

Details

site, and a well connected network can help prevent replication delays of the Configuration Manager database. For more information about intersite replication, see the Planning for Inter-Site Communications in Configuration Manager section in the Planning for Communications in Configuration Manager topic. Each Configuration Manager primary site can manage up to 100,000 clients, with up to 400,000 clients in a single hierarchy. However, the practical number of clients that a primary site can manage also depends on the hardware configuration and performance constraints of the site server and site system servers. Although each primary site supports up to 100,000 clients, site system roles have lower limits. If you configure too few site system servers for critical roles at a site, you can create a performance and communication bottleneck that adversely affects the management of your environment. For example, management points support up to 25,000 clients. Therefore, in a site with 100,000 clients, you can expect to install at least four management points to provide adequate service to your clients. However, the addition of more management points can provide redundancy and can improve overall client-tosite communications, and compensate for any unexpected performance issues on those management point servers. For more information about site system server requirements and capacity, see the Site System Requirements section in the Supported Configurations for Configuration Manager topic. Plan your hierarchy infrastructure by using the fewest number of sites necessary to reduced administrative overhead. Tip In a System Center 2012 Configuration Manager hierarchy, you can reduce the number of sites required to manage the same infrastructure than was required in Configuration Manager 2007. Configuration Manager can manage multiple instances of the following options at the same site: Note In previous product versions, the comparable configurations each required a separate site to manage different instances of the option. To partition administrative access to resources throughout the hierarchy, you
354

Considerations

Details

can use role-based administration. For more information, see the Planning for Role-Based Administration section in the Planning for Security in Configuration Manager topic. Use collections to assign custom settings to different groups of users or devices in the hierarchy. For more information, see Planning for Client Settings in Configuration Manager. To manage the display language of Configuration Manager consoles and the clients user-facing interface, plan to add support for the server and client operating system languages that you will require at each site. For more information about languages, see the Planning for Operating System Languages section in the Planning for Sites and Hierarchies in Configuration Manager topic. Additionally, when you distribute content to network locations that are not well connected and content distribution is your primary network bandwidth concern, you can use the site system role of a distribution point that is enabled for bandwidth control to replace a secondary site. For more information about how to use distribution points instead of secondary sites, see Planning a Content Deployment Migration Strategy in System Center 2012 Configuration Manager. Choose the type of site to use for a given network or geographic location. Consider the following when you decide the type of site to deploy at a network or geographical location: Primary and central administration sites require an instance of SQL Server, and that instance must be installed on a well connected network.
355

Considerations

Details

You deploy primary sites to manage clients. Although you can deploy a secondary site to manage the client information from clients at remote locations, the clients must still assign to a primary site. It is from the primary site that clients obtain their policy. Secondary sites extend a primary site to a remote network location. You can deploy a distribution point that is enabled for bandwidth control from the primary site when content deployment to the network location is your primary concern and you are not concerned about the network bandwidth that is used when computers send their client information to the site. Configuration Manager consoles can only connect to a primary site or the central administration site.

For more information about site type options, see the About Site Types in Configuration Manager section in the Planning for Sites and Hierarchies in Configuration Manager topic. As a security best practice, use a public key infrastructure (PKI) to deploy and manage the certificates that are required for communication in Configuration Manager. If you use a PKI, document how the certificates will be configured, deployed, and managed for site systems that require them, client computers, and mobile devices. For more information about the certificate requirements in Configuration Manager, see the Planning for Certificates (Self-Signed and PKI) section in the Planning for Security in Configuration Manager topic. Prepare Active Directory Domain Services to support client communications, or configure alternatives, which includes DNS or WINS. For information to help you decide whether to extend the Active Directory schema to support Configuration Manager, see Determine Whether to Extend the Active Directory Schema for Configuration Manager. For information about client communication, see the Planning for Client Communication in Configuration Manager section in the Planning for Communications in Configuration Manager topic.
356

Use Collected Information to Plan for Site Systems

Depending on the hardware configuration of your site system servers, the numbers of clients that will use each site system server and the security requirements for your organization, you might decide that one server can perform one or more site system roles. It is also possible that you will have to separate specific site system roles, such as those that use Internet Information Services (IIS) to communicate with Configuration Manager clients, from other site system roles such as the site database server. The following sections contain lists of typical planning considerations and questions for you to review when you plan for site systems that are typically used in Configuration Manager. Your organization might require additional considerations.

Database Servers
The database server stores information from clients and the configurations that you use to manage your environment. Each site uses database replication to share the information in its database with other sites in the hierarchy. You can install a database server on the site server or on another server that is on a well connected network location. This site system role requires Microsoft SQL Server, and when you have multiple sites in a hierarchy, the database at each site must use the same SQL Server database collation to enable the data to replicate between them. Use the following planning considerations to help you plan for database servers.
Planning considerations Details

Is this a central administration site, a primary site, or secondary site?

Central administration sites and primary sites must have access to a full installation of SQL Server to host the site database. Secondary sites can use a full installation of SQL Server, or SQL Server Express. For more information, see the Planning for Database Servers in Configuration Manager section in the Planning for Site Systems in Configuration Manager topic.

Are you planning to locate the Configuration Manager site database on the site server?

You can install the site database on an instance of SQL Server on the site server or on another server. If you install the site database by using an instance of SQL Server on another server, or move it to another instance of SQL Server after site installation, Configuration Manager supports moving the site database back to the
357

Planning considerations

Details

site server at a later time. Note Secondary sites do not support SQL Server on another server. For more information, see the Planning for Database Servers in Configuration Manager section in the Planning for Site Systems in Configuration Manager topic. Decide whether to install more than a single SMS Provider at a site. A site server uses the SMS Provider to communicate with the site database. Configuration Manager supports installing multiple instances of the SMS Provider, but only one SMS Provider instance can be installed on each computer. Each SMS Provider can be installed on the site server, another server running SQL Server, or on another server. Multiple instances of the SMS Provider are supported at central administration sites and primary sites. Note Secondary sites do not support installation of the SMS Provider on another computer. For more information, see the Planning for the SMS Provider in Configuration Manager section in the Planning for Site Systems in Configuration Manager topic. For a hierarchy, do you have servers that run SQL Server with compatible configurations that will be available for each planned site? Each server running SQL Server that you use as a database server must meet specific configurations. For example, because sites replicate data directly with other sites, the SQL Server collation of each database server must match that of each other site in the hierarchy. For more information, see the SQL Server Configurations for Database Servers section in the Planning for Site Systems in Configuration
358

Planning considerations

Details

Manager topic.

Distribution Points
You can install one or more distribution points at each primary and secondary site.
Planning considerations Details

Will you deploy content to clients at this site?

Consider the number and size of the applications and packages that you expect to store on the distribution points at this site. This will help you understand the disk space requirements that you require for distribution point servers. For more information see, Planning for Content Management in Configuration Manager.

How many clients will access the distribution points at this site?

Plan for sufficient distribution points to service the number of clients that request content at the site. For more information, see the Determine the Distribution Point Infrastructure section in the Planning for Content Management in Configuration Manager topic.

Will you use distribution point groups to streamline the administration of content deployments?

Identify how you plan to group your distribution points. For more information, see the Plan for Distribution Point Groups section in the Planning for Content Management in Configuration Manager topic. For example, distribution points require Remote Differential Compression and Internet Information Services (IIS). For more information about the prerequisites for distribution points, see the Distribution Point Configurations section in the Planning for Content Management in Configuration Manager topic.

Do your distribution point servers have all the prerequisites installed?

Do you have distribution points in sites that are located on network locations that are not well

If so, configure those distribution points for

359

Planning considerations

Details

connected?

network bandwidth control. For more information, see the Network Bandwidth Considerations for Distribution Points section in the Planning for Content Management in Configuration Manager topic.

Management Points
A management point is the primary point of contact between Configuration Manager clients and the site server. A primary or secondary site can have multiple management points for clients on the intranet, and primary sites can support multiple Internet-based management points for mobile devices and client computers that are on the Internet. Use the following planning considerations to help you plan for management points.
Planning considerations Details

Consider the maximum number of clients that you will manage at this site.

If there will be more than 25,000 clients at a site, you must install more than one management point. Even when you have fewer than 25,000 clients, consider installing additional management points for redundancy and to compensate for less than optimal hardware or server operating conditions. For more information, see the Site System Requirements section in the Supported Configurations for Configuration Manager topic.

Consider how often the clients that are assigned to this site will retrieve new policy information.

Clients download client policy on a schedule that you configure as a client setting. Consider the frequency of this download when you plan for the number of management points to deploy at each site. For more information, see How to Manage Clients in Configuration Manager.

If you will collect hardware or software inventory from clients at this site, consider the inventory configurations and schedules.

Clients collect and send inventory data to a management point on a schedule that you configure as a client setting. Consider the information about the frequency of these actions and the data you will collect from clients when you plan for the number of management points to deploy at each site.
360

Planning considerations

Details

For more information, see How to Configure Hardware Inventory in Configuration Manager. If you will use software metering for clients at this site, consider the schedule for sending the metering data. Clients collect and send metering data to a management point on a schedule that you configure as a client setting. Consider the frequency of this schedule when you plan the number of management points to deploy at each site. For more information, see Planning for Software Metering in Configuration Manager.

Reporting Services Points

A reporting services point is a site server that hosts a site's Reporting website. A reporting point obtains report information from the database server of its Configuration Manager site.
Planning consideration Details

Will this site require a reporting services point?

You can install a reporting services point at a central administration site or a primary site. However, only the reporting services point at the top-level site of your hierarchy can provide reports with information from all sites in your hierarchy. For more information, see Introduction to Reporting in Configuration Manager.

Software Update Points

A software update point is a site system server you install on a site system that already has Windows Server Update Services (WSUS) installed on it. The central administration site and all primary child sites must have an active software update point to deploy software updates. You must determine on which sites to install an Internet-based software update point, when to configure the active software update point as a Windows network load balancing (NLB) cluster, and when to create an active software update point at a secondary site.
Planning considerations Details

What is the maximum number of clients you will Each software update point can support up to
361

Planning considerations

Details

manage at this site?

25,000 clients. If there are more than 25,000 client computers assigned to the site, consider creating a Network Load Balancing (NLB) cluster for a group of WSUS servers, and then use the NLB cluster as the active software update point on the site. For more information, see Planning for Software Updates in Configuration Manager.

Is a supported version of WSUS installed on an existing site system? What is the computer name of the site system?

A supported version of WSUS must be installed on the site system computer before you add the software update point site role to the site system. For information about supported WSUS configurations, see Prerequisites for Software Updates in Configuration Manager.

Does this site support clients that are on the Internet?

The Internet-based software update point accepts communication from devices on the Internet. You can only create the Internetbased software update point when the active software update point is not configured to accept communication from devices on the Internet. For more information, see the Determine the Software Update Point Infrastructure section in the Planning for Software Updates in Configuration Manager topic.

See Also
Planning for Configuration Manager Sites and Hierarchy

Determine Whether to Migrate Configuration Manager 2007 Data to System Center 2012 Configuration Manager
In System Center 2012 Configuration Manager, the built-in migration functionality replaces inplace upgrades of existing Configuration Manager infrastructure by providing a process that
362

transfers data from active Configuration Manager 2007 sites. Migration can transfer most data from Configuration Manager 2007. If you do not migrate Configuration Manager 2007 to System Center 2012 Configuration Manager, or if you migrate data and want to maintain objects that migration does not migrate, you must re-create non-migrated objects in the new Configuration Manager hierarchy. Because of the design changes introduced in System Center 2012 Configuration Manager, you cannot upgrade existing Configuration Manager 2007 infrastructure with one exception. Migration does support the upgrade of qualifying Configuration Manager 2007 distribution points to System Center 2012 Configuration Manager distribution points. This includes the upgrade of a Configuration Manager 2007 secondary site that is co-located with a distribution point. If you upgrade a distribution point, the content on the distribution point computer is retained, and converted to the new System Center 2012 Configuration Manager format. Then the site system role is removed from the Configuration Manager 2007 hierarchy and the distribution point and site system server are added as a distribution point to the System Center 2012 Configuration Manager primary or secondary site of your choice. When a distribution point on a Configuration Manager 2007 secondary site upgrades, the secondary site is uninstalled and removed from the Configuration Manager 2007 hierarchy. The result is a System Center 2012 Configuration Manager distribution point with all migrated content converted to the single instance store. For more information about migrating from Configuration Manager 2007 to System Center 2012 Configuration Manager, see Migrating Hierarchies in System Center 2012 Configuration Manager.

See Also
Planning for Configuration Manager Sites and Hierarchy

Determine Whether to Extend the Active Directory Schema for Configuration Manager
When you extend the Active Directory schema for System Center 2012 Configuration Manager, you can publish site information to Active Directory Domain Services. Extending the Active Directory schema is optional for Configuration Manager. However, by extending the schema you can use all Configuration Manager features and functionality with the least amount of administrative overhead. If you decide to extend the Active Directory schema, you can do so before or after you run Configuration Manager Setup.
363

Considerations for Extending the Active Directory Schema for Configuration Manager
The Active Directory schema extensions for System Center 2012 Configuration Manager and System Center 2012 Configuration Manager SP1 are unchanged from those used by Configuration Manager 2007. If you extended the schema for Configuration Manager 2007, you do not have to extend the schema again for System Center 2012 Configuration Manager or System Center 2012 Configuration Manager SP1. Similarly, if you extended the schema for System Center 2012 Configuration Manager with no service pack, you do not have to extend the schema again for System Center 2012 Configuration Manager SP1. Extending the Active Directory schema is a forest-wide action and can only be done one time per forest. Extending the schema is an irreversible action and must be done by a user who is a member of the Schema Admins Group or who has been delegated sufficient permissions to modify the schema. If you decide to extend the Active Directory schema, you can extend it before or after setup. Four actions are required to successfully enable Configuration Manager clients to query Active Directory Domain Services to locate site resources: Extend the Active Directory schema. Create the System Management container. Set security permissions on the System Management container. Enable Active Directory publishing for the Configuration Manager site.

For information about how to extend the schema, create the System Management container, and configure setting security permissions on the container, see Prepare Active Directory for Configuration Manager in the Prepare the Windows Environment for Configuration Manager topic. For information about how to enable publishing for Configuration Manager sites, see Planning for Publishing of Site Data to Active Directory Domain Services. Mobile devices that are managed by the Exchange Server connector and the following clients do not use Active Directory schema extensions for Configuration Manager: The client for Mac computers The client for Linux and UNIX servers Mobile devices that are enrolled by Configuration Manager Mobile devices that are enrolled by Windows Intune Mobile device legacy clients Windows clients that are configured for Internet-only client management Windows clients that are detected by Configuration Manager to be on the Internet

The following table identifies Configuration Manager functions that use an Active Directory schema that is extended for Configuration Manager, and if there are workarounds that you can use if you cannot extend the schema.

364

Functionality

Active Directory

Details

Client computer installation and site assignment

Optional

When a new Configuration Manager Windows client installs, the client can search Active Directory Domain Services for installation properties. If you do not extend the schema, you must use one of the following workarounds to provide configuration details that computers require to install: Use client push installation. Before you use client installation method, make sure that all prerequisites are met. For more information, see the section Installation Method Dependencies in Prerequisites for Computer Clients. Install clients manually and provide client installation properties by using CCMSetup installation command-line properties. This must include the following: Specify a management point or source path from which the computer can download the installation files by using the CCMSetup property /mp:=<management point name computer name> or /source:<path to client source files> on the CCMSetup command line during client installation. Specify a list of initial management points for the client to use so that it can assign to the site and then download client policy and site settings. Use the CCMSetup Client.msi property SMSMP to do
365

Functionality

Active Directory

Details

this. Publish the management point in DNS or WINS and configure clients to use this service location method.

Port configuration for client-toserver communication

Optional

When a client installs, it is configured with port information. If you later change the client-toserver communication port for a site, a client can obtain this new port setting from Active Directory Domain Services. If you do not extend the schema, you must use one of the following workarounds to provide this new port configuration to existing clients: Reinstall clients and configure them to use the new port information. Deploy a script to clients to update the port information. If clients cannot communicate with a site because of the port change, you must deploy this script externally to Configuration Manager. For example, you could use Group Policy.

Network Access Protection

Required

Configuration Manager publishes health state references to Active Directory Domain Services so that the System Health Validator point can validate a clients statement of health. When you create content at one site and then deploy that content to another site in the hierarchy, the receiving site must be able to verify the signature of the signed content data. This requires access to the public key of the source site where
366

Content deployment scenarios Optional

Functionality

Active Directory

Details

you create this data. When you extend the Active Directory schema for Configuration Manager, a sites public key is made available to all sites in the hierarchy. If you do not extend the Active Directory schema, you can use the hierarchy maintenance tool, preinst.exe, to exchange the secure key information between sites. For example, if you plan to create content at a primary site and deploy that content to a secondary site below a different primary site, you must either extend the Active Directory schema to enable the secondary site to obtain the source primary sites public key, or use preinst.exe to share keys between the two sites directly.

Attributes and Classes Added by the Configuration Manager Schema Extensions

When you extend the schema for Configuration Manager, several classes and attributes are added that any Configuration Manager site in the Active Directory forest can use. Because the global catalog is replicated throughout the forest, consider the network traffic that might be generated. In Windows 2000 forests, extending the schema causes a full synchronization of the whole global catalog. For Windows 2003 forests, Windows 2008 forests, and Windows 2008 R2 forests, only the newly added attributes are replicated. Plan to extend the schema during a time when the replication traffic does not adversely affect other network-dependent processes. When you extend the Active Directory schema for System Center 2012 Configuration Manager, the following attributes and classes are added to Active Directory Domain Services: Attributes: cn=mS-SMS-Assignment-Site-Code cn=mS-SMS-Capabilities cn=MS-SMS-Default-MP cn=mS-SMS-Device-Management-Point
367

cn=mS-SMS-Health-State cn=MS-SMS-MP-Address cn=MS-SMS-MP-Name cn=MS-SMS-Ranged-IP-High cn=MS-SMS-Ranged-IP-Low cn=MS-SMS-Roaming-Boundaries cn=MS-SMS-Site-Boundaries cn=MS-SMS-Site-Code cn=mS-SMS-Source-Forest cn=mS-SMS-Version cn=MS-SMS-Management-Point cn=MS-SMS-Roaming-Boundary-Range cn=MS-SMS-Server-Locator-Point cn=MS-SMS-Site

Classes:

Note The Active Directory schema extensions might include attributes and classes that are carried forward from previous versions of the product but not used by Microsoft System Center 2012 Configuration Manager. For example: Attribute: cn=MS-SMS-Site-Boundaries Class: cn=MS-SMS-Server-Locator-Point

To ensure that these lists are current for your version of System Center 2012 Configuration Manager, review the ConfigMgr_ad_schema.LDF file that is located in the\SMSSETUP\BIN\x64 folder of the System Center 2012 Configuration Manager installation media.

See Also
Planning for Configuration Manager Sites and Hierarchy

Planning for Sites and Hierarchies in Configuration Manager

Before you deploy System Center 2012 Configuration Manager in a production environment, plan the design of your sites and site hierarchy. During the planning phase, identify the number and type of sites, and the location where you plan to deploy them. Plan for each site and identify where to install site system roles at each site. Tip
368

Ensure that your plan considers future server hardware changes in addition to current hardware requirements. You can deploy Configuration Manager as a single stand-alone primary site, or as multiple sites in a hierarchy. When you plan your initial deployment, consider a design that can expand for the future growth that your organization might require. Planning for expansion is an important step because the changes in System Center 2012 Configuration Manager from previous versions of the product mean that Configuration Manager can now support more clients with fewer sites. Important Configuration Manager does not support moving a site server between domains. If you must move a site server, you must uninstall Configuration Manager from the server, move the server to the new domain, and then install a new Configuration Manager site. You cannot successfully restore the original site to a server that has been moved to a new domain. Use the following sections in this topic to help you to implement a hierarchy design: Planning a Hierarchy in Configuration Manager About Site Types in Configuration Manager Determine Whether to Install a Central Administration Site Determine Whether to Install a Primary Site Determine Whether to Install a Secondary Site Determine Whether to Install a Site or Use Content Management Options

Planning to Expand a Stand-Alone Primary Site About Language Packs Planning for Server Language Packs Planning for Client Language Packs Best Practices for Managing Language Packs About the Read-Only Console

Planning for Client and Server Operating System Languages in Configuration Manager

Planning for the Configuration Manager Console Planning for Multiple Administrative Users and Global Data Replication in Configuration Manager About Multiple Edits to Global Data in Configuration Manager About Data Access From the Configuration Manager Console

Whats New in Configuration Manager

Note The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide.

369

System Center 2012 Configuration Manager introduces the central administration site and some changes to primary and secondary sites. The following tables summaries these sites and how they compare to sites in Configuration Manager 2007.
Site Purpose Change from Configuration Manager 2007

Central administration site

The central administration site coordinates intersite data replication across the hierarchy by using Configuration Manager database replication. It also enables the administration of hierarchy-wide configurations for client agents, discovery, and other operations. Use this site for all administration and reporting for the hierarchy.

Although this is the site at the top of the hierarchy in System Center 2012 Configuration Manager, it has the following differences from a central site in Configuration Manager 2007: Does not process data submitted by clients, except for the Heartbeat Discovery data record. Does not accept client assignments. Does not support all site system roles. Participates in database replication

Primary site

Manages clients in well connected networks.

Primary sites in System Center 2012 Configuration Manager have the following differences from primary sites in Configuration Manager 2007: Additional primary sites allow the hierarchy to support more clients. Cannot be tiered below other primary sites. No longer used as a boundary for client agent settings or security. Participates in database replication.

Secondary site

Controls content distribution Secondary sites in for clients in remote locations System Center 2012
370

Site

Purpose

Change from Configuration Manager 2007

across links that have limited network bandwidth.

Configuration Manager have the following differences from secondary sites in Configuration Manager 2007: SQL Server is required and SQL Server Express will be installed during site installation if required. A management point and distribution point are automatically deployed during the site installation. Secondary sites can send content distribution to other secondary sites. Participates in database replication.

Whats New in Configuration Manager SP1

Note The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide. With Configuration Manager SP1 you can expand a stand-alone primary site into a hierarchy that includes a new central administration site. After you install the new central administration site, you can install additional primary sites. For more information, see Expand a Stand-Alone Primary Site into a Hierarchy with a Central Administration Site.

Planning a Hierarchy in Configuration Manager

When you plan for a Configuration Manager hierarchy, consider your network and computing environment and identify your business requirements. You can then plan to implement Configuration Manager by using the minimal number of servers and the least amount of administration overhead to meet your organizations goals. System Center 2012 Configuration Manager provides an in-box solution for automated migration from Configuration Manager 2007. However, it does not support in-place upgrades from earlier versions of Configuration Manager or interoperability with Configuration Manager 2007 with the following two exceptions. The first exception is that during the time that you are actively migrating from Configuration Manager 2007 to System Center 2012 Configuration Manager, you can share
371

Configuration Manager 2007 distribution points with System Center 2012 Configuration Manager making the content on these distribution points accessible to System Center 2012 Configuration Manager clients. The second exception is that you can upgrade Configuration Manager 2007 secondary sites to be System Center 2012 Configuration Manager distribution points. To maintain the investment in your current Configuration Manager 2007 infrastructure, you must install System Center 2012 Configuration Manager as a new hierarchy, and then migrate Configuration Manager 2007 data and clients to System Center 2012 Configuration Manager. This side-by-side implementation provides an opportunity to redesign and simplify your hierarchy by using fewer site servers. With System Center 2012 Configuration Manager SP1, you have two additional options. First, you can migrate data from one System Center 2012 Configuration Manager SP1 hierarchy into another System Center 2012 Configuration Manager SP1 hierarchy. Second, you can expand a single System Center 2012 Configuration Manager SP1 stand-alone primary site into a larger hierarchy when you install a new central administration site. For more information about migration, see Migrating Hierarchies in System Center 2012 Configuration Manager. For information about expanding a stand-alone primary site, see the section Planning to Expand a Stand-Alone Primary Site later in this topic.

About Site Types in Configuration Manager

Your Configuration Manager deployment consists of either a hierarchy of sites or a stand-alone site. A hierarchy consists of multiple sites, each with one or more site system servers. A standalone site also consists of one or more site system servers. The following diagrams show some example site designs.

372

Site system servers within a site extend the functionality of Configuration Manager. For example, you might install a site system in a site to support software deployment or to manage mobile devices. To successfully plan your hierarchy of sites and identify the best network and geographical locations to place site servers, ensure that you review the information about each site type and the alternatives to sites offered by site systems you use for content deployment. Use the following table to help you plan the type of sites that you might require in your hierarchy.
Server Purpose More information

Central administration site

The recommended location for all administration and reporting for the hierarchy.

SQL Server is required. Does not process client data. Does not support client assignment. Not all site system roles are available.
373

Server

Purpose

More information

Primary site A required site that manages clients in well connected networks. All clients are assigned to a primary site.

Participates in database replication. SQL Server is required. Additional primary sites provide support for a higher number of clients. Cannot be tiered below other primary sites. Participates in database replication. SQL Server Express or a full instance of SQL Server is required. If neither is installed when the site is installed, SQL Server Express is automatically installed. A management point and distribution point are automatically deployed when the site is installed. Secondary sites must be direct child sites below a primary site, but can be configured to send content to other secondary sites. Participates in database replication.

Secondary site Manages clients in remote locations where network bandwidth control is required.

When you plan a Configuration Manager hierarchy, consider the following: You can schedule and throttle network traffic when you distribute deployment content to distribution points. Therefore, you can use a distribution point instead of a site for some remote network locations. Discovery data records (DDRs) for unknown resources transfer by using file-based replication from a primary site to the central administration site for processing. Because discovery can create a large number of DDRs, plan where to place your central administration site and consider at which sites discovery operations will run to minimize the transfer of DDRs across low-bandwidth networks. DDRs for known resources are processed at the first primary site to receive them and do not transfer by using file-based replication to the central administration site. Instead, after being processed at the primary site, the discovery information replicates to other sites by using database replication.
374

Role-based administration provides a central administrative security model for the hierarchy, and you do not have to install sites to provide a security boundary. Instead, use security scopes, security roles, and collections to define what administrative users can see and manage in the hierarchy. Alerts in the Configuration Manager console provide state-based information for operations throughout the hierarchy.

Use the following sections to help you determine whether to install Configuration Manager sites and site systems.

Determine Whether to Install a Central Administration Site

Install a central administration site if you plan to install multiple primary sites. Use a central administration site to configure hierarchy-wide settings and to monitor all sites and objects in the hierarchy. This site type does not manage clients directly but it does coordinate inter-site data replication, which includes the configuration of sites and clients throughout the hierarchy. Use the following information to help you plan for a central administration site: The central administration site is the top-level site in a hierarchy. When you configure a hierarchy that has more than one primary site, you must install a central administration site, and it must be the first site that you install. The central administration site supports only primary sites as child sites. The central administration site cannot have clients assigned to it. The central administration site does not support all site system roles. For more information, see Planning Where to Install Sites System Roles in the Hierarchy. You can manage all clients in the hierarchy and perform site management tasks for any primary site when you use a Configuration Manager console that is connected to the central administration site. When you use a central administration site, the central administration site is the only place where you can see site data from all sites. This data includes information such as inventory data and status messages. You can configure discovery operations throughout the hierarchy from the central administration site by assigning discovery methods to run at individual sites. You can manage security throughout the hierarchy by assigning different security roles, security scopes, and collections to different administrative users. These configurations apply at each site in the hierarchy. You can configure file replication and database replication to control communication between sites in the hierarchy. This includes scheduling database replication for site data, and managing the bandwidth for the transfer of file-based data between sites.

Determine Whether to Install a Primary Site

Use primary sites to manage clients. Consider installing a primary site for any of the following reasons:
375

To manage clients directly. To increase the number of clients to manage. Each primary site can support up to 100,000 clients. To provide a local point of connectivity for administration. To meet organizational management requirements. For example, you might install a primary site at a remote location to manage the transfer of deployment content across a lowbandwidth network. A primary site can be a stand-alone primary site or a member of a hierarchy. A primary site only supports a central administration site as a parent site. A primary site only supports secondary sites as child sites and can support one or more secondary child sites. A primary site cannot change its parent site relationship after installation. However, with SP1, you can install a new central administration site as a parent site of an existing stand-alone primary site. Primary sites are responsible for processing all client data from their assigned clients. When a primary site is installed, it automatically configures database replication with its designated central administration site. Primary sites use database replication to communicate directly to their central administration site. You can install typically used site system roles when you install a primary site. For a list of site system roles that are supported on primary sites, see Planning Where to Install Sites System Roles in the Hierarchy.

Use the following information to help you plan for primary sites:

Determine Whether to Install a Secondary Site

Use secondary sites to manage the transfer of deployment content and client data across lowbandwidth networks. You manage a secondary site from a central administration site or the secondary sites parent primary site. Secondary sites must be attached to a primary site, and you cannot move them to a different parent site without uninstalling them, and then re-installing them as a child site below the new primary site. You can route content between peer secondary sites to help manage the filebased replication of deployment content. To transfer client data to a primary site, the secondary site uses file-based replication. However, a secondary site also uses database replication to communicate with its parent primary site. Consider installing a secondary site if any of the following conditions apply: You do not require a local administrative user for the site. You have to manage the transfer of deployment content to sites lower in the hierarchy. You have to manage client information that is sent to sites higher in the hierarchy.

If you do not want to install a secondary site and you have clients in remote locations, consider using Windows BranchCache or distribution points that are enabled for bandwidth control and scheduling. You can use these content management options with or without secondary sites, and
376

they can help you to reduce the number of sites and servers that you have to install. For information about content management options in Configuration Manager, see Determine Whether to Install a Site or Use Content Management Options. Use the following details to help you plan for secondary sites: Secondary sites automatically install SQL Server Express during site installation if a local instance of SQL Server is not available. Secondary site installation is initiated from the Configuration Manager console when it is connected to the central administration site or a primary site. When a secondary site is installed, it automatically configures database replication with its parent primary site. Secondary sites use database replication to communicate directly to their parent primary site and to obtain a subset of the shared Configuration Manager database. Secondary sites support the routing of file-based content to other secondary sites that have a common parent primary site. Secondary site installations automatically deploy a management point and distribution point that are located on the secondary site server.

Determine Whether to Install a Site or Use Content Management Options

If you have clients in remote network locations, consider using one or more content management options instead of a primary or secondary site. You can often remove the requirement for another site when you use Windows BranchCache, configure distribution points for bandwidth control, or manually copy content to distribution points (prestage content). Consider deploying a distribution point instead of installing another site if any of the following conditions apply: Your network bandwidth is sufficient for client computers at the remote location to communicate with a management point to download client policy, and send inventory, reporting status, and discovery information. Background Intelligent Transfer Service (BITS) does not provide sufficient bandwidth control for your network requirements.

For more information about content management options in Configuration Manager, see Introduction to Content Management in Configuration Manager.

Planning to Expand a Stand-Alone Primary Site

For Configuration Manager SP1 only: With System Center 2012 Configuration Manager SP1, you can install a new central administration site as a parent site of an existing stand-alone primary site. This expands your stand-alone primary site into a larger hierarchy that supports the install of additional new primary sites. You can expand only one pre-existing primary site into the new hierarchy because the database of the new central administration site is based on the database of your stand-alone primary site. After this new central administration site installs, you cannot join or expand

377

additional pre-existing primary sites to this same hierarchy. However, you can install new primary sites as child sites below the central administration site. To expand a stand-alone primary site into a larger hierarchy, run Configuration Manager SP1 Setup and install a new central administration site on a new server. During setup you can install the new central administration site as the first site in a new hierarchy or expand an existing standalone primary site into a hierarchy. When you expand an existing stand-alone primary site, you must specify the stand-alone primary site server you want to expand. After Setup contacts the site server of the stand-alone primary site, Setup continues normally. After Setup completes, the primary site becomes a child primary site in a hierarchy with a central administration site, and is no longer a stand-alone primary site. After you expand a stand-alone primary site into a hierarchy, you cannot then detach the primary site from the hierarchy to restore it to operation as a stand-alone primary site. To remove the primary site from the hierarchy, you must uninstall the primary site.

Prerequisites for Expanding a Stand-Alone Primary Site

A stand-alone primary site must meet the following prerequisites before you can expand it into a hierarchy with a central administration site:
Prerequisite Details

The stand-alone primary site and new central administration site must run the same version of Configuration Manager

For example, if you use Setup for SP1 to install a central administration site and expand a stand-alone primary site, that stand-alone primary site must also be at SP1. You must stop active migration to the standalone primary site, from other Configuration Manager hierarchies, and remove all configurations for migration This includes migration jobs that have not completed, and the configuration of the active source hierarchy. This is because migration operations are performed by the top-tier site of the hierarchy, and the configurations for migration do not transfer to the central administration site when you expand a stand-alone primary site. After you expand the stand-alone primary site, if you reconfigure migration at the primary site, it will be the central administration site that performs the migration related operations. For more information about how to configure migration, see Configuring Source Hierarchies
378

The stand-alone primary site cannot be configured to migrate data from another Configuration Manager hierarchy

Prerequisite

Details

and Source Sites for Migration to System Center 2012 Configuration Manager.

The computer account of the computer that will host the new central administration site must be a member of the Administrators group on the stand-alone primary site

To successfully expand the stand-alone primary site, the computer account of the new central administration site must be a member of the stand-alone primary sites Administrators group. This is required only during site expansion and the account can be removed from the group on the primary site after site expansion completes. These site system roles are supported only at the top-tier site of the hierarchy. Therefore, you must uninstall these site system roles before you expand the site stand-alone primary site. After you expand the site, you can reinstall these site system roles at the central administration site. All other site system roles can remain installed at the primary site.

You must uninstall the following site system roles from the stand-alone primary site before you can expand the site: Asset Intelligence synchronization point Endpoint Protection point

When the stand-alone primary site is configured for migration, you must stop all active Data Gathering before you expand the site

If you use migration to migrate data from another Configuration Manager hierarchy, you must stop all active Data Gathering before you expand the site. After the site expansion completes, you can reconfigure Data Gathering. For more information about stopping and reconfiguring data gathering for migration, see the Migration Data Gathering section in the Planning a Source Hierarchy Strategy in System Center 2012 Configuration Manager topic.

Considerations when Expanding a Stand-Alone Primary Site

When you expand a stand-alone primary site, objects and configurations that exist in the primary site database are shared with the new central administration site. With the following exceptions, there are no special considerations when you expand a stand-alone primary site:

379

Considerations

Details

Software update points

Prior to expanding a stand-alone primary site, you do not need to make configuration changes for software update points at the site. However, when you expand a stand-alone primary site, software update points at the primary site automatically reconfigure to synchronize with a software update point at the new central administration site. Therefore, after the new central administration site install completes, plan to install a software update point at that site as soon as possible, and configure it to synchronize with Windows Server Update Services (WSUS). Until you configure a software update point at the central administration site, software update points at the primary site will be unable to synchronize new software updates. Immediately after you expand a stand-alone primary site, expect a high level of data processing at the central administration site as that site synchronizes software update information from the primary site. The central administration site automatically creates new objects for software update management. The objects at the central administration site are authoritative for the hierarchy. Pre-existing configurations at the primary site automatically apply at the central administration site. These configurations include synchronization schedules, supersedence configurations, and additional related settings.

Packages for software deployment

Packages that were created at the stand-alone primary site before your expand the site, continue to be managed by the primary site. However, these packages replicate as global data to all sites in the hierarchy, and you can manage these packages from the central administration site. The only exception to this is the client installation package. When you expand a stand-alone primary site,
380

Client installation package

Considerations

Details

ownership of the client installation package transfers to the central administration site. However the package ID for this package remains unchanged. Because the top tier site of a hierarchy manages this package, and modifies the package to support only the client operating system languages that are selected at that site, ensure that the central administration site supports the same client languages that are selected at your primary site. For more information, see Planning for Client Language Packs section in Planning for Sites and Hierarchies in Configuration Manager topic. Client settings After you expand a primary site, you must restart the SMS_POLICY_PROVIDER component on the primary site. Until you restart the policy provider, the primary site does not provide new or updated client settings to clients, and continues to provide the client settings that were configured at the primary site before the primary site was expanded. To restart the policy provider, use the Configuration Manager Service Manager. To use the Configuration Manager Service Manager to manage a component, select the component in the Component Status node under System Status in the Monitoring workspace of the Configuration Manager console. After you select the component, click Start in the Component group on the Home tab, and then select Configuration Manager Service Manager. In Configuration Manager Service Manager, locate the component you want to manage, and then click Component. Next, click Query, and after you query the status of the component you can manage the status of that component. The policy provider also restarts when the SMS_EXECUTIVE service restarts on the site server, or after the
381

Considerations

Details

site server computer reboots. Support for client languages When you expand a stand-alone primary site and install the central administration, plan to add support at the central administration site for the same client languages that the stand-alone primary site supports. Adding support for the same client languages is not a requirement; this is a best practice to ensure that new Configuration Manager clients you install support the client languages you expect. For more information about how to manage languages in Configuration Manager, see Planning for Client and Server Operating System Languages in Configuration Manager section in the Planning for Sites and Hierarchies in Configuration Manager topic. Default Boot WIM The central administration site creates and deploys a new default boot WIM. This WIM becomes the new default WIM for use in the hierarchy. The boot WIM from the stand-alone primary site remains unmodified, and objects for operating system deployment that are based on this WIM continue to function.

Planning for Client and Server Operating System Languages in Configuration Manager
System Center 2012 Configuration Manager supports the display of information in multiple languages. By default, the Configuration Manager user interface displays in English although objects that an administrative user creates display in the Configuration Manager console and on the client in the language that is used to create them. In addition, you can install server and client language packs to enable the user interface to display in a language that matches the preferences of the user. Use the information in the following sections to help you plan for language support by installing language packs. For information about how to manage language packs, see the Manage

382

Language Packs at Configuration Manager Sites section in the Manage Site and Hierarchy Configurations topic.

Whats New in Configuration Manager

Note The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide. The following items are new or have changed for language support since Configuration Manager 2007: You no longer install site servers by using source files designed for a specific language. Additionally, you no longer install International Client Packs to support different languages on the client. Instead, you can choose to install only the server and client languages that you want to support. Available client and server language packs are included with the Configuration Manager installation media in the LanguagePack folder, and updates are available to download with the prerequisite files. You can add client and server language packs to a site when you install the site, and you can modify the language packs in use after the site installs.

You can install multiple languages at each site, and only need to install the languages that you use: Each site supports multiple languages for Configuration Manager consoles. At each site you can install individual client language packs, adding support for only the client languages that you want to support.

When you install support for a language that matches the display language of a computer, Configuration Manager consoles and the client user interface that run on that computer display information in that language. When you install support for a language that matches the language preference that is in use by the web browser of a computer, connections to web-based information, including the Application Catalog or SQL Server Reporting Services, display in that language.

About Language Packs

You add support for server and client language packs at the central administration site and at primary sites to enable Configuration Manager to display built-in text in a language that matches the users preference. Secondary sites automatically support the same client languages as their parent primary sites. For a list of supported languages, see the Supported Operating System Languages section in the Technical Reference for Language Packs in Configuration Manager topic. Use server language packs for the Configuration Manager console and for site system roles such as the reporting services point. Use client language packs for Configuration Manager clients and the Application Catalog.
383

Language packs use the following language preferences to display information:

The display language of a computer applies to the Configuration Manager console, client notifications, and Software Center. The display preference within a web browser applies to viewing reports and the Application Catalog. Note Even when language packs are installed, data created by an administrative user is not affected by using language packs.

When you run Setup, Configuration Manager copies the available languages from the LanguagePack folder on the Configuration Manager source media to the location that you specify for prerequisite downloads. If the source media is not accessible, Configuration Manager downloads language packs as part of the prerequisite files download. Additionally, any files that are missing or that have updates are also downloaded with the prerequisite files. Then, during Setup, you can select to add one or more of the available server and client language packs to the site. If you do not install language packs when you install a site server, you can add them later by running Setup on the site server. You must run Setup from the Start menu or by opening Setup.exe from the installation path, and then choose to modify the sites configuration. When you change the supported languages for a site Configuration Manager takes the following actions:
Language pack type Action

Server language pack

The site runs a site reset and reinstalls all site system roles at the site. For information about a site reset, see the Perform a Site Reset section in the Manage Site and Hierarchy Configurations topic. The language files are copied to the ConsoleSetup folder. The site runs a site reset and reinstalls all site system roles at the site. For information about a site reset, see the Perform a Site Reset section in the Manage Site and Hierarchy Configurations topic. When you modify client languages at the top-tier site (central administration site or stand-alone primary site), the site modifies the client installation package, and updates this package on each distribution point in the hierarchy. When you modify client languages at a primary site, the site updates the Client folder on the site server and on
384

Client language pack

Language pack type

Action

management points in that site. The site copies updated files to each Application Catalog website point and management point, and if you modify support for mobile device clients, it also updates the files on the enrollment proxy point.

Planning for Server Language Packs

Add support for a server language to a site to enable Configuration Manager consoles and reporting services points to display information in the supported language. You can install multiple server language packs at each site in your hierarchy. Each server language pack that a site supports is added to the Configuration Manager console installation source files on that site server. Before a Configuration Manager console can display information in a supported language, you must add the language pack to the site and install the Configuration Manager console from source files that include that language. Reporting services points automatically update to support the display of information in the language packs that you install at a site.

Planning for Client Language Packs

Configuration Manager supports client languages for device clients and mobile device clients: When a Configuration Manager client installs on a device, it adds support for each client language packs that is included with the client installation files. When a Configuration Manager client installs on a mobile device, it adds support for all languages at the same time.

You can add support for client languages when you install a site, or by rerunning Setup on the site server computer after a site installs. Before a client can display information in a supported language, you must add support for the language to the clients site, and install the client from source files that include that language. You must add support for the client language packs before you install the client. When a site adds support for a client language pack, it updates the client installation files. The set of client installation files that the site updates depends on the sites location in the hierarchy: The top-tier site of a hierarchy manages the client installation package. This package is automatically distributed to each distribution point in the hierarchy. By default, when a client installs, it uses this package for the client installation source files. Note The top-tier site can be a central administration site, or a stand-alone primary site.

385

Primary sites manage the client upgrade package and update the supported languages in the Client folder on the site server and on management points in that site. Clients use the installation source files from their primary site when the client installation process cannot access the client installation package on a distribution point, or when the client installation command-line property /source is used to specify the these files. Tip When you use a central administration site, ensure that a client installs the client language packs you expect by adding support for each language pack to the central administration site and to each primary site.

When you change the supported client languages at a top-tier site, allow time for the client installation package to replicate to distribution points in your hierarchy. You can monitor the redistribution of the package to distribution points by using the Content Status node in the Monitoring workspace of the Configuration Manager console. For more information, see the Monitor Content section in the Operations and Maintenance for Content Management in Configuration Manager topic. Alternately, you can monitor progress by viewing status messages for the redistribution of the package: The client installation package name is Configuration Manager Client Package. Distribution points generate a status message with Message ID 2330 when the package successfully updates on that distribution point.

After a new site server installs with support for client language packs, or after an existing site server updates the distribution points with the language pack changes, you can install new clients or reinstall existing clients on computers to add support for supported client language packs. Important Configuration Manager does not support reinstalling the mobile device client without first wiping the mobile device. Therefore, if you plan to support non-English mobile devices, enable support for mobile device client languages before you install the Configuration Manager mobile device client. When the Configuration Manager client installs on a new computer, CCMSetup modifies the MSI command line to add support for each language pack that is included with the client installation source files. To update an existing client with new language packs, you must upgrade or reinstall the client. For example, you can modify the languages supported on a computer when you redeploy the client software by using client push installation or software deployment. The following table lists the client upgrade and installation methods that are not supported for managing the language pack support for a previously installed client.
Method Details

Repairing

An MSI repair action reuses the MSI command line last used to install the client, as stored in
386

Method

Details

the registry of the client computer. This command line will not reference new client language packs. Automatic client upgrade This type of upgrade fails because automatic upgrades are based on a change of client version. New language packs do not change the client version. Software update points rely on a change of client version to install the client. New language packs do not change the client version.

Software update-based client installation

For information about how clients access source files for installation, see How to Install Clients on Windows-Based Computers in Configuration Manager. For information about client installation properties, see About Client Installation Properties in Configuration Manager

Best Practices for Managing Language Packs

Use the following best practices information to help you use language packs in System Center 2012 Configuration Manager.

Install languages at the time you install a site

When you modify the language packs that are supported at the top-tier site of a hierarchy, the site initiates an update of the client installation package on each distribution point in the hierarchy, reinstalls applicable site system roles, and performs a site reset. Additionally, you must reinstall clients before they can use new language packs that you add to their site.

When you add support for client language packs to your central administration site, also add these client language packs to each primary site
When you modify the client language packs at a site, the client installation files that update depend on the sites location in the hierarchy. When a client installs, it might use the client installation package that is managed by the top-tier site of the hierarchy, or it can fall back to using source files from the management point in the clients assigned site when it cannot access the client installation package on a distribution point.

Planning for the Configuration Manager Console

Administrative users use the Configuration Manager console to manage the Configuration Manager environment. Each Configuration Manager console connects to either a central
387

administration site, or a primary site. After the initial connection is made, the Configuration Manager console can connect to other sites. However, you cannot connect a Configuration Manager console to a secondary site. To connect to a different site when you use the Configuration Manager console, on the Application Menu, select Connect to a New Site, and then specify the name of the site server. You can also specify a connection to a specific site when you open a new instance of the Configuration Manager console. To do so, you must specify the site server name as part of the command line to open the Configuration Manager console. For example, to connect to a site that runs on Server1, at the command prompt, type %path%\microsoft.configurationmanagement.exe Server1. Configuration Manager does not limit the number of simultaneous Configuration Manager console connections to a primary site or central administration site. When you connect to the central administration site, you can view and configure data for all sites in the hierarchy. If you have a central administration site but connect the Configuration Manager console directly to a primary site, you can view and manage Configuration Manager data from this connection, but you cannot see data from other primary sites or from the secondary sites of other primary sites. However, if you do not have a central administration site because your hierarchy has a stand-alone primary site, you can use the Configuration Manager console to access all the data in your hierarchy. Important When you manage objects or clients by using a Configuration Manager console that is connected to a child primary site in a hierarchy with other primary sites, the changes you make replicate throughout the hierarchy to other primary sites, even though you cannot see data from those other primary sites. Note When you connect a Configuration Manager console to an evaluation installation of Configuration Manager, the title bar of the console displays the number of days that remain before the evaluation installation expires. The number of days does not automatically refresh and only updates when you make a new connection to a site. After the evaluation period ends, the Configuration Manager console connects as a read-only console.

About the Read-Only Console

When you connect a Configuration Manager console to a primary site, there are certain conditions that result in the Configuration Manager console connecting as a read-only console. The read-only console lets you view objects and configuration settings but prevents you from making any changes that could be lost when the primary site completes initialization or is synchronized with the central administration site after replication issues are resolved. Read-only consoles are established for the following reasons: You connect to a primary site before it completes the Configuration Manager site installation. You connect to a primary site that has intersite replication problems.
388

You connect to a primary site during a site restoration of that site. You connect to a primary site when that site is initializing global data.

After the primary site is fully initialized, or replication issues between that site and the central administration site are resolved, you must close, and then reconnect the Configuration Manager console to establish a normal session where you can manage objects and configurations. Note A Configuration Manager console that connects to an evaluation installation of Configuration Manager after the evaluation period of 180 days ends will connect as a read-only console.

Planning for Multiple Administrative Users and Global Data Replication in Configuration Manager
Use the following sections to help you plan for multiple administrative users who access objects and configuration settings that are shared between sites. This data is referred to as global data, and it is available throughout the hierarchy.

About Multiple Edits to Global Data in Configuration Manager

Because different administrative users at one or more sites can attempt to manage the same object at the same time, Configuration Manager prevents one administrative user from editing an object if another administrative user in the hierarchy is currently editing the same object. When an object you want to manage is already in use, you have the option to view the object as a readonly instance, or to retry to obtain ownership of the object. If you retry to obtain ownership and the object is no longer in use by another administrative user, you are granted ownership and can edit the object. Do not confuse the read-only status for an object you want to manage with the readonly Configuration Manager console. Unlike the read-only console, this is an object-specific condition that is temporary and based on the individual objects current availabili ty. This condition is not related to the status of the site to which your Configuration Manager console connects. Configuration Manager also resolves edits to an object when those edits are made at different sites when one of the sites is unable to replicate data. This scenario might occur if a network link is disconnected. In this scenario, the first edit to an object that replicates to the central administration site takes precedence over a later edit from the primary site that was unable to replicate the data.

About Data Access From the Configuration Manager Console

Use role-based administration to define the objects in the hierarchy that administrative users can see in the Configuration Manager console and the permissions that they have for those objects. Use a combination of security roles, security scopes, and collections to help manage access to

389

data throughout the hierarchy for each administrative user. For more information, see Planning for Security in Configuration Manager.

See Also
Planning for Configuration Manager Sites and Hierarchy

Planning to Upgrade System Center 2012 Configuration Manager

System Center 2012 Configuration Manager supports the installation of a service pack to upgrade the version of a Configuration Manager site. When you upgrade Configuration Manager to a new service pack version, plan for the changes that are required to install the new service pack, and the changes that the service pack introduces. Changes in a service pack might require you to modify pre-upgrade configurations to support the installation of the service pack, such as new prerequisites for site system roles. Also plan to modify post-upgrade configurations, which include the reconfiguration of some settings and the upgrade of Configuration Manager clients and Configuration Manager consoles. Note System Center 2012 Configuration Manager does not support an upgrade from Configuration Manager 2007 or earlier product versions. Additionally, you cannot share a site system server or site system role between a Configuration Manager 2007 site and a System Center 2012 Configuration Manager site. Before you install a System Center 2012 Configuration Manager site system role on a computer, you must uninstall all site system roles from the Configuration Manager 2007 site. The only exceptions are distribution points that you share between hierarchies during migration. For more information, see the Share Distribution Points Between Source and Destination Hierarchies section in the Planning a Content Deployment Migration Strategy in System Center 2012 Configuration Manager topic. Tip In a hierarchy, before you can upgrade a child site, the parent site of that site must complete its upgrade to the new service pack. Use the information in the following sections to plan for upgrading Configuration Manager sites to a new service pack version. Planning to Upgrade to Configuration Manager SP1 Configuration Manager SP1 Upgrade Checklist Considerations for Upgrading to Configuration Manager SP1

Support for Uninstalling a Service Pack

390

Planning to Upgrade to Configuration Manager SP1

Configuration Manager supports installing System Center 2012 Configuration Manager Service Pack 1 (SP1) to upgrade a site that runs System Center 2012 Configuration Manager with no service pack. You can run the service pack upgrade on the site servers of central administration sites and primary sites. After a primary site upgrades to System Center 2012 Configuration Manager SP1, you can then use the Configuration Manager console to upgrade secondary sites to Configuration Manager SP1. Use the information in the following sections to help you plan for the upgrade to Configuration Manager SP1.

What's New in Configuration Manager SP1

The following items are new or have changed for installing Configuration Manager SP1: You can install a new System Center 2012 Configuration Manager SP1 site, or upgrade an existing site that runs Configuration Manager with no service pack. You can expand a stand-alone primary site that runs Configuration Manager SP1. When you expand a primary site, you install a new central administration site that becomes the parent site of the existing primary site.

Configuration Manager SP1 Upgrade Checklist

Use the information in the following check list to help you identify and plan for pre-upgrade configuration modifications and additional actions that are related to upgrading your sites and hierarchy to Configuration Manager SP1.
Step More information

Ensure that your computing environment meets the supported configurations that are required for upgrading to System Center 2012 Configuration Manager SP1.

Before you upgrade to Configuration Manager SP1, install the required prerequisites on each computer that hosts a site system role. Several site system roles require new or upgraded prerequisites. For example, to deploy an operating system, Configuration Manager SP1 uses the Windows Assessment and Deployment Kit (Windows ADK) instead of Windows Automated Installation Kit (Windows AIK). Before you run Setup, you must download and install Windows ADK on the site server and on each computer that runs an instance of the SMS Provider. For general information about supported
391

Step

More information

platforms and prerequisite configurations, see Supported Configurations for Configuration Manager. For information about how to use the Windows ADK with Configuration Manager, see the Prerequisites For Deploying Operating Systems in Configuration Manager topic in the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide. Review the site and hierarchy status and verify that there are no unresolved issues. Before you upgrade a site, resolve all operational issues for the site server, the site database server, and site system roles that are installed on remote computers. A site upgrade can fail due to existing operational problems. For information about the status of sites and site system roles, see Monitor Configuration Manager Sites and Hierarchy. Install all applicable critical updates for operating systems on computers that host the site, the site database server, and remote site system roles. Before you upgrade a site, install any critical updates for each applicable site system. If an update that you install requires a restart, restart the applicable computers before you start the service pack update. For more information, see Windows Update. Disable database replicas for management points at primary sites. Configuration Manager cannot successfully upgrade a primary site that has a database replica for management points enabled. Disable database replication before you create the backup of the site database to test the database upgrade, and before you upgrade the production site to Configuration Manager SP1. For more information, see Configure Database Replicas for Management Points. Reconfigure software update points that use NLBs. Configuration Manager cannot upgrade a site that uses a Network Load Balancing (NLB) cluster to host software update points. For more information, see the Upgrading from Configuration Manager with No Service Pack to Configuration Manager SP1 section in the Planning for Software Updates in Configuration
392

Step

More information

Manager topic. Back up the site database at the central administration site and primary sites. Before you upgrade a site, back up the site database to ensure that you have a successful backup to use for disaster recovery. For more information, see Backup and Recovery in Configuration Manager. Disable the site maintenance task Delete Aged Client Operations on primary sites. Before you upgrade any sites to Configuration Manager SP1, disable this site maintenance task on each primary site in the hierarchy. When this task remains active at a primary site that runs Configuration Manager with no service pack, this task deletes information about active client operations for clients that run Configuration Manager SP1. After all primary sites are upgraded to Configuration Manager SP1, you can enable this task for standard site maintenance at each primary site. For more information about site maintenance tasks, see the Planning for Maintenance Tasks for Configuration Manager section in the Planning for Site Operations in Configuration Manager topic. Create a copy of each built-in collection that you have modified. When you upgrade to Configuration Manager SP1, the built-in collections are overwritten in the site database. If you have customized a built-in collection, create a copy of that collection before you upgrade. In Configuration Manager SP1, the built-in collections are read-only and cannot be modified. Run Setup Prerequisite Checker. Configuration Manager SP1 introduces new prerequisite checks. Before you upgrade a site, you can run the Prerequisite Checker independently from Setup to validate that your site meets the prerequisites. When you upgrade the site, Prerequisite Checker runs again. For more information, see the Prerequisite Checker section in the Install Sites and Create
393

Step

More information

a Hierarchy for Configuration Manager topic. For information about prerequisite checks, see Technical Reference for the Prerequisite Checker in Configuration Manager. Download prerequisite files and redistributable files for Configuration Manager SP1. Use Setup Downloader from the Configuration Manager SP1 source media to download prerequisite redistributable files, Configuration Manager SP1 language packs, and the latest product updates for the service pack upgrade. For information about Setup Downloader, see the Setup Downloader section in the Install Sites and Create a Hierarchy for Configuration Manager topic. Plan to manage server and client languages when you upgrade a site. Configuration Manager SP1 supports the same server and client languages as Configuration Manager with no service pack, and it also supports additional languages that are introduced with Configuration Manager SP1. However, when you upgrade to Configuration Manager SP1, the site upgrade installs new versions of each language pack. When you run Setup, Setup reviews the current language configuration of your site, and then identifies the language packs that are available in the folder where you store previously downloaded prerequisite files. You can then affirm the selection of the current server and client language packs, or change the selections to add or remove support for languages. Only those language packs are available that are available with the prerequisite files that you download. Important Server and client language packs are service pack version-specific. You cannot use the language packs from Configuration Manager with no service pack to enable languages for a Configuration Manager SP1 site.
394

Step

More information

If you have previously installed a language pack for servers or clients at a site, and a Configuration Manager SP1 version of that language pack is not available with the prerequisite files, that language cannot be selected. Support for that language is removed from the site when it upgrades. For more information about language packs, see the Planning for Client and Server Operating System Languages in Configuration Manager section in the Planning for Sites and Hierarchies in Configuration Manager topic. For information about Setup Downloader, see the Setup Downloader section in the Install Sites and Create a Hierarchy for Configuration Manager topic. Plan for new site system role prerequisites. Important Prerequisite Checker for Configuration Manager does not verify the prerequisites for site system roles on the site server or on remote computers. Several site system roles have new prerequisites for Configuration Manager SP1. Before you upgrade a site, verify that each computer that hosts a site system role meets any new prerequisites for Configuration Manager SP1. During a site upgrade, Configuration Manager automatically upgrades site system roles at the site by reinstalling each site system role. When prerequisites are not met, the site system role might not reinstall or might reinstall, but might fail to operate correctly. For information about prerequisites for site system roles, see the Site System Requirements section in the Supported Configurations for Configuration Manager topic. Review the list of considerations for site upgrades. When you upgrade a site, some features and configurations reset to a default configuration. To help you plan for these and related changes in Configuration Manager SP1, review the information in the Considerations for Upgrading to Configuration Manager SP1 section in this topic.

395

Step

More information

Test the database upgrade process on a copy of the most recent site database backup.

Before you upgrade a Configuration Manager central administration site or primary site to a new service pack, plan to test the site database upgrade process on a copy of the site database. You should test the site database upgrade process, because when you upgrade a site, the site database might be modified and although a test database upgrade is not required, it can identify problems for the upgrade before your production database is affected. A failed site database upgrade can render your site database inoperable and might require a site recovery to restore functionality. Note Configuration Manager supports neither the backup of secondary sites nor the test upgrade of a secondary site database. Although the site database is shared between sites in a hierarchy, plan to test the database at each applicable site before you upgrade that site. If you use database replicas for management points at a primary site, disable replication before you create the backup of the site database. Important It is not supported to run a test database upgrade on the production site database. Doing so upgrades the site database and could render your site inoperable. For more information, see the Test the Configuration Manager Site Database for the Upgrade section in the Upgrade Configuration Manager to a New Service Pack topic.

Restart the site server and each computer that Internal process that is company-specific. hosts a site system role to ensure that there are no pending actions from a recent installation of updates or from prerequisites.
396

Step

More information

Install the service pack.

Starting at the top-level site in the hierarchy, run Setup.exe from the Configuration Manager SP1 source media. After the top-level site completes the upgrade to Service Pack 1, you can begin the upgrade of each child site. Complete the upgrade of each site before you begin to upgrade the next site. Until all sites in your hierarchy upgrade to the same service pack version, your hierarchy operates in a mixed service pack version mode. For information about how to run the service pack installation, see the Upgrade a Configuration Manager Site section in the Upgrade Configuration Manager to a New Service Pack topic. For information about operating a Configuration Manager hierarchy in mixed mode, see the Interoperability between Sites with Different Service Pack Versions in System Center 2012 Configuration Manager section in the Interoperability between Different Versions of Configuration Manager topic.

Upgrade stand-alone Configuration Manager consoles.

By default, when you upgrade a central administration site or primary site, the installation also upgrades a Configuration Manager console that is installed on the site server. However, you must manually upgrade each Configuration Manager console that is installed on a computer other than the site server. Tip When you use a Configuration Manager console that is of a lower service pack version than the site that you connect to, the console cannot display or create some objects and information that are available in the new service pack version. When you use a Configuration Manager console that is of a higher service pack version
397

Step

More information

than the site that you connect to, the connection is blocked. When you upgrade a Configuration Manager console, the installation process uninstalls the existing Configuration Manager console, and then installs the new version of the software. Therefore, to upgrade a Configuration Manager console on computers other than site servers, you can use any method that Configuration Manager supports to install the Configuration Manager console. These supported methods can include a manual installation or a deployment that installs the console. For more information about how to install the Configuration Manager console, see the Install a Configuration Manager Console section in the Install Sites and Create a Hierarchy for Configuration Manager topic. Reconfigure database replicas for management If you use database replicas for management points at primary sites. points at primary sites, you must uninstall the database replicas before you upgrade the site. After you upgrade a primary site, reconfigure the database replica for management points. For more information, see the Configurations for Using a Database Replica section in the Configure Database Replicas for Management Points topic. Upgrade clients. After you upgrade a primary site, plan to upgrade clients that are assigned to that site. Although a Configuration Manager primary site or secondary site can support communication from clients that have a lower service pack version, this communication should be a temporary configuration. Clients that run a previous service pack version of Configuration Manager cannot use the new functionality that is available with the new service pack version of Configuration Manager. When you upgrade a client, the current client software is uninstalled and the new client
398

Step

More information

software version is installed. To upgrade clients, you can use any method that Configuration Manager supports. Tip When you upgrade the top-level site of a hierarchy to a new service pack, the client installation package on each distribution point in the hierarchy is also updated. When you upgrade a primary site, the client upgrade package that is available from that primary site is updated. For information about how to upgrade existing clients and how to install new clients, see How to Install Clients on Windows-Based Computers in Configuration Manager.

Considerations for Upgrading to Configuration Manager SP1

Use the following information to help you prepare for changes to sites and the hierarchy when you upgrade to Configuration Manager SP1. Automatic actions: When you upgrade a Configuration Manager site to a new service pack, the following actions occur automatically: The site performs a site reset, which includes a reinstallation of all site system roles. If the site is the top-level site of a hierarchy, it updates the client installation package on each distribution point in the hierarchy. If the site is a primary site, it updates the client upgrade package for that site.

Manual actions for the administrative user after an upgrade: After you upgrade a Configuration Manager site to a new service pack, ensure that the following actions are performed: Ensure that clients that are assigned to each primary site upgrade and install the client software for the new service pack. Upgrade each Configuration Manager console that connects to the site and that runs on a computer that is remote from the site server. At primary sites where you use database replicas for management points, reconfigure the database replicas for Configuration Manager SP1.

Actions that affect configurations and settings: When a site upgrades to Configuration Manager SP1, some configurations and settings do not persist after the upgrade or are set to a

399

new default configuration. The following table includes configurations and settings that do not persist or that change, and provides details to help you plan for them during a site upgrade.
Configuration or setting Details

Software Center

When you upgrade to Configuration Manager SP1, the following Software Center items are reset to their default values Work information is reset to business hours from 5.00am to 10.00pm Monday to Friday. The value for Computer maintenance is set to Suspend Software Center activities when my computer is in presentation mode. The value for Remote control is set to the value in the client settings that are assigned to the computer.

Software update summarization schedules

When you upgrade to Configuration Manager SP1, custom summarization schedules for software updates or software update groups are reset to the default value of 1 hour. After the upgrade finishes, reset custom summarization values to the required frequency.

Support for Uninstalling a Service Pack

Configuration Manager does not support uninstalling service packs. However, Configuration Manager does provide limited support for uninstalling updates from clients. Updates are installed when you deploy updates from a cumulative update to a Configuration Manager client. For more information about updates, see Update System Center 2012 Configuration Manager. Use the information in the following sections to help restore Configuration Manager to an earlier service pack version.

Downgrading Configuration Manager Sites

Configuration Manager does not support the removal of a service pack to restore a site to a previous version. Instead, uninstall all site system roles and uninstall the Configuration Manager site. After the site is uninstalled, you can then reinstall a site with the version of Configuration Manager that you require. However, because sites in a Configuration Manager hierarchy share a common database, you cannot uninstall a site without first uninstalling its child sites. Additionally,
400

when you reinstall sites, you cannot install a site that uses a lower service pack version than its parent site.

Downgrading Configuration Manager Clients

Configuration Manager does not support the removal of a service pack version from a Configuration Manager client. Instead, uninstall the client, and then reinstall the client software from the appropriate Configuration Manager version.

Downgrading Configuration Manager Consoles

Configuration Manager does not support downgrading a Configuration Manager console to a console of a previous version or service pack. Instead, uninstall the Configuration Manager console, and then reinstall the Configuration Manager console for the version that you require.

See Also
Planning for Configuration Manager Sites and Hierarchy

Planning for Publishing of Site Data to Active Directory Domain Services

If you extend the Active Directory schema for System Center 2012 Configuration Manager, you can publish Configuration Manager sites to Active Directory Domain Services so that Active Directory computers can securely retrieve site information from a trusted source. Although publishing site information to Active Directory Domain Services is not required for basic Configuration Manager functionality, this configuration can reduce administrative overhead.

When you extend the Active Directory schema for Configuration Manager and a site is configured to publish to Active Directory Domain Services, Configuration Manager clients can automatically find management points through Active Directory publishing using an LDAP query to a global catalog server. If you do not extend the Active Directory schema for Configuration Manager, management points cannot be published to Active Directory Domain Services and clients must have an alternative mechanism to locate their default management point. For information about service location by clients, see the Planning for Service Location by Clients section in the Planning for Communications in Configuration Manager topic. The following are prerequisites you must configure before a Configuration Manager site can publish site data to Active Directory Domain Services:

401

You must extend the Active Directory schema in each forest where you will publish site data. For more information, see Determine Whether to Extend the Active Directory Schema for Configuration Manager. You must configure Active Directory Forests for use with Configuration Manager, and enable publishing to the forests you want to use. For information, see the About Active Directory Forest Discovery section in the Planning for Discovery in Configuration Manager topic. You must enable publishing at each site that will publish its data to Active Directory Domain Services. For information, see Configuring Sites to Publish to Active Directory Domain Services.

See Also
Planning for Configuration Manager Sites and Hierarchy

Planning for Discovery in Configuration Manager

System Center 2012 Configuration Manager discovery identifies computer and user resources that you can manage by using Configuration Manager. It can also discover the network infrastructure in your environment. Discovery creates a discovery data record (DDR) for each discovered object and stores this information in the Configuration Manager database. When discovery of a resource is successful, discovery puts information about the resource in a file that is referred to as a discovery data record (DDR). DDRs are in turn processed by site servers and entered into the Configuration Manager database where they are then replicated by database-replication with all sites. The replication makes discovery data available at each site in the hierarchy, regardless of where it was discovered or processed. You can use discovery information to create custom queries and collections that logically group resources for management tasks such as the assignment of custom client settings and software deployments. Computers must be discovered before you can use client push installation to install the Configuration Manager client on devices. Use the following sections to help you plan for discovery in Configuration Manager: Discovery Methods in Configuration Manager Decide Which Discovery Methods to Use About Active Directory System, User, and Group Discovery Methods Shared Discovery Options Active Directory System Discovery Active Directory User Discovery Active Directory Group Discovery

About Active Directory Forest Discovery About Delta Discovery

402

About Heartbeat Discovery About Network Discovery About Discovery Data Records Decide Where to Run Discovery Best Practices for Discovery

Whats New in Configuration Manager

Note The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide. System Center 2012 Configuration Manager introduces the following changes for discovery: Each discovery data record is processed and entered into the database one time only, at a primary site or central administration site, and then the discovery data record is deleted without additional processing. Discovery information entered into the database at one site is shared to each site in the hierarchy by using Configuration Manager database replication. Active Directory Forest Discovery is a new discovery method that can discover subnets and Active Directory sites, and can add them as boundaries for your hierarchy. Active Directory System Group Discovery has been removed. Active Directory Security Group Discovery is renamed to Active Directory Group Discovery and discovers the group memberships of resources. Active Directory System Discovery and Active Directory Group Discovery support options to filter out stale computer records from discovery. Active Directory System, User, and Group Discovery support Active Directory Delta Discovery. Delta Discovery is improved from Configuration Manager 2007 R3 and can now detect when computers or users are added or removed from a group.

Discovery Methods in Configuration Manager

Before you enable discovery methods for Configuration Manager, ensure you understand what each method can discover. Because discovery can generate a large volume of network traffic, and the resultant DDRs can result in a significant use of CPU resources during processing, plan to use only those discovery methods that you require to meet your goals. You could use only one or two discovery methods to be successful, and you can always enable additional methods in a controlled manner to extend the level of discovery in your environment. Use the following table to help you plan for each of the six configurable discovery methods.

403

Discovery method

Enabled by default

Accounts that run discovery

More information

Active Directory Forest Discovery

No

Active Directory Forest Discovery Account, or the computer account of the site server

Can discover Active Directory sites and subnets, and then create Configuration Manager boundaries for each site and subnet from the forests that you have configured for discovery. When Active Directory Forest Discovery identifies a supernet that is assigned to an Active Directory site, Configuration Manager converts the supernet into an IP address range boundary. Supports a userdefined account to discover resources for each forest. Can publish to the Active Directory Domain Services of a forest when publishing to that forest is enabled, and the specified account has permissions to that forest. Discovers computers from the specified locations in Active Directory Domain Services. Discovers user accounts from the specified locations in
404

Active Directory System Discovery

No

Active Directory System Discovery Account, or the computer account of the site server Active Directory User Discovery Account, or

Active Directory User Discovery

No

Discovery method

Enabled by default

Accounts that run discovery

More information

the computer account of the site server

Active Directory Domain Services.

Active Directory Group Discovery

No

Active Directory Group Discovery Account, or the computer account of the site server

Discovers local, global, and universal security groups, the membership within these groups, and the membership within distribution groups from the specified locations in Active directory Domain Services. Distribution groups are not discovered as group resources. Used by active Configuration Manager clients to update their discovery records in the database. Heartbeat Discovery can force discovery of a computer as a new resource record, or can repopulate the database record of a computer that was deleted from the database. Searches your network infrastructure for network devices that have an IP address. Can discover devices that might not be found by
405

Heartbeat Discovery

Yes

Computer account of the client

Network Discovery

No

Computer account of the site server

Discovery method

Enabled by default

Accounts that run discovery

More information

other discovery methods. This includes printers, routers, and bridges. All configurable discovery methods support a schedule for when discovery runs. With the exception of Heartbeat Discovery, you can configure each method to search specific locations for resources to add to the Configuration Manager database. After discovery runs, you can change the locations that a discovery method searches. These new locations are searched during the next discovery run. However, the next run of the discovery method is not limited to the new locations and always attempts to discover information from all current configured locations. Heartbeat Discovery is the only discovery method that is enabled by default. To help maintain the database record of Configuration Manager clients, do not disable Heartbeat Discovery. In addition to these discovery methods, Configuration Manager also uses a process named Server Discovery (SMS_WINNT_SERVER_DISCOVERY_AGENT). This discovery method creates resource records for computers that are site systems, such as a computer that is configured as a management point. This method of discovery runs daily and is not configurable.

Decide Which Discovery Methods to Use

To discover potential Configuration Manager client computers or user resources, you must enable the appropriate discovery methods. You can use different combinations of discovery methods to locate different resources and to discover additional information about those resources. The discovery methods that you use determine the type of resources that are discovered and which Configuration Manager services and agents are used in the discovery process. They also determine the type of information about resources that you can discover. Discover Computers When you want to discover computers, you can use Active Directory System Discovery or Network Discovery. As an example, if you want to discover resources that can install the Configuration Manager client before you use client push installation, you might run Active Directory System Discovery. Alternately you could run Network Discovery and use its options to discover the operating system of resources (required to later use client push installation). However, by using Active Directory System Discovery, you not only discover the resource, but discover basic information and can discover extended information about it from Active Directory Domain Services. This information might be useful in building complex queries and collections to use for the assignment of client settings or content deployment. Network Discovery, on the other hand, provides you with information about your network topology that you are not able to acquire with other discovery methods, but Network Discovery does not provide you any information about your Active Directory environment.
406

It is also possible to use only Heartbeat Discovery to force the discovery of clients that you installed by methods other than client push installation. However, unlike other discovery methods, Heartbeat Discovery cannot discover computers that do not have an active Configuration Manager client, and returns a limited set of information. It is intended to maintain an existing database record and not to be the basis of that record. Information submitted by Heartbeat Discovery might not be sufficient to build complex queries or collections. If you use Active Directory Group Discovery to discover the membership of a specified group, you can discover limited system or computer information. This does not replace a full discovery of computers but can provide basic information. This basic information is insufficient for client push installation. Discover Users When you want to discover information about users, you can use Active Directory User Discovery. Similar to Active Directory System Discovery, this method discovers users from Active Directory and includes basic information in addition to extended Active Directory information. You can use this information to build complex queries and collections similar to those for computers. Discover Group Information When you want to discover information about groups and group memberships, use Active Directory Group Discovery. This discovery method creates resource records for security groups. You can use this method to search a specific Active Directory group to identify the members of that group in addition to any nested groups within that group. You can also use this method to search an Active Directory location for groups, and recursively search each child container of that location in Active Directory Domain Services. This discovery method can also search the membership of distribution groups. This can identify the group relationships of both users and computers. When you discover a group, you can also discover limited information about its members. This does not replace Active Directory System or User Discovery and is usually insufficient to build complex queries and collections or serve as the bases of a client push installation. Discover Infrastructure There are two methods that you can use to discover network infrastructure, Active Directory Forest Discovery and Network Discovery. You can use Active Directory Forest Discovery to search an Active Directory forest for information about subnets and Active Directory site configurations. These configurations can then be automatically entered into Configuration Manager as boundary locations. When you want to discover your network topology, use Network Discovery. While other discovery methods return information related to Active Directory Domain Services and can identify the current network location of a client, they do not provide infrastructure information based on the subnets and router topology of your network.

407

About Active Directory System, User, and Group Discovery Methods

This section contains information about the following discovery methods: Active Directory System Discovery Active Directory User Discovery Active Directory Group Discovery Note The information in this section does not apply to Active Directory Forest Discovery. These three discovery methods are similar in configuration and operation, and can discover computers, users, and information about group memberships of resources that are stored in Active Directory Domain Services. The discovery process is managed by a discovery agent that runs on the site server at each site where discovery is configured to run. You can configure each of these discovery methods to search one or more Active Directory locations as location instances in the local forest or remote forests. When discovery searches an untrusted forest for resources, the discovery agent must be able to resolve the following to be successful: To discover a computer resource with Active Directory System Discovery, the discovery agent must be able to resolve the FQDN of the resource. If it cannot resolve the FQDN, it will then attempt to resolve the resource by its NetBIOS name. To discovery user or group resource with Active Directory User Discovery or Active Directory Group Discovery, the discovery agent must be able to resolve the FQDN of the domain controller name you specify for the Active Directory location.

For each location instance that you specify, you can configure individual search options such as enabling a recursive search of the locations Active Directory child containers. You can also configure a unique account to use when it searches that location instance. This provides flexibility in configuring a discovery method at one site to search multiple Active Directory locations across multiple forests, without having to configure a single account that has permissions to all locations. When each of these three discovery methods run at a specific site, the Configuration Manager site server at that site contacts the nearest domain controller in the specified Active Directory forest to locate Active Directory resources. The domain and forest can be in any supported Active Directory mode, and the account that you assign to each location instance must have Read access permission to the specified Active Directory locations. Discovery searches the specified locations for objects and then attempts to collect information about those objects. A DDR is created when sufficient information about a resource can be identified. The required information varies depending on the discovery method that is being used. If you configure the same discovery method to run at different Configuration Manager sites to take advantage of querying local Active Directory servers, you can configure each site with a unique set of discovery options. Because discovery data is shared with each site in the hierarchy, avoid overlap between these configurations to efficiently discover each resource one time. For smaller environments, you might consider running each discovery method at only one single site
408

in your hierarchy to reduce administrative overhead and the potential for multiple discovery actions to rediscover the same resources. When you minimize the number of sites that run discovery you can reduce the overall network bandwidth that is being used by discovery, and reduce the overall number of DDRs that are created and must be processed by your site servers. Many of the discovery method configurations are self-explanatory. Use the following sections for more information about the discovery options that might require additional information before you configure them.

Shared Discovery Options

The following table identifies configuration options that are available on multiple Active Directory Discovery methods. Key: = Supported = Unsupported

Discovery option

Active Directory System Discovery

Active Directory User Discovery

Active Directory Group Discovery

Details

Delta Discovery

Delta Discovery is an option available for each Active Directory discovery method except Active Directory Forest Discovery. Configuration Manager can use Delta Discovery to search Active Directory Domain Services (AD DS) for specific attributes that have changed after the last full discovery cycle of the discovery method. You can configure a short interval for Delta Discovery to search for new resources because discovering only new resources does not affect the performance of the site server as much as a
409

Discovery option

Active Directory System Discovery

Active Directory User Discovery

Active Directory Group Discovery

Details

full discovery cycle does. Delta Discovery can detect the following new resource types: Computer objects User objects Security group objects System group objects

Delta Discovery cannot detect when a resource has been deleted from AD DS. You must run a full discovery cycle to detect this change. DDRs for objects that Delta Discovery discovers are processed similarly to the DDRs that are created by a full discovery cycle. You configure Delta Discovery on the Polling Schedule tab in the properties for each discovery method. Filter stale computer records by domain logon You can configure discovery to exclude discovery of stale computer records based on the last domain logon of the computer. When this option is enabled, Active Directory System Discovery evaluates each computer it identifies. Active Directory Group Discovery evaluates each computer that is a
410

Discovery option

Active Directory System Discovery

Active Directory User Discovery

Active Directory Group Discovery

Details

member of a group that is discovered. Use of this option requires the following: Computers must be configured to update the lastLogonTimeStam p attribute in AD DS. The Active Directory domain functional level is set to Windows Server 2003 or later.

When configuring the time after the last logon, consider the interval for replication between domain controllers. You configure filtering on the Option tab in both Active Directory System Discovery Properties and Active Directory Group Discovery Properties dialog boxes by selecting the option Only discover computers that have logged on to a domain in a given period of time. Warning When you configure both of the stale record filters on the same discovery method, computers that
411

Discovery option

Active Directory System Discovery

Active Directory User Discovery

Active Directory Group Discovery

Details

meet the criteria of either filter are excluded from discovery. Filter stale records by computer password You can configure discovery to exclude discovery of stale computer records based on the last computer account password update by the computer. When this option is enabled, Active Directory System Discovery evaluates each computer it identifies. Active Directory Group Discovery evaluates each computer that is a member of a group that is discovered. Use of this option requires the following: Computers must be configured to update the pwdLastSet attribute in AD DS.

When configuring this option, consider the interval for updates to this attribute in addition to the replication interval between domain controllers. You configure filtering on the Option tab in both Active Directory System Discovery Properties and Active Directory
412

Discovery option

Active Directory System Discovery

Active Directory User Discovery

Active Directory Group Discovery

Details

Group Discovery Properties dialog boxes by selecting the option Only discover computers that have updated their computer account password in a given period of time. Warning When you configure both of the stale record filters on the same discovery method, computers that meet the criteria of either filter are excluded from discovery. Search customized Active Directory attributes Each discovery method supports a unique list of attributes that can be discovered. You configure Active Directory customized attributes on the Active Directory Attributes tab in both the Active Directory System Discovery Properties and Active Directory User Discovery Properties dialog boxes.

413

Active Directory System Discovery

Use Configuration Manager Active Directory System Discovery to search the specified Active Directory Domain Services (AD DS) locations for computer resources that can be used to create collections and queries. You can then install the client to discovered computers by using client push installation. To successfully create a discovery data record (DDR) for a computer, Active Directory System Discovery must be able to identify the computer account and then successfully resolve the computer name to an IP address. By default, Active Directory System Discovery discovers basic information about the computer including the following: Computer name Operating system and version Active Directory container name IP address Active Directory site Last Logon Timestamp

In addition to the basic information, you can configure the discovery of extended attributes from Active Directory Domain Services. You can view the default list of object attributes returned by Active Directory System Discovery, and configure additional attributes to be discovered in the Active Directory System Discovery Properties dialog box on the Active Directory Attributes tab. For more information about how to configure this discovery method, see Configure Active Directory Discovery in Configuration Manager. Active Directory System Discovery actions are recorded in the file adsysdis.log in the <InstallationPath>\LOGS folder on the site server.

Active Directory User Discovery

Use Configuration Manager Active Directory User Discovery to search Active Directory Domain Services (AD DS) to identify user accounts and associated attributes. You can view the default list of object attributes returned by Active Directory User Discovery, and configure additional attributes to be discovered in the Active Directory User Discovery Properties dialog box on the Active Directory Attributes tab. By default, Active Directory User Discovery discovers basic information about the user account including the following: User name Unique user name (includes domain name) Domain Active Directory container names

In addition to the basic information, you can configure the discovery of extended attributes from Active Directory Domain Services.
414

For more information about how to configure this discovery method, see Configure Active Directory Discovery in Configuration Manager. Active Directory User Discovery actions are recorded in the file adusrdis.log in the <InstallationPath>\LOGS folder on the site server.

Active Directory Group Discovery

Use Configuration Manager Active Directory Group Discovery to search Active Directory Domain Services (AD DS) to identify the group memberships of computers and users. This discovery method searches a discovery scope that you configure, and then identifies the group memberships of resources in that discovery scope. By default, only security groups are discovered. However, you can discover the membership of distribution groups when you select the checkbox for the option Discover the membership of distribution groups on the Option tab in the Active Directory Group Discovery Properties dialog box. Use Active Directory Group Discovery to discover the following information: Groups Membership of Groups Limited information about a groups member computers and users, even when those computers and users have not previously been discovered by another discovery method

This discovery method is intended to identify groups and the group relationships of members of groups. This method of discovery does not support the extended Active Directory attributes that can be identified by using Active Directory System Discovery or Active Directory User Discovery. Because this discovery method is not optimized to discover computer and user resources, consider running this discovery method after you have run Active Directory System Discovery and Active Directory User Discovery. This is because this discovery method creates a full DDR for groups, but only a limited DDR for computers and users that are members of groups. You can configure the following discovery scopes that control how Active Directory Group Discovery searches for information: Location: Use a location if you want to search one or more Active Directory containers. This scope option supports a recursive search of the specified Active Directory containers that also searches each child container under the container you specify. This process continues until no more child containers are found. Groups: Use groups if you want to search one or more specific Active Directory groups. You can configure the Active Directory Domain to use the default domain and forest, or limit the search to an individual domain controller. Additionally, you can specify one or more groups to search. If you do not specify at least one group, all groups found in the specified Active Directory Domain location are searched. Caution When you configure a discovery scope, select only the groups that you must discover. This is because Active Directory Group Discovery attempts to discover each member of each group in the discovery scope. Discovery of large groups can require extensive use of bandwidth and Active Directory resources.
415

Note You have to run either Active Directory System Discovery or Active Directory User Discovery to create collections that are based on extended Active Directory attributes and to ensure accurate discovery results for computers and users. For more information about how to configure this discovery method, see Configure Active Directory Discovery in Configuration Manager. Active Directory Group Discovery actions are recorded in the file adsgdis.log in the <InstallationPath>\LOGS folder on the site server.

About Active Directory Forest Discovery

Use Configuration Manager Active Directory Forest Discovery to discover IP subnets and Active Directory sites and to add them to Configuration Manager as boundaries. Unlike other discovery methods, Active Directory Forest Discovery does not discover resources that you can manage. Instead, this method discovers Active Directory network locations and can convert those locations into boundaries for use throughout your hierarchy. Use Active Directory Forest Discovery to do the following: Discover IP subnets in an Active Directory forest Discover Active Directory sites in an Active Directory forest Add the IP subnets and Active Directory sites that are discovered as boundaries in Configuration Manager Publish to the Active Directory Domain Services of a forest when publishing to that forest is enabled, and the specified Active Directory Forest Account has permissions to that forest

Manage Active Directory Forest Discovery in the Configuration Manager console from the following nodes under Hierarchy Configuration in the Administration workspace: Discovery Methods: Here you can enable Active Directory Forest Discovery to run at the top-level site of your hierarchy. You can also specify a simple schedule to run discovery, and configure it to automatically create boundaries from the IP subnets and Active Directory sites that it discovers. Active Directory Forest Discovery cannot be run at a child primary site or at a secondary site. Note This discovery method does not support Delta Discovery. Active Directory Forests: Here you configure the additional Active Directory forests that you want to discover, specify the account to use as the Active Directory Forest Account for each forest, and configure publishing to each forest. Additionally, you can monitor the discovery process and add IP subnets and Active Directory sites to Configuration Manager as boundaries and members of boundary groups.

When publishing is enabled for a forest and that forests schema is extended for Configuration Manager, the following information is published for each site that is enabled to publish to that Active Directory forest: SMS-Site-<site code>
416

SMS-MP-<site code>-<site system server name> SMS-SLP-<site code>-<site system server name> SMS-<site code>-<Active Directory site name or subnet> Note Secondary sites always use the secondary site server computer account to publish to Active Directory. If you want secondary sites to publish to Active Directory, ensure the secondary site server computer account has permissions to publish to Active Directory. A secondary site cannot publish data to an untrusted forest. Tip To configure publishing for Active Directory forests for each site in your hierarchy, connect your Configuration Manager console to the top-level site of your hierarchy. The Publishing tab in an Active Directory site Properties dialog box can only display the current site, and its child sites. Caution When you clear the option to publish a site to an Active Directory forest, all previously published information for that site, including available site system roles, is removed from the Active Directory of that forest.

Active Directory Forest Discovery runs on the local Active Directory forest, each trusted forest, and each additional forest that you configure in the Active Directory Forests node of the Configuration Manager console. Active Directory Forest Discovery actions are recorded in the following logs: All actions, with the exception actions related to publishing, are recorded in the ADForestDisc.Log file in the <InstallationPath>\Logs folder on the site server. Active Directory Forest Discovery publishing actions are recorded in the hman.log and sitecomp.log in the <InstallationPath>\Logs folder on the site server.

About Delta Discovery

Delta Discovery is not a full discovery method in Configuration Manager, but an option available for the Active Directory System, User, and Group discovery methods. Delta Discovery can identify most changes to a previously discovered resource in Active Directory and use fewer resources than a full discovery cycle. When you enable Delta Discovery for a discovery method, the discovery method searches Active Directory Domain Services (AD DS) for specific attributes that have changed after the discovery methods last full discovery cycle. These changes are submitted to the Configuration Manager database to update the resources discovery record. By default, Delta Discovery runs on a five minute cycle. This is because it uses fewer resources during discovery than a full discovery cycle, and does not affect the performance of the site server as much as a full discovery cycle would. When you use Delta Discovery, consider reducing the frequency of the full discovery cycle for that discovery method.
417

Delta Discovery can detect changes on Active Directory objects. The following are the most common changes that Delta Discovery detects: New computers or users added to Active Directory Changes to basic computer and user information New computers or users that are added to a group Computers or users that are removed from a group Changes to System group objects

Although Delta Discovery can detect new resources, and changes to group membership, it cannot detect when a resource has been deleted from AD DS. DDRs for objects that Delta Discovery discovers are processed similarly to the DDRs that are created by a full discovery cycle. You configure Delta Discovery on the Polling Schedule tab in the properties for each discovery method.

About Heartbeat Discovery

Heartbeat Discovery differs from other Configuration Manager discovery methods. It is enabled by default and runs on each computer client to create a discovery data record (DDR). For mobile device clients, this DDR is created by the management point that is being used by the mobile device client. Heartbeat Discovery runs either on a schedule configured for all clients in the hierarchy, or if manually invoked, on a specific client by running the Discovery Data Collection Cycle on the Action tab in a clients Configuration Manager program. When Heartbeat Discovery runs, it creates a discovery data record (DDR) that contains the clients current information including network location, NetBIOS name, and operational status details. It is a small file, about 1KB, which is copied to a management point, and then processed by a primary site. The submission of a Heartbeat Discovery DDR can maintain an active clients record in the database, and also force discovery of an active client that might have been removed from the database, or that has been manually installed and not discovered by another discovery method. Heartbeat Discovery is the only discovery method that provides details about the client installation status by updating a system resource client attribute that has the value Yes. To send the Heartbeat Discovery record, the client computer must be able to contact a management point. Note With Configuration Manager SP1, the Heartbeat discovery data record also includes the version of the client agent. The default schedule for Heartbeat Discovery is set to every 7 days. If you change the heartbeat discovery interval, ensure that it runs more frequently than the site maintenance task Delete Aged Discovery Data, which deletes inactive client records from the site database. You can configure the Delete Aged Discovery Data task only for primary sites. Note
418

Even when Heartbeat Discovery is disabled, DDRs are still created and submitted for active mobile device clients. This ensures that the Delete Aged Discovery Data task does not affect active mobile devices. When the Delete Aged Discovery Data task deletes a database record for a mobile device, it also revokes the device certificate and blocks the mobile device from connecting to management points. Heartbeat Discovery actions are logged in the following locations: For computer clients ,Heartbeat Discovery actions are recorded on the client in the InventoryAgent.log in the %Windir%\CCM\Logs folder. For mobile device clients, Heartbeat Discovery actions are recorded in the DMPRP.log in the %Program Files%\CCM\Logs folder of the management point that the mobile device client uses.

About Network Discovery

Use Configuration Manager Network Discovery to discover the topology of your network and devices on your network. Network Discovery searches your network for IP-enabled resources by querying servers that run a Microsoft implementation of DHCP, Address Resolution Protocol (ARP) caches in routers, SNMP-enabled devices and Active Directory domains. To successfully discover a resource, Network Discovery must identify the IP address and the subnet mask of the resource. Because different types of devices can connect to the network, Network Discovery can discover resources that cannot support the Configuration Manager client software. For example, devices that can be discovered but not managed include printers and routers. Network Discovery can return several attributes as part of the discovery record it creates. This includes the following: NetBIOS name IP addresses Resource domain System roles SNMP community name MAC addresses

To use Network Discovery, you must specify the level of discovery to run. You also configure one or more discovery mechanisms that enable Network Discovery to query for network segments or devices. You can also configure settings that help control discovery actions on the network. Finally, you define one or more schedules for when Network Discovery runs. Note Complex networks and low bandwidth connections can cause Network Discovery to run slowly and generate significant network traffic. As a best practice, run Network Discovery only when the other discovery methods cannot find the resources that you have to
419

discover. For example, use Network Discovery if you must discover workgroup computers. Workgroup computers are not discovered by other discovery methods. When discovery identifies an IP-addressable object and can determine the objects subnet mask, it creates a discovery data record (DDR) for that object. Network Discovery activity is recorded in the Netdisc.log in <InstallationPath>\Logs on the site server that runs discovery.

Levels of Network Discovery

When you configure Network Discovery, you specify one of three levels of discovery:
Level of discovery Details

Topology

This level discovers routers and subnets but does not identify a subnet mask for objects. In addition to topology, this level discovers potential clients such as computers, and resources such as printers and routers. This level of discovery attempts to identify the subnet mask of objects it finds. In addition to topology and potential clients, this level attempts to discover the computer operating system name and version. This level uses Windows Browser and Windows Networking calls.

Topology and client

Topology, client, and client operating system

With each incremental level, Network Discovery increases its activity and network bandwidth usage. Consider the network traffic that can be generated before you enable all aspects of Network Discovery. For example, when you first use Network Discovery, you might start with only the topology level to identify your network infrastructure. Then, you could reconfigure Network Discovery to discover objects and their device operating systems. You could also configure settings that limit Network Discovery to a specific range of network segments to discover objects in network locations that you require and avoid unnecessary network traffic and discovery of objects from edge routers or from outside your network.

Network Discovery Options

To enable Network Discovery to search for IP-addressable devices, you must configure one or more options that specify how to query for devices. The options are listed in the following table.

420

Option

Details

Requirements

Domains

Specify each domain that you want Network Discovery to query. Network Discovery can discover any computer that you can view from your site server when you browse the network. Network Discovery retrieves the IP address and then uses an Internet Control Message Protocol echo request to ping each device that it finds. The ping command helps determine which computers are currently active.

The site server that runs discovery must have permissions to read the domain controllers in each specified domain. Note To discover computers form the local domain, you must enable the Computer Browser service on at least one computer that is located on the same subnet as the site server that runs Network Discovery. To query a device, you must specify the IP Address or NetBIOS name of the device. You must configure Network Discovery to use the community name of the device, or the device rejects the SNMP-based query.

SNMP Devices

Specify each SNMP device that you want Network Discovery to query. Network Discovery retrieves the ipNetToMediaTable value from any SNMP device that responds to the query. This value returns arrays of IP addresses that are client computers or other resources such as printers, routers, or other IP-addressable devices.

DHCP

Specify each DHCP server that you want Network Discovery to query.

For Network Discovery to successfully query a DHCP server, the computer account of Network Discovery can query both the server that runs discovery 32-bit and 64-bit DHCP servers for must be a member of the a list of devices that are registered DHCP Users group on the DHCP server. with each server. Network Discovery retrieves information by using remote procedure calls to the database on the DHCP server. When Network Discovery enumerates a DHCP server, it For example, this level of access exists when one of the following is true: The specified DHCP server is the DHCP server of the server that runs discovery.
421

Option

Details

Requirements

does not always discover static IP addresses. Network Discovery does not find IP addresses that are part of an excluded range of IP addresses on the DHCP server, and does not discover IP addresses that are reserved for manual assignment. Note Network Discovery supports only DHCP servers that run the Microsoft implementation of DHCP. Important To successfully configure a DHCP server in Network Discovery, your environment must support IPv4. You cannot configure Network Discovery to use a DHCP server in a native IPv6 environment.

The computer that runs discovery and the DHCP server are in the same domain. A two-way trust exists between the computer that runs discovery and the DHCP server. The site server is a member of the DHCP users group.

Note Network Discovery runs in the context of the computer account of the site server that runs discovery. If the computer account does not have permissions to an untrusted domain, both the Domain and DHCP server configurations can fail to discover resources.

Limiting Network Discovery

When Network Discovery queries an SNMP device on the edge of you network, it can identify information about subnets and SNMP devices that are outside your immediate network. You can limit Network Discovery by configuring the SNMP devices that discovery can communicate with, and by specifying the network segments to query. Use the following configurations to limit the scope of Network Discovery:

422

Configuration

Details

Subnets

Configure the subnets that Network Discovery queries when it uses the SNMP and DHCP options. Only the enabled subnets are searched by these two options. For example, a DHCP request can return devices from locations across your whole network. If you want to only discover devices on a specific subnet, specify and enable that specific subnet on the Subnets tab in the Network Discovery Properties dialog box. When you specify and enable subnets, you limit future DHCP and SNMP discovery operations to those subnets. Note Subnet configurations do not limit the objects that the Domains discovery option discovers.

SNMP Community names

To enable Network Discovery to successfully query a SNMP device, configure Network Discovery with the community name of the device. If Network Discovery is not configured by using the community name of the SNMP device, the device rejects the query.

Maximum hops

When you configure the maximum number of router hops, you limit the number of network segments and routers that Network Discovery can query by using SNMP. The number of hops that you configure limits the number of additional devices and network segments that Network Discovery can query.

For example, a topology-only discovery with 0 (zero) router hops discovers the subnet on which the originating server resides, and includes any routers on that subnet. The following diagram shows what a topology-only Network Discovery finds when it runs on Server 1 with 0 router hops specified: subnet D and Router 1.

The following diagram shows what a topology and client Network Discovery finds when it runs on Server 1 with 0 router hops specified: subnet D and Router 1, and all potential clients on subnet D.
423

Configuration

Details

To get a better idea of how additional router hops can increase the amount of network resources that are discovered, consider the following network:

Running a topology-only Network Discovery from Server 1 with one router hop discovers the following: Router 1 and subnet 10.1.10.0 (found with zero hops). Subnets 10.1.20.0 and 10.1.30.0, subnet A, and Router 2 (found on the first hop). Warning Each increase to the number of router hops can significantly increase the number of discoverable resources and increase the network bandwidth that Network Discovery uses.

Discovery Data Records Created by Network Discovery

When Network Discovery discovers an object, it creates a discovery data record (DDR) for that object. For Network Discovery to discover an object, it must identify the object IP address and
424

then identify its subnet mask. If Network Discovery cannot determine the subnet mask of an object, it does not create a DDR. Network Discovery uses the following methods to identify the subnet mask of an object:
Method Details Limitation

Router ARP cache

Network Discovery queries the ARP cache of a router to find subnet information.

Typically, data in a router ARP cache has a short time-to-live. When Network Discovery queries the ARP cache, the ARP cache might no longer contain information about the requested object. Network Discovery supports only DHCP servers that run the Microsoft implementation of DHCP.

DHCP

Network Discovery queries each DHCP server that you specify to discover the devices for which the DHCP server has provided a lease. Network Discovery can directly query a SNMP device.

SNMP Device

For Network Discovery to query a device, the device must have a local SNMP agent installed. You must also configure Network Discovery to use the community name that is being used by the SNMP agent.

Configuration Manager processes DDRs that are created by Network Discovery just as it processes DDRs that are created by other discovery methods.

About Discovery Data Records

Discovery data records (DDRs) are files created by a discovery method that contain information about a resource you can manage in Configuration Manager. DDRs contain information about computers, users and in some cases, network infrastructure. They are processed at primary sites or at central administration sites. After the resource information in the DDR is entered into the database, the DDR is deleted and the information replicates as global data to all sites in the hierarchy. The site at which a DDR is processed depends on the information it contains: DDRs for newly discovered resources that are not in the database are processed at the toplevel site of the hierarchy. The top-level site creates a new resource record in the database and assigns it a unique identifier. DDRs transfer by file-based replication until they reach the top-level site.
425

DDRs for previously discovered objects are processed at primary sites. Child primary sites do not transfer DDRs to the central administration site when the DDR contains information about a resource that is already in the database. Secondary site do not process discovery data records and always transfer them by file-based replication to their parent primary site.

DDR files are identified by the .ddr extension, and have a typical size of about 1 KB.

Decide Where to Run Discovery

When you plan to use discovery in Configuration Manager, you must consider where to run each discovery method. After Configuration Manager adds discovery data to a database, it is quickly shared between all sites in the hierarchy. Because there is no benefit to discovering the same information at multiple sites in your hierarchy, consider configuring a single instance of each discovery method that you use to run at a single site instead of running multiple instances of a single method at different sites. However, periodically it might help assign the same discovery method to run at multiple sites, each with a separate configuration and schedule. This is because at each site, all configurations for a single discovery method are evaluated every time that discovery method runs. If you do configure multiple instances of a single discovery method to run at different sites, plan the configuration of each carefully to avoid having two or more discovery processes discover the same resources. Discovering the same locations and resources at multiple sites can consume additional network bandwidth and create duplicate DDRs for resources that add no value and must still be processed by your site servers. The following table identifies at which sites you can configure the different discovery methods.
Discovery method Supported locations

Active Directory Forest Discovery

Central administration site Primary Site Primary site Primary site Primary site Primary site Primary site Secondary site

Active Directory Group Discovery Active Directory System Discovery Active Directory User Discovery Heartbeat Discovery Network Discovery
1

Secondary sites cannot configure Heartbeat Discovery but can receive the Heartbeat DDR from a client.

426

When secondary sites run Network Discovery, or receive Heartbeat Discovery DDRs, they transfer the DDR by file-based replication to their parent primary site. This is because only primary sites and central administration sites can process discovery data records (DDRs). For more information about how DDRs are processed, see About Discovery Data Records in this topic. Consider the following when you plan where to run discovery: When you use an Active Directory Discovery method for systems, users, or groups: Run discovery at a site that has a fast network connection to your domain controllers. Consider the Active Directory replication topology to ensure discovery can access the latest information. Consider the scope of the discovery configuration and limit discovery to only those Active Directory locations and groups that you have to discover. Use a limited initial configuration to identify your network topography. After you identify your network topography, configure Network Discovery to run at specific sites that are central to the network areas that you want to more fully discover.

If you use Network Discovery:

Because Heartbeat Discovery does not run at a specific site, you do not have to consider it in general planning for where to run discovery. Because each site server and network environment is different, limit your initial discovery configurations and closely monitor each site server for its ability to process the discovery data that is generated.

Best Practices for Discovery

Use the following best practices information to help you use discovery in System Center 2012 Configuration Manager.

Run Active Directory System Discovery and Active Directory User Discovery before you run Active Directory Group Discovery
When Active Directory Group Discovery identifies a previously undiscovered user or computer as a member of a group, it attempts to discover basic details for the user or computer. Because Active Directory Group Discovery is not optimized for this type of discovery, this process can cause Active Directory Group Discovery to run slow. Additionally, Active Directory Group Discovery identifies only the basic details about users and computers is discovers, and does not create a complete user or computer discovery record. When you run Active Directory System Discovery and Active Directory User Discovery, the additional Active Directory attributes for each object type are available, and as a result, Active Directory Group Discovery runs more efficiently.

427

When you configure Active Directory Group Discovery, only specify groups that you use with Configuration Manager
To help control the use of resources by Active Directory Group Discovery, specify only those groups that you use with Configuration Manager. This is because Active Directory Group Discovery recursively searches each group it discovers for users, computers, and nested groups. The search of each nested group can expand the scope of Active Directory Group Discovery and reduce performance. Additionally, when you configure delta discovery for Active Directory Group Discovery, the discovery method monitors each group for changes. This further reduces performance when the method must search unnecessary groups.

Configure discovery methods with a longer interval between full discovery, and a more frequent period of delta discovery
Because delta discovery uses fewer resources than a full discovery cycle, and can identify new or modified resources in Active Directory, when you use delta discovery you can reduce the frequency of full discovery cycles to run one per week or less. Delta discovery for Active Directory System Discovery, Active Directory User Discovery and Active Directory Group Discovery identifies almost all the changes of Active Directory objects and can maintain accurate discovery data for resources.

Run Active Directory Discovery methods at primary site that has a network location that is closest to your Active Directory domain controller
To improve the performance of Active Directory discovery, it is recommended to run discover at a primary site that has a fast network connection to your domain controllers. If you run the same Active Directory discovery method at multiple sites, it is recommended to configure each discovery method to avoid overlap. Unlike past versions of Configuration Manager, discovery data is shared between sites. Therefore, it is not necessary to discovery the same information at multiple sites. For more information, see Decide Where to Run Discovery.

Run Active Directory Forest Discovery at a only one site when you plan to automatically create boundaries from the discovery data
If you run Active Directory Forest Discovery at more than one site in a hierarchy, it is recommended to only enable options to automatically create boundaries at a single site. This is because when Active Directory Forest Discovery runs at each site and creates boundaries, Configuration Manager cannot merge those boundaries into a single boundary object. When you configure Active Directory Forest Discovery to automatically create boundaries at multiple sites, the result can be duplicated boundary objects in the Configuration Manager console.

428

See Also
Planning for Configuration Manager Sites and Hierarchy

Planning for Client Settings in Configuration Manager

Use client settings in System Center 2012 Configuration Manager to configure user and device settings for the hierarchy. Client settings include configuration options such as the hardware inventory and schedule, and the polling schedule for client policy. All Configuration Manager clients in the hierarchy use the Default Client Settings that are automatically created when you install Configuration Manager. However, you can modify the default client settings and you can create custom client settings to override the default client settings for specific users or devices. When you create a set of custom client settings, you must assign it to one or more collections for the settings to be applied to the collection members. If you apply multiple sets of custom client settings to the same user or device, you can control the order in which these settings are applied according to the order that you specify. Custom device or user settings with an Order value of 1 are always processed last and will override any other configurations. The Default Client Settings has a permanent order of 10,000, which ensures it is always applied before any custom settings are applied. When there is a conflict of settings, the client setting that was applied last (with the lower order value) overrides any previous settings. You can view the resultant client settings for a user or a device by using the System Center 2012 Configuration Manager reports. You can create custom client settings at the central administration site or from any primary site in the hierarchy. Custom settings replicate to all sites in the hierarchy. For information about how to configure client settings, see How to Configure Client Settings in Configuration Manager. For information about client settings for clients that run Linux and UNIX in Configuration Manager SP1, see the Client Settings for Linux and UNIX Servers section in the How to Manage Linux and UNIX Clients in Configuration Manager topic.

Whats New in Configuration Manager

Note The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide. In Configuration Manager 2007, client agent settings are configured on a per-site basis and you cannot configure these settings for the whole hierarchy. In System Center 2012 Configuration Manager, client agent settings and other client settings are grouped into centrally configurable client settings objects that are applied at the hierarchy. To view and configure these,
429

modify the default client settings. If you need additional flexibility for groups of users or computers, configure custom client settings and assign them to collections. For example, you can configure remote control to be available only on specified collections of computers.

See Also
Planning for Configuration Manager Sites and Hierarchy

Planning for Site Systems in Configuration Manager

System Center 2012 Configuration Manager uses site system roles to support operations at each site. Computers that host the Configuration Manager site are named site servers, and computers that host the other site system roles are named site system servers. The site server is also a site system server. Site system servers within the same site communicate with each other by using server message block (SMB), HTTP, or HTTPS, depending on the site configuration selections that you make. Because these communications are unmanaged and can occur at any time without network bandwidth control, review your available network bandwidth before you install site system servers and configure the site system roles. At each site, you can install available site system roles on the site server or install one or more site system roles on another site system server. Configuration Manager does not limit the number of site system roles that you can run on a single site system server. However, Configuration Manager does not support site system roles from different sites on the same site system server. Additionally, Configuration Manager supports some site system roles only at specific sites in a hierarchy, and some site system roles have other limitations as to where and when you can install them. Use the following sections to help you plan for site systems: Site System Roles in Configuration Manager Planning for Proxy Servers Configurations for Site System Roles Planning Where to Install Sites System Roles in the Hierarchy Planning for Database Servers in Configuration Manager Planning for the SMS Provider in Configuration Manager Planning for Custom Websites with Configuration Manager

Whats New in Configuration Manager SP1

With Configuration Manager SP1, you can configure a proxy server on each site system server for use by all site system roles installed on that computer. This is not a new site system role, but a configuration for site system server computers.
430

Site System Roles in Configuration Manager

When you install a site, several site system roles automatically are installed on the servers that you specify during Setup. After a site is installed, you can install additional site system roles on those servers or on additional computers that you decide to use as site system servers. The following sections identify the default site system roles and the optional site system roles that are available in Configuration Manager.

Default Site System Roles

When you install a Configuration Manager site, several default site system roles are automatically installed for the site. These site system roles are required for the core operation of each site and although some default site system roles can be moved to other servers, they cannot be removed from the site. Additionally, some default site system roles are installed on additional site system servers when you install optional site system roles. The default site system roles are described in the following table.
Site system role Description

Configuration Manager site server

The site server role is automatically installed on the server from which you run Configuration Manager Setup when you install a central administration site or primary site. When you install a secondary site, the site server role is installed on the server that you specify as the secondary site server. Site systems are computers that provide Configuration Manager functionality to a site. Each site system hosts one or more site system roles. Most site system roles are optional, and you install them only if you have to use them for specific management tasks. Other site system roles are automatically installed on a site system and cannot be configured. This role is assigned during Configuration Manager site installation or when you add an optional site system role to another server.

Configuration Manager site system

Configuration Manager component site system role

Any site system that runs the SMS Executive service also installs the component site system role. This role is required to support other roles, such as a management point, and it is installed and
431

Site system role

Description

removed with the other site system roles. This role is always assigned to the site server when you install Configuration Manager. Configuration Manager site database server The site database server is a computer that runs a supported version of Microsoft SQL Server, and it stores information for Configuration Manager sites, such as discovery data, hardware and software inventory data, and configuration and status information. Each site in the Configuration Manager hierarchy contains a site database and a server that is assigned the site database server role. You can install SQL Server on the site server, or you can reduce the CPU usage of the site server when you install SQL Server on a computer other than the site server. Secondary sites can use SQL Server Express instead of a full SQL Server installation. The site database can be installed on the default instance of SQL Server or on a named instance on a single computer that is running SQL Server. It can be installed on a named instance on a SQL Server cluster. Typically, a site system server supports site systems roles from a single Configuration Manager site only; however, you can use different instances of SQL Server on clustered or non-clustered servers running SQL Server to host the database for different Configuration Manager sites. For this configuration, you must configure each instance of SQL Server to use different ports. This role is installed when you install Configuration Manager. SMS Provider The SMS Provider is the interface between the Configuration Manager console and the site database. This role is installed when you install a central administration site or primary site. Secondary sites do not install the SMS Provider. You can install the
432

Site system role

Description

SMS Provider on the site server, the site database server (unless the site database is hosted on a clustered instance of SQL Server), or on another computer. You can also move the SMS Provider to another computer after the site is installed, or install multiple SMS Providers on additional computers. To move or install additional SMS Providers for a site, run Configuration Manager Setup, select the option Perform site maintenance or reset the Site, click Next , and then on the Site Maintenance page, select the option Modify SMS Provider configuration. Note The SMS Provider is only supported on computers that are in the same domain as the site server.

Optional Site System Roles

Optional site system roles are site system roles that are not required for the core operation of a Configuration Manager site. However, by default, the management point and distribution point, which are optional site system roles, are installed on the site server when you install a primary or secondary site. Although these two site system roles are not required for the core operation of the site, you must have at least one management point to support clients at those locations. After you install a site, you can move the default location of the management point or distribution point to another server, install additional instances of each site system role, and install other optional site system roles to meet your business requirements. The optional site system roles are described in the following table.
Site system role Description

Application Catalog web service point

A site system role that provides software information to the Application Catalog website from the Software Library.

Application Catalog website point

A site system role that provides users with a list of available software from the Application Catalog.
433

Site system role

Description

Asset Intelligence synchronization point

A site system role that connects to Microsoft to download Asset Intelligence catalog information and upload uncategorized titles so that they can be considered for future inclusion in the catalog. This site system role can only be installed on the central administration site or a stand-alone primary site. For more information about planning for Asset Intelligence, see Prerequisites for Asset Intelligence in Configuration Manager. A site system role that contains source files for clients to download, such as application content, software packages, software updates, operating system images, and boot images. You can control content distribution by using bandwidth, throttling, and scheduling options. For more information, see Planning for Content Management in Configuration Manager. A site system role that helps you monitor client installation and identify the clients that are unmanaged because they cannot communicate with their management point. A site system role that provides policy and service location information to clients and receives configuration data from clients. You must install at least one management point at each primary site that manages clients, and at each secondary site where you want to provide a local point of contact for clients to obtain computer and user polices.

Distribution point

Fallback status point

Management point

Endpoint Protection point

A site system role that Configuration Manager uses to accept the Endpoint Protection license terms and to configure the default membership for Microsoft Active Protection Service. A site system role that uses PKI certificates for Configuration Manager to enroll mobile devices and Mac computers, and to provision Intel
434

Enrollment point

Site system role

Description

AMT-based computers

Enrollment proxy point

A site system role that manages Configuration Manager enrollment requests from mobile devices and Mac computers.

Out of band service point

A site system role that provisions and configures Intel AMT-based computers for out of band management.

Reporting services point

A site system role that integrates with SQL Server Reporting Services to create and manage reports for Configuration Manager. For more information, see Planning for Reporting in Configuration Manager. A site system role that integrates with Windows Server Update Services (WSUS) to provide software updates to Configuration Manager clients. For more information, see Planning for Software Updates in Configuration Manager. A site system role that stores user state data when a computer is migrated to a new operating system. For more information about storing user state when you deploy an operating system, see How to Manage the User State in Configuration Manager. A site system role that validates Configuration Manager Network Access Protection (NAP) policies. It must be installed on a NAP health policy server.

Software update point

State migration point

System Health Validator point

Windows Intune connector

A site system role in Configuration Manager SP1 that uses Windows Intune to manage mobile devices in the Configuration Manager console.

435

Planning for Proxy Servers Configurations for Site System Roles

For Configuration Manager SP1 only: During normal operation, several Configuration Manager site system roles require connections to the Internet. Typically, this connection is made in the system context of the computer where the site system role is installed and cannot use a proxy configuration for typical user accounts. When a proxy server is required to complete a connection to the Internet, you must configure the computer to use a proxy server. For Configuration Manager with no service pack, you must manually configure the proxy server for the system context outside of Configuration Manager. With Configuration Manager SP1, you can use the Configuration Manager console to configure each site system server to use a proxy server. This proxy server configuration is used by each applicable site system role that is installed on that computer. For example, a software update point might connect to Microsoft to download updates, and with Configuration Manager SP1 when you use a cloud-based distribution point, the primary site server that manages the cloud-based distribution point must connect to Windows Azure. The following table identifies the site system roles that can use a proxy server:
Site system role Configuration Manager version Details

Asset Intelligence synchronization point

Configuration Manager with no service pack Configuration Manager with SP1

This site system role connects to Microsoft and will use a proxy server configuration on the computer that hosts the Asset Intelligence synchronization point. When you use a cloud-based distribution point, the primary site that manages the cloudbased distribution point must be able to connect to Windows Azure to provision, monitor, and distribute content to the distribution point. If a proxy server is required for this connection, you must configure the proxy server on the primary site server. You cannot configure a proxy server on the cloud-baseddistribution point in Windows Azure.
436

Cloud-based distribution point

Configuration Manager with SP1

Site system role

Configuration Manager version

Details

For more information see the Configure Proxy Settings for Primary Sites that Manage Cloud Services section in the Install and Configure Site System Roles for Configuration Manager topic. Exchange Server connector Configuration Manager with no service pack Configuration Manager with SP1 This site system role connects to an Exchange Server and will use a proxy server configuration on the computer that hosts the Exchange Server connector. This site system role can require connections to Microsoft Update to download patches and synchronize information about updates. With Configuration Manager with no service pack you can configure proxy server settings for the active software update point. With Configuration Manager SP1, proxy server options are only available for the software update point when there is already a proxy configured for the site system server. For more information about proxy servers for software update points, see the Proxy Server Settings section in the Configuring Software Updates in Configuration Manager topic. Windows Intune connector Configuration Manager with SP1 This site system role connects to Windows Intune and will use a proxy server configuration on the computer that hosts the
437

Software updates point

Configuration Manager with no service pack Configuration Manager with SP1

Site system role

Configuration Manager version

Details

Windows Intune connector. With Configuration Manager SP1 you can configure the proxy server for a site system server when you install a site system role by using the Add Site System Roles Wizard or the Create Site System Server Wizard. After you have installed a site system server, you can configure a proxy server by editing the properties for the site system server. Each site system server supports only a single proxy server configuration. If you configure a new proxy server when you install site system role or edit the site system server properties, the new proxy server configuration replaces the previously configured proxy server for that site system server. The proxy server configuration is shared by all site system roles that run on a computer. There is no support for individual site system roles that run on the same computer to use different proxy server configurations. If you require different site system roles to use different proxy servers, you must install the site system roles on different site system server computers. Typically, when you configure the proxy server, each site system role on that computer that supports using the proxy server will use the proxy server with no additional configuration required. An exception to this is the software update point. By default, a software update point does not use an available proxy server unless you also enable the following options when you configure the software update point: Use a proxy server when synchronizing software updates Use a proxy server when downloading content by using automatic deployment rules Tip A proxy server must be configured on the site system server that hosts the software update point before you can select either option. The proxy server is only used for the specific options you select. Because each site system server supports a single proxy server configuration, if you add a new site system role to a computer and specify a different proxy server configuration than is already configured, the new replaces the previous proxy server configuration. Similarly, after you configure a proxy server for a site system server, if you edit the properties of the site system and change the proxy server configuration, this new configuration replaces the previous proxy server configuration. For procedures about configuring the proxy server for site system roles, see the Install and Configure Site System Roles for Configuration Manager topic.

Planning Where to Install Sites System Roles in the Hierarchy

Before you install site system roles, identify the site types that can or cannot support specific site system roles, and how many instances of each site system role you can install at a site or across a hierarchy.
438

You can install some site system roles at only the top-level site in a hierarchy. A top-level site can be a central administration site of a multi-primary site hierarchy or a stand-alone primary site if your hierarchy consists of a single primary site with one or more secondary child sites. Additionally, some site system roles support only a single instance per hierarchy. However, most site system roles support multiple instances across the hierarchy and at individual sites.

Site System Role Placement in the Hierarchy

Use the following table to identify the site system roles that you can install at each type of site in a System Center 2012 Configuration Manager hierarchy, and whether the site system role provides functionality for its site only, or for the entire hierarchy. You can install any supported site system role on the site server computer or on a remote site system server at a central administration site or primary site. At a secondary site, only the distribution point is supported on a remote site system server.
Site system role Central administration site Child primary site Stand-alone Secondary primary site site Site-specific or hierarchywide option

Application Catalog web service point Application Catalog website point Asset Intelligence synchronization 1 point Distribution 2, 5 point Fallback status point Management 2, 3, 5 point Endpoint Protection point Enrollment point Enrollment proxy point

No

Yes

Yes

No

Hierarchy

No

Yes

Yes

No

Hierarchy

Yes

No

Yes

No

Hierarchy

No

Yes

Yes

Yes

Site

No

Yes

Yes

No

Hierarchy

No

Yes

Yes

Yes

Site

Yes

No

Yes

No

Hierarchy

No No

Yes Yes

Yes Yes

No No

Site Site

439

Site system role

Central administration site

Child primary site

Stand-alone Secondary primary site site

Site-specific or hierarchywide option

Out of band service point Reporting services point Software update 4, 5 point State migration 5 point System Health Validator point Windows Intune connector
1 2

No

Yes

Yes

No

Site

Yes

Yes

Yes

No

Hierarchy

Yes

Yes

Yes

Yes

Site

No

Yes

Yes

Yes

Site

Yes

Yes

Yes

No

Hierarchy

Yes

No

Yes

No

Hierarchy

Configuration Manager supports only a single instance of this site system role in a hierarchy.

By default, when you install a secondary site, a management point and a distribution point are installed on the secondary site server.
3

This role is required to support clients in Configuration Manager. Secondary sites do not support more than one management point and this management point cannot support mobile devices that are enrolled by Configuration Manager. For more information about the site system roles that support clients in Configuration Manager, see Determine the Site System Roles for Client Deployment in Configuration Manager.
4

When your hierarchy contains a central administration site, install a software update point at this site that synchronizes with Windows Server Update Services (WSUS) before you install a software update point at any child primary site. When you install software update points at a child primary site, configure it to synchronize with the software update point at the central administration site.
5

At a secondary site, all site system roles must be located on the site server computer. The only exception is the distribution point. Secondary sites support installing distribution points on the site server computer and on remote computers.

Considerations for Placement of Site System Roles

Use the following table to help you decide where to install the site system roles.

440

Site system role

Considerations

Application Catalog website point

When the Application Catalog supports client computers on the Internet, as a security best practice, install the Application Catalog website point in a perimeter network and the Application Catalog web service point on the intranet. Configuration Manager supports a single instance of this site system role in a hierarchy and only at the top-level site in the hierarchy. Configuration Manager supports a single instance of this site system role in a hierarchy and only at the top-level site in the hierarchy. If a user enrolls mobile devices by using Configuration Manager and their Active Directory account is in a forest that is untrusted by the site server's forest, you must install an enrollment point in the users forest so that the user can be authenticated. When you support mobile devices on the Internet, as a security best practice, install the enrollment proxy point in a perimeter network and the enrollment point on the intranet. Although you can install more than one fallback status point in a primary site, clients can be assigned to only one fallback status point and this assignment occurs during client installation: If you install clients by using client push installation, the first fallback status point that is installed for the site is automatically assigned to clients. If you have two fallback status points in the site so that one fallback status point accepts client connections from the Internet (for example, it is in a perimeter network), and the other fallback status point accepts client connections on the intranet only, assign the Internet-based clients to the Internet-based fallback status point.

Asset Intelligence synchronization point

Endpoint Protection point

Enrollment point

Enrollment proxy point

Fallback status point

Management point

You cannot install a System Center 2012 Configuration Manager management point on a
441

Site system role

Considerations

server that has a Configuration Manager 2007 client installed. You must first uninstall the Configuration Manager 2007 client. Out of band service point Install this site system to support out of band management for Intel AMT-based computers. In Configuration Manager, this site system must be installed in a primary site that also contains the enrollment point. The out of band service point cannot provision AMT-based computers in a different forest. Software update point Install this site system in the central administration site to synchronize with Windows Server Update Services and in all primary sites that use the Software Updates feature. Also consider installing a software update point in secondary sites when data transfer across the network is slow. Install this site system role in either a primary site or a secondary site. Consider installing a state migration point in secondary sites when data transfer across the network is slow. Install this site system role in the central administration site and at any primary site. Note A reporting services point installed in a primary site rather than a central administration site can display data from that primary site only. Distribution point Install this site system role in primary sites and secondary sites to distribute software to clients by using Background Intelligent Transfer Service (BITS), Windows BranchCache, multicast for operating system deployment, and streaming for application virtualization. Note When the distribution point is offline or in sleep mode from a power management policy, for example,
442

State migration point

Reporting services point

Site system role

Considerations

software deployments might fail. Windows Intune connector Configuration Manager supports a single instance of this site system role in a hierarchy and only at the top-level site in the hierarchy.

Planning for Database Servers in Configuration Manager

The site database server is a computer that runs a supported version of Microsoft SQL Server that stores information for Configuration Manager sites. Each site in a System Center 2012 Configuration Manager hierarchy contains a site database and a server that is assigned the site database server role. For central administration sites and primary sites, you can install SQL Server on the site server, or you can install SQL Server on a computer other than the site server. For secondary sites, you can use SQL Server Express instead of a full SQL Server installation; however, the database server must be co-located with the site server. You can install the site database on the default instance of SQL Server, a named instance on a single computer running SQL Server, or on a named instance on a clustered instance of SQL Server. Typically, a site system server supports site system roles from only a single Configuration Manager site; however, you can use different instances of SQL Server, on clustered or nonclustered servers running SQL Server, to host a database from different Configuration Manager sites. To support databases from different sites, you must configure each instance of SQL Server to use unique ports for communication.

SQL Server Configurations for Database Servers

To successfully configure a SQL Server installation for use as a Configuration Manager site database server, ensure that the following required SQL Server configurations are specified. Also, be familiar with the optional configurations and planning for service principal names (SPNs), database server location planning, and how to modify the database configuration after a site has completed installation.

Prerequisites for Database Servers

Before you specify a computer to host the site database for any site, ensure that it meets the prerequisites for database servers. Before installing SQL Server, you must be familiar with the Configurations for the SQL Server Site Database section of the Supported Configurations for Configuration Manager topic.

443

Database Server Locations

At a central administration site and at primary sites, you can co-locate the database server on the site server, or place it on a remote server. At secondary sites, the database server is always colocated on the secondary site server. If you use a remote database server computer, ensure the intervening network connection is a high-availability, high-bandwidth network connection. This is because the site server and some site system roles must constantly communicate with the SQL Server that is hosting the site database. Consider the following when you select a remote database server location: The amount of bandwidth required for communications to the database server depends upon a combination of many different site and client configurations; therefore, the actual bandwidth required cannot be adequately predicted. Each computer that runs the SMS Provider and that connects to the site database increases network bandwidth requirements. The computer that runs SQL Server must be located in a domain that has a two-way trust with the site server and all computers running the SMS Provider. You cannot use a clustered SQL Server for the site database server when the site database is co-located with the site server.

SQL Server Service Principal Names

A Service Principal Name (SPN) for the Configuration Manager site database server must be registered in Active Directory Domain Services for the SQL Server service account. The registered SPN lets SQL clients identify and authenticate the service by using Kerberos authentication. When you configure SQL Server to use the local system account to run SQL Server services, the SPN is automatically created in Active Directory Domain Services. When a local domain user account is in use, you must manually register the SPN for the account. Without registering the SPN for the SQL Server service account, SQL clients and other site systems are not able to perform Kerberos authentication, and communication to the database might fail. Important Running the SQL Server service by using the local system account of the computer running SQL Server is not a SQL Server best practice. For the most secure operation of SQL Server site database servers, configure a low-rights domain user account to run the SQL Server service. For information about how to register the SPN when you use a domain user account, see How to Manage the SPN for SQL Server Site Database Servers in this documentation library.

444

About Modifying the Database Configuration

After you install a site, you can manage the configuration of the site database and site database server by running Setup on a central administration site server or primary site server. It is not supported to manage the database configuration for a secondary site. For more information about modifying the site database configuration, see Modify the Site Database Configuration in this documentation library.

About Modifying the Database Server Alert Threshold

By default, Configuration Manager generates alerts when free disk space on a site database server is low. The defaults are set to generate a warning when there is 10 GB or less of free disk space, and a critical alert when there is 5 GB or less of free disk space. You can modify these values or disable alerts for each site. To change these settings: 1. In the Administration workspace, expand Site Configuration, and then click Sites. 2. Select the site that you want to configure and open that sites Properties. 3. In the sites Properties dialog box, select the Alert tab, and then edit the settings. 4. Click OK to close the site properties dialog box.

Planning for the SMS Provider in Configuration Manager

The SMS Provider is a Windows Management Instrumentation (WMI) provider that assigns read and write access to the Configuration Manager database at a site. The SMS Admins group provides access to the SMS Provider and Configuration Manager automatically creates this security group on the site server and on each SMS Provider computer. You must have at least one SMS Provider in each central administration site and primary site. These sites also support the installation of additional SMS Providers. Secondary sites do not install the SMS Provider. The Configuration Manager console, Resource Explorer, tools, and custom scripts use the SMS Provider so that Configuration Manager administrative users can access information that is stored in the database. The SMS Provider does not interact with Configuration Manager clients. When a Configuration Manager console connects to a site, the Configuration Manager console queries WMI on the site server to locate an instance of the SMS Provider to use. The SMS Provider helps enforce Configuration Manager security. It returns only the information that the administrative user who is running the Configuration Manager console is authorized to view. Important When each computer that holds an SMS Provider for a site is offline, Configuration Manager consoles cannot connect to that sites database.

445

Use the following sections in this topic to plan for the SMS Provider. For information about how to manage the SMS Provider, see Manage the SMS Provider Configuration for a Site.

SMS Provider Prerequisites

Before you install the SMS Provider on a computer, ensure that the computer meets the following prerequisites: The computer must be in a domain that has a two-way trust with the site server and the site database site systems. The computer cannot have a site system role from a different site. The computer cannot have an SMS Provider from any site. The computer must run an operating system that is supported for a site server. The computer must have at least 650 MB of free disk space to support the Windows Automated Installation Kit (Windows AIK) components that are installed with the SMS Provider. For more information about Windows AIK and the SMS Provider, see the Operating System Deployment Requirements for the SMS Provider section in this topic. Note In Configuration Manager SP1, the Windows ADK replaces the Windows AIK. For more information, see Prerequisites For Deploying Operating Systems in Configuration Manager topic in the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide.

About SMS Provider Locations

When you install a site, the installation automatically installs the first SMS Provider for the site. You can specify any of the following supported locations for the SMS Provider: The site server computer The site database computer A server-class computer that does not hold an SMS Provider, or a site system role from a different site

Each SMS Provider supports simultaneous connections from multiple requests. The only limitations on these connections are the number of server connections that are available on the SMS Provider computer, and the available resources on the SMS Provider computer to service the connection requests. After a site is installed, you can run Setup on the site server again to change the location of an existing SMS Provider, or to install additional SMS Providers at that site. You can install only one SMS Provider on a computer, and a computer cannot install an SMS Provider from more than one site. Use the following table to identify the advantages and disadvantages of installing an SMS Provider on each supported location.

446

Location

Advantages

Disadvantages

Configuration Manager site server

The SMS Provider does not use the system resources of the site database computer. This location can provide better performance than an SMS Provider located on a computer other than the site server or site database computer. The SMS Provider does not use site system resources on the site server. This location can provide the best performance of the three locations, if sufficient server resources are available.

The SMS Provider uses system and network resources that could be dedicated to site server operations.

SQL Server that is hosting the site database

The SMS Provider uses system and network resources that could be dedicated to site database operations. This location is not an option when the site database is hosted on a clustered instance of SQL Server. The SMS Provider performance might be reduced due to the additional network traffic that is required to coordinate with the site server and the site database computer. This server must be always accessible to the site database computer and all computers with the Configuration Manager console installed. This location can use system resources that would otherwise be dedicated to other services.

Computer other than the site server or site database computer

SMS Provider does not use site server or site database computer resources. This type of location lets you deploy additional SMS Providers to provide high availability for connections.

To view the locations of each SMS Provider that is installed at a site, view the General tab of the site Properties dialog box.
447

About SMS Provider Languages

The SMS Provider operates independently of the display language of the computer where it is installed. When an administrative user or Configuration Manager process requests data by using the SMS Provider, the SMS Provider attempts to return that data in a format that matches the operating system language of the requesting computer. The SMS Provider does not translate information from one language to another. Instead, when data is returned for display in the Configuration Manager console, the display language of the data depends on the source of the object and type of storage. When data for an object is stored in the database, the languages that will be available depend on the following: Objects that Configuration Manager creates are stored in the database by using support for multiple languages. The object is stored by using the languages that are configured at the site where the object is created when you run Setup. These objects are displayed in the Configuration Manager console in the display language of the requesting computer, when that language is available for the object. If the object cannot be displayed in the display language of the requesting computer, it is displayed in the default language, which is English. Objects that an administrative user creates are stored in the database by using the language that was used to create the object. These objects display in the Configuration Manager console in this same language. They cannot be translated by the SMS Provider and do not have multiple language options.

About Multiple SMS Providers

After a site completes installation, you can install additional SMS Providers for the site. To install additional SMS Providers, run Configuration Manager Setup on the site server. Consider installing additional SMS Providers when any of the following is true: You will have a large number of administrative users that run a Configuration Manager console and connect to a site at the same time. You will use the Configuration Manager SDK, or other products, that might introduce frequent calls to the SMS Provider. You want to ensure high availability for the SMS Provider.

When multiple SMS Providers are installed at a site and a connection request is made, the site non-deterministically assigns each new connection request to use an installed SMS Provider. You cannot specify the SMS Provider location to use with a specific connection session. Note Consider the advantages and disadvantages of each SMS Provider location and balance these considerations with the information that you cannot control which SMS Provider will be used for each new connection. For example, when you first connect a Configuration Manager console to a site, the connection queries WMI on the site server to non-deterministically identify an instance of the SMS Provider that the console will use. This specific instance of the SMS Provider remains in use by the
448

Configuration Manager console until the Configuration Manager console session ends. If the session ends because the SMS Provider computer becomes unavailable on the network, when you reconnect the Configuration Manager console the site will non-deterministically assign an SMS Provider computer to the new connection session. It is possible to be assigned to same SMS Provider computer that is not available. If this occurs, you can attempt to reconnect the Configuration Manager console until an available SMS Provider computer is assigned.

About the SMS Admins Group

You use the SMS Admins group to provide administrative users access to the SMS Provider. The group is automatically created on the site server when the site installs, and on each computer that installs an SMS Provider. Additional information about the SMS Admins group: When the computer is a member server, the SMS Admins group is created as a local group. When the computer is a domain controller, the SMS Admins group is created as a domain local group. When the SMS Provider is uninstalled from a computer, the SMS Admins group is not removed from the computer.

Before a user can make a successful connection to an SMS Provider, their user account must be a member of the SMS Admins group. Each administrative user that you configure in the Configuration Manager console is automatically added to the SMS Admins group on each site server and to each SMS Provider computer in the hierarchy. When you delete an administrative user from the Configuration Manager console, that user is removed from the SMS Admins group on each site server and on each SMS Provider computer in the hierarchy. After a user makes a successful connection to the SMS Provider, role-based administration determines what Configuration Manager resources that user can access or manage. You can view and configure SMS Admins group rights and permissions by using the WMI Control MMC snap-in. By default, Everyone has Execute Methods, Provider Write, and Enable Account permissions. After a user connects to the SMS Provider, that user is granted access to data in the site database based on their role-based administrative security rights as defined in the Configuration Manager console. The SMS Admins group is explicitly granted Enable Account and Remote Enable on the Root\SMS namespace. Note Each administrative user who uses a remote Configuration Manager console requires Remote Activation DCOM permissions on the site server computer and on the SMS Provider computer. Although you can grant these rights to any user or group, as best practice, grant them to the SMS Admins group to simplify administration. For more information, see the Configure DCOM Permissions for Remote Configuration Manager Console Connections section in the Manage Site and Hierarchy Configurations topic.

449

About the SMS Provider Namespace

The structure of the SMS Provider is defined by the WMI schema. Schema namespaces describe the location of Configuration Manager data within the SMS Provider schema. The following table contains some of the common namespaces that are used by the SMS Provider.
Namespace Description

Root\SMS\site_<site code>

The SMS Provider, which is extensively used by the Configuration Manager console, Resource Explorer, Configuration Manager tools, and scripts. Provides the location of the SMS Provider computers for a site. Location inventoried for WMI namespace information during hardware and software inventory. Configuration Manager client configuration policies and client data. Location of inventory reporting classes that are collected by the inventory client agent. These settings are compiled by clients during computer policy evaluation and are based on the client settings configuration for the computer.

Root\SMS\SMS_ProviderLocation

Root\CIMv2

Root\CCM

root\CIMv2\SMS

Operating System Deployment Requirements for the SMS Provider

The SMS Provider requires the following external dependency be installed on the computer that runs the SMS Provider to enable you to use operating system deployment task functions by using the Configuration Manager console: For Configuration Manager with no service pack: Automated Installation Kit (Windows AIK) For Configuration Manager SP1: Windows Assessment and Deployment Kit (Windows ADK)

For Configuration Manager with no service pack, the Windows AIK installs as a component of the SMS Provider. For Configuration Manager with SP1, you must manually install the Windows ADK on a computer before you can install the SMS Provider. When you manage operating system deployments, the Windows AIK or Windows ADK allows the SMS Provider to complete various tasks, which include the following: View WIM file details Add driver files to existing boot images
450

Create boot .ISO files

The Windows AIK or Windows ADK installation can require up to 650 MB of free disk space on each computer that installs the SMS Provider. This high disk space requirement is necessary for Configuration Manager to install the Windows PE boot images. Note In Configuration Manager SP1, the Windows ADK replaces the Windows AIK. For more information, see Prerequisites For Deploying Operating Systems in Configuration Manager topic in the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide.

Planning for Custom Websites with Configuration Manager

Configuration Manager site system roles that require Microsoft Internet Information Services (IIS) also require a website to host the site system services. By default, site systems use the IIS website named Default Web Site on a site system server. However, you can use a custom website that has the name of SMSWEB. This option might be appropriate if you must run other web applications on the same server and their settings are either incompatible with Configuration Manager, or you want the additional resilience of using a separate website. In this scenario, these other applications continue to use the default IIS website, and Configuration Manager operations use the custom website. Important When you run other applications on a Configuration Manager site system, you increase the attack surface on that site system. As a security best practice, dedicate a server for the Configuration Manager site systems that require IIS. You can use custom websites on all primary sites. When you use a custom website at a site, all client communications within the site are directed to use the custom website named SMSWEB on each site system instead of the default website on IIS. Additionally, site system roles that use IIS but do not accept client connections, such as the reporting services point, also use the SMSWEB website instead of the default website. For more information about which site systems require IIS, see Supported Configurations for Configuration Manager. Before you configure a Configuration Manager site to use a custom website, you must manually create the custom website in IIS on each site system server that requires Internet Information Services (IIS) at that site. Because secondary sites are automatically configured to use a custom website when you enable this option on the parent site, you must also create a custom website in IIS on each secondary site system server that requires IIS. If you enable custom websites for one site, consider using custom websites for all sites in your hierarchy to ensure that clients can successfully roam within the hierarchy. Note

451

When you select or clear the check box to use a custom website for a site, the following site system roles that are installed on each site system server in the site are automatically uninstall and reinstalled: Management point Distribution point Software update point Fallback status point State migration point

Site System Roles That Can Use Custom Websites

The following Configuration Manager site system roles require IIS and use the default or custom website on the site system server: Application Catalog web service point Application Catalog website point Distribution point Enrollment point Enrollment proxy point Fallback status point Management point Software update point State migration point

Custom Website Ports

When you create a custom website, you must assign port numbers to the custom website that differ from the port numbers that the default website uses. The default website and the custom website cannot run at the same time if both sites are configured to use the same TCP/IP ports. After the site system roles are reinstalled, verify that the TCP/IP ports configured in IIS for the custom website match the client request ports for the site. For information about how to configure ports for client communication, see How to Configure Client Communication Port Numbers in Configuration Manager.

Switching Between Default Websites and Custom Websites

Although you can select or clear the check box to use a custom website at any time, if possible, configure this option as soon as the site is installed to minimize any disruptions to service continuity. When you make this site configuration change, plan for the site system roles that are automatically uninstalled and reinstalled with the new website and port configuration. You must also plan to manually uninstall and reinstall any site system roles that are not automatically reinstalled to use the new website and port configuration.

452

When you change from using the default website to use a custom website, Configuration Manager does not automatically remove the old virtual directories. If you want to remove the files that Configuration Manager used, you must manually delete the virtual directories that were created under the default website. If you change the site option to use a custom website, clients that are assigned to the site must be configured to use the client request port that matches the new website port. For information about how to configure ports for client communication, see How to Configure Client Communication Port Numbers in Configuration Manager.

How to Create the Custom Website in Internet Information Services (IIS)

To use a custom website for a site, you must perform the following actions before you enable the option to use a custom website in Configuration Manager: Create the custom web site in IIS for each site system server that requires IIS in the primary site and any child secondary sites. Name the custom website SMSWEB. Configure the custom website to respond to the same port that you configure for Configuration Manager client communication. Important When you change from using the default website and use a custom website, Configuration Manager adds the client request ports that are configured on the default website to the custom website. Configuration Manager does not remove these ports from the default website, and the ports are listed for both the default and custom website. IIS cannot start both websites when they are configured to operate on the same TCP/IP ports, and clients cannot contact the management point. Use the information in the following procedures to help you configure the custom websites in IIS. Note The following procedures are for Internet Information Services (IIS) 7.0 on Windows Server 2008 R2. If you cannot use these procedures because your server has a different operating system version, refer to the IIS documentation for your operating system version. To create a custom website in Internet Information Services (IIS) 1. On the computer that runs the Configuration Manager site system, click Start, click Administrative Tools, and then click Internet Information Services (IIS) Manager. 2. In the Internet Information Services (IIS) Manager console, in the Connections pane, right-click the Sites node to select Add Web Site. 3. In the Add Web Site dialog box, enter SMSWEB in the Site name box. Important
453

SMSWEB is the required name for Configuration Manager custom websites. 4. In the Physical path box, specify the physical path to use for the website folder. 5. Specify the protocol and custom port for this website. After you create the website, you can edit it to add additional website bindings for additional protocols. When you configure the HTTPS protocol, you must specify a SSL certificate before you can save the configuration.

6. Click OK to create the custom website. Remove the custom website ports from the default website in Internet Information Services (IIS) 1. In the Internet Information Services (IIS) Manager, edit the Bindings of the IIS website that has the duplicate ports (Default Web Site). Remove the ports that match the ports that are assigned to the custom website ( SMSWEB). 2. Start the website (SMSWEB). 3. Restart the SMS_SITE_COMPONENT_MANAGER service on the site server.

See Also
Planning for Configuration Manager Sites and Hierarchy

Planning for Cloud Services in Configuration Manager

Note The information in this topic applies only to System Center 2012 Configuration Manager SP1. With System Center 2012 Configuration Manager SP1, you can use cloud services to help you manage resources and to reduce the number of remote distribution points that you deploy in a hierarchy. Use the information in the following sections to help you plan for using a cloud-based infrastructure, such as site system roles by using Windows Azure.

About Cloud Services for Site System Roles

With Configuration Manager SP1, you can use a cloud service in Windows Azure to host the following site system roles: Distribution point - For information about how to use cloud-based distribution points, see the Planning for Cloud-Based Distribution Points section in the Planning for Content Management in Configuration Manager topic.
454

Site system roles that Windows Azure hosts are named site system cloud services. These cloud services are in contrast to site system servers, which refer to on-premises computers that you manage in your network environment. Before you can use a cloud service to host a site system role, you must have a subscription to Windows Azure, and configure Windows Azure to support the site system roles. To use Windows Azure for site system roles, you must obtain a management certificate that you upload to Windows Azure. The management certificate enables Configuration Manager to communicate with the cloud service. For additional requirements, see the planning topic that is specific to the site system role that you install as a cloud service. When you use a cloud service to host a site system role, you do not have to plan for the hardware that the site system role is installed on. The cloud service in Windows Azure replaces the hardware. For example, for a distribution point, you define the amount of storage that you want the distribution point to use, and specify when Configuration Manager generates alerts that are based on data transfer thresholds. You also specify the Windows Azure region that each cloudbased distribution point serves. For example, you might deploy one cloud-based distribution point to the North America region, and a second distribution point to Asia. Typically, the primary concern for a site system role that is installed as a cloud service is cost management for the Windows Azure account that hosts the cloud service. Therefore, plan to monitor each cloud service that you use for ongoing costs that are associated with the storage of data in the cloud, and for data transfers from site system cloud services that you use with Configuration Manager. For more information, see Costs of Using a Cloud Service with Configuration Manager, and review the details for your Windows Azure subscription.

Costs of Using a Cloud Service with Configuration Manager

When you use a cloud service, plan for the cost of data storage and transfers that Configuration Manager clients perform. System Center 2012 Configuration Manager does not control charges for using a cloud service, nor does Configuration Manager add additional costs to access a cloud service. Instead, your Windows Azure account and subscription details, and the volume of data that you store and allow clients to download determine all costs. For more information about Windows Azure, see Windows Azure in the MSDN Library.

Security and Cloud Services with Configuration Manager

Configuration Manager uses certificates to provision and access your content in Windows Azure, and to manage the services that you use. Configuration Manager encrypts the data that you store in Windows Azure, but does not introduce additional security or data controls beyond those that Windows Azure provides. For more information about Windows Azure security, see the documentation for Windows Azure.
455

The following topics on the TechNet website can help you understand security in Windows Azure: Windows Azure: Understanding Security Account Management in Windows Azure Windows Azure Security Overview Get Past the Security Crossroads in Your Cloud Migration Data Security in Azure Part 1 of 2

See Also
Planning for Configuration Manager Sites and Hierarchy

Planning for Content Management in Configuration Manager

Content management in System Center 2012 Configuration Manager provides the tools for you to manage content files for applications, packages, software updates, and operating system deployment. Configuration Manager uses distribution points to store files required for software to run on client computers. These distribution points function as distribution centers for the content files and let users download and run the software. Clients must have access to at least one distribution point from which they can download the files. Use the following sections in this topic to help you plan how to manage content in your Configuration Manager hierarchy: Plan for Distribution Points Distribution Point Configurations Planning for Preferred Distribution Points and Fallback Content Source Location Network Connection Speed to the Content Source Location On-Demand Content Distribution Content Source Location Scenarios

Planning for BranchCache Support Network Bandwidth Considerations for Distribution Points Planning for Scheduling and Throttling Determine Whether To Prestage Content

Planning for Cloud-Based Distribution Points Prerequisites for Cloud-Based Distribution Points Plan for the Cost of using Cloud-Based Distribution About Subscriptions and Certificates for Cloud-Based Distribution Points Site Server to Cloud-Based Distribution Point Communication Client to Cloud-Based Distribution Point Communication
456

Determine the Distribution Point Infrastructure

Plan for Distribution Point Groups Plan for Content Libraries Note For information about the dependencies and supported configurations for content management, see Prerequisites for Content Management in Configuration Manager.

Plan for Distribution Points

When you plan for distribution points in your hierarchy, determine what distribution point attributes you must have in your environment, how to distribute the network and system load on the distribution point, and determine the distribution point infrastructure.

Distribution Point Configurations

Distribution points can have a number of different configurations. The following table describes the possible configurations.
Distribution point configuration Descriptions

Preferred distribution point

You assign boundary groups to distribution points. The distribution points are preferred for clients that are within the boundary group for the distribution point, and the client uses preferred distribution points as the source location for content. When the content is not available on a preferred distribution point, the client uses another distribution point for the content source location. You can configure a distribution point to let clients not in the boundary groups use it as a fallback location for content. Enable the PXE option on a distribution point to enable operating system deployment for Configuration Manager clients. The PXE option must be configured to respond to PXE boot requests that Configuration Manager clients on the network make and then interact with the Configuration Manager infrastructure to determine the appropriate installation actions to take. Important
457

PXE

Distribution point configuration

Descriptions

You can enable PXE only on a server that has Windows Deployment Services installed. When you enable PXE, Configuration Manager installs Windows Deployment Services on the distribution point site system if it is not already installed. Multicast Enable the multicast option on a distribution point to use multicast when you distribute operating systems. Important You can enable multicast only on a server that has Windows Deployment Services installed. When you enable multicast, Configuration Manager installs Windows Deployment Services on the distribution point site system if it is not already installed. Pull For Configuration Manager SP1 only: Enable the pull-distribution point option on a distribution point to change the behavior of how that computer obtains the content that you distribute to the distribution point. When you configure a distribution point to be a pulldistribution point, you must specify one or more source distribution points from which the pulldistribution point obtains the content. Important Although a pull-distribution point supports communications over HTTP and HTTPS, source distribution points must be configured for HTTP. You cannot specify a source distribution point that is configured for HTTPS. Support for mobile devices You must configure the distribution point to accept HTTPS communications to support mobile devices. You must configure the distribution point to
458

Support for Internet-based clients

Distribution point configuration

Descriptions

accept HTTPS communications to support Internet-based clients. Application Virtualization Although there are no configuration requirements for the distribution point to enable streaming of virtual applications to clients, there are application management prerequisites that you must consider. For more information, see Prerequisites for Application Management in Configuration Manager.

Planning for Preferred Distribution Points and Fallback

When you create a distribution point, you have the option to assign boundary groups to the distribution point. The distribution points are preferred for clients that are within a boundary group that is assigned to the distribution point.

Content Source Location

When you deploy software to a client, the client sends a content request to a management point, the management point sends a list of the preferred distribution points to the client, and the client uses one of the preferred distribution points on the list as the source location for content. When the content is not available on a preferred distribution point, the management point sends a list to the client with distribution points that have the content available. The client uses one of the distribution points for the content source location. In the distribution point properties and in the properties for a deployment type or package, you can configure whether to enable clients to use a fallback source location for content. When a preferred distribution point does not have the content and the fallback settings are not enabled, the client fails to download the content, and the software deployment fails.

Network Connection Speed to the Content Source Location

You can configure the network connection speed of each distribution point in an assigned boundary group. Clients use this value when they connect to the distribution point. By default, the network connection speed is configured as Fast, but it can also be configured as Slow. When the client uses a distribution point that is not preferred, the connection to the distribution point is automatically considered as slow. The network connection speed helps determine whether a client can download content from a distribution point. You can configure the deployment behavior for each network connection speed in the deployment properties for the specific software that you are deploying. You can choose to never install software when the network connection is considered slow, download and install the software, and so on.

459

On-Demand Content Distribution

You can select the Distribute the content for this package to preferred distribution points property for an application or package to enable on-demand content distribution to preferred distribution points. When enabled, the management point creates a trigger for Distribution Manager to distribute the content to all preferred distribution points in the list when a client requests the content for the package and the content is not available on any preferred distribution points. Depending on the scenario, the client might wait for the content to be available on a preferred distribution point, or it might download the content from a distribution point that is configured to enable a fallback location for content source.

Content Source Location Scenarios

When you deploy software to clients, the content source location that the client uses depends on the following settings: Allow fallback source location for content: This distribution point property enables clients to fall back and use the distribution point as the source location for content when the content is not available on a preferred distribution point. Deployment properties for network connection speed: The deployment properties for network speed are configured as a property for deployed objects, such as application deployment types, software updates, and task sequence deployments. There are different settings for the different deployment objects, but the properties can configure whether to download and install the software content when the network connection speed is configured as slow. Distribute the content for this package to preferred distribution points : When you select this application deployment type or package property, you enable on-demand content distribution to preferred distribution points.

The following table provides scenarios for different content location and fallback scenarios.
Scenario: Scenario 1 Scenario 2 Scenario 3

Fallback configuration and deployment behavior for slow network:

Allow Fallback Not enabled

Allow Fallback Enabled

Deployment Fallback option: Enabled

Deployment behavior Deployment behavior for slow network for slow network Deployment behavior for slow network Any configuration Do not download content Download and install content The client sends a content request to the management point. The client includes a
460

Distribution points are online and meet the following criteria: Content is

The client sends a content request to the management point.

The client sends a content request to the management point. The client includes a

Scenario:

Scenario 1

Scenario 2

Scenario 3

available on a preferred distribution point. Content is available on a fallback distribution point. The package configuration for on-demand package distribution is not relevant in this scenario.

A content location list is returned to the client from the management point with the preferred distribution points that contain the content. The client downloads the content from a preferred distribution point on the list.

flag with the request that indicates fallback distribution points are allowed. A content location list is returned to the client from the management point with the preferred distribution points and fallback distribution points that contain the content. The client downloads the content from a preferred distribution point on the list.

flag with the request to indicate that fallback distribution points are allowed. A content location list is returned to the client from the management point with the preferred distribution points and fallback distribution points that contain the content. The client downloads the content from a preferred distribution point on the list. The client sends a content request to the management point. The client includes a flag with the request that indicates fallback distribution points are allowed. A content location list is returned to the client from the management point with the preferred distribution points and fallback distribution points that have the content. There are no preferred distribution points that have the content, but at least one fallback distribution point that
461

Distribution points are online and meet the following criteria: Content is not available on a preferred distribution point. Content is available on a fallback distribution point. The package is not configured for on-demand package distribution.

The client sends a content request to the management point.

The client sends a content request to the management point. The client includes a flag with the request A content location list that indicates fallback is returned to the client distribution points are from the management allowed. point with the preferred distribution points that have the A content location list content. There are no is returned to the client preferred distribution from the management points in the list. point with the preferred distribution points and fallback The client fails with the distribution points that message Content is have the content. not available and There are no preferred goes into retry mode. distribution points that A new content request have the content, but is started every hour. at least one fallback distribution point has

Scenario:

Scenario 1

Scenario 2

Scenario 3

the content. The content is not downloaded because the deployment property for when the client is using a fallback distribution point is set to Do not download. The client fails with the message Content is not available and goes into retry mode. The client makes a new content request every hour. Distribution points are online and meet the following criteria: Content is not available on a preferred distribution point. Content is available on a fallback distribution point. The package is configured for ondemand package distribution. The client sends a content request to the management point. The client sends a content request to the management point. The client includes a flag with the request A content location list that indicates fallback is returned to the client distribution points are from the management allowed. point with the preferred distribution points that have the A content location list content. There are no is returned to the client preferred distribution from the management points that have the point with the content. preferred distribution points and fallback distribution points that The client fails with the have the content. message Content is There are no preferred not available and distribution points that goes into retry mode. have the content, but A new content request at least one fallback is made every hour. distribution point that has the content.

has the content. The content is downloaded from a fallback distribution point on the list because the deployment property for when the client is using a fallback distribution point is set to Download and install the content.

The client sends a content request to the management point. The client includes a flag with the request that indicates fallback distribution points are allowed. A content location list is returned to the client from the management point with the preferred distribution points and fallback distribution points that have the content. There are no preferred distribution points that have the content, but at least one fallback distribution point that has the content.
462

Scenario:

Scenario 1

Scenario 2

Scenario 3

The management point creates a trigger for Distribution Manager to distribute the content to all preferred distribution points for the client that made the content request. Distribution Manager distributes the content to all preferred distribution points.

A content request is initiated by the client to the management point The management point creates a trigger every hour. for Distribution Manager to distribute A content location list the content to all is returned to the client preferred distribution from the management points for the client point with the that made the content preferred distribution request. points that have the content (in most cases Distribution Manager the content is distributes the content distributed to the to all preferred preferred distribution points within the hour). distribution points. The client downloads the content from a preferred distribution point on the list.

The content is not downloaded because the deployment property for when the client is using a fallback distribution point is set to Do not download. The client fails with the message Content is not available and goes into retry mode. The client makes a new content request every hour.

The content is downloaded from a fallback distribution point on the list because the deployment property for when the client is using a fallback distribution point is set to Download and install the content. The management point creates a trigger for Distribution Manager to distribute the content to all preferred distribution points for the client that made the content request. Distribution Manager distributes the content to all preferred distribution points.

A content request is initiated by the client to the management point. A content location list is returned to the client from the management
463

Scenario:

Scenario 1

Scenario 2

Scenario 3

point with the preferred distribution points that have the content (typically the content is distributed to the preferred distribution points within the hour). The client downloads the content from a preferred distribution point on the list.

Planning for BranchCache Support

Windows BranchCache has been integrated in Configuration Manager. You can configure the BranchCache settings on software deployments. When all the requirements for BranchCache are met, this feature enables clients at remote locations to obtain content from local clients that have a current cache of the content. For example, when the first BranchCache-enabled client computer requests content from a distribution point that is running Windows Server 2008 R2 and that has also been configured as a BranchCache server, the client computer downloads the content and caches it. This content is then made available for clients on the same subnet that request this same content, and these clients also cache the content. In this way, subsequent clients on the same subnet do not have to download content from the distribution point, and the content is distributed across multiple clients for future transfers. For more information about BranchCache support in Configuration Manager, see the BranchCache Feature Support section in the Supported Configurations for Configuration Manager topic.

Network Bandwidth Considerations for Distribution Points

To help you plan for the distribution point infrastructure in your hierarchy, consider the network bandwidth used for the content management process and what you can do to reduce the network bandwidth that is used. When you create a package, change the source path for the content, or update content on the distribution point, the files are copied from the source path to the content library on the site server. Then, the content is copied from the content library on the site server to the content library on the distribution points. When content source files are updated, and the source files have already been distributed, Configuration Manager retrieves only the new or updated files, and then sends them to the distribution point. Scheduling and throttling controls can be configured for siteto-site communication and for communication between a site server and a remote distribution
464

point. When network bandwidth between the site server and remote distribution point is limited even after you configure the schedule and throttling settings, you might consider prestaging the content on the distribution point.

Planning for Scheduling and Throttling

In Configuration Manager, you can configure a schedule and set specific throttling settings on remote distribution points that determine when and how content distribution is performed. Each remote distribution point can have different configurations that help address network bandwidth limitations from the site server to the remote distribution point. The controls used for scheduling and throttling to the remote distribution point are similar to the settings for a standard sender address, but in this case, the settings are used by a new component called Package Transfer Manager. Package Transfer Manager distributes content from a site server (primary site or secondary site) to a distribution point that is installed on a site system. The throttling settings are configured on the Rate Limits tab, and the scheduling settings are configured on the Schedule tab for a distribution point that is not on a site server. Warning The Rate Limits and Schedule tabs are displayed only in the properties for distribution points that are not installed on a site server. For more information about configuring scheduling and throttling settings for a remote distribution point, see the Modify the Distribution Point Configuration Settings section in the Configuring Content Management in Configuration Manager topic.

Determine Whether To Prestage Content

Consider prestaging content for applications and packages in the following scenarios: Limited network bandwidth from the site server to distribution point : When scheduling and throttling do not satisfy your concerns about distributing content over the network to a remote distribution point, consider prestaging the content on the distribution point. Each distribution point has the Enable this distribution point for prestaged content setting that you can configure in the distribution point properties. When you enable this option, the distribution point is identified as a prestaged distribution point, and you can choose how to manage the content on a per-package basis. The following settings are available in the properties for an application, package, driver package, boot image, operating system installer, and image, and let you configure how content distribution is managed on remote distribution points that are identified as prestaged: Automatically download content when packages are assigned to distribution points: Use this option when you have smaller packages where the scheduling and throttling settings provide enough control for content distribution. Download only content changes to the distribution point : Use this option when you have an initial package that is possibly large, but you expect future updates to the content in the package to be generally smaller. For example, you might prestage Microsoft Office 2010 because the initial package size is over 700 MB and too large to send over the network. However, content updates to this package might be less than 10 MB and
465

acceptable to distribute over the network. Another example might be driver packages where the initial package size is large, but incremental driver additions to the package might be small. Manually copy the content in this package to the distribution point : Use this option for when you have large packages, with content such as an operating system, and never want to use the network to distribute the content to the distribution point. When you select this option, you must prestage the content on the distribution point. Warning The preceding options are applicable on a per-package basis and are only used when a distribution point is identified as prestaged. Distribution points that have not been identified as prestaged ignore these settings, and content always is distributed over the network from the site server to the distribution points. Restore the content library on a site server: When a site server fails, information about packages and applications contained in the content library is restored to the site database as part of the restore process, but the content library files are not restored as part of the process. If you do not have a file system backup to restore the content library, you can create a prestaged content file from another site that contains the packages and applications that you have to have, and then extract the prestaged content file on the recovered site server. For more information about site server backup and recovery, see the Planning for Backup and Recovery section in the Planning for Site Operations in Configuration Manager topic.

For more information about prestaging content files, see the Prestage Content section in the Operations and Maintenance for Content Management in Configuration Manager topic.

Planning for Pull-Distribution Points

With Configuration Manager SP1, you can configure a distribution point that is not on a site server to be a pull-distribution point. When you deploy content to a large number of distribution points at a site, pull-distribution points can help reduce the processing load on the site server and can help to speed the transfer of the content to each distribution point. This is accomplished by offloading the process of transferring the content to each distribution point from the distribution manager process on the site server. Instead, each pull-distribution point individually manages the transfer of content, downloading content from another distribution point that already has a copy of the content. A pull-distribution point can only obtain content from a distribution point that is specified as a source distribution point. Pull-distribution points support the same configurations and functionality as typical Configuration Manager distribution points. For example, a distribution point that is configured as a pulldistribution point supports using multi-cast and PXE configurations, content validation, transfer schedules, and on-demand content distribution. A pull-distribution point supports HTTP or HTTPS, supports the same certificates options as other distribution points, and can be managed individually or as a member of a distribution point group. However, the following configurations are exceptions to support for the pull-distribution point: A cloud-based distribution point cannot be configured as a pull-distribution point, and cannot be used as a source distribution point.
466

A distribution point on a site server cannot be configured as a pull-distribution point. The prestage content configuration for a distribution point overrides the pull-distribution point configuration. A pull-distribution point that is configured for prestaged content does not pull content from source distribution point and does not receive content from the site server. A distribution point configured as a pull-distribution point does not use configurations for rate limits when transferring content. If you configure a previously installed distribution point to be a pull-distribution point, configurations for rate limits are saved, but not used. If at a later time you remove the pull-distribution point configuration, the rate limit configurations are implemented as previously configured. To transfer content from a source distribution point in a remote forest, the computer that hosts the pull-distribution point must have a Configuration Manager client installed, and a Network Access Account that can access the source distribution point must be configured for use.

You can configure a pull-distribution point when you install the distribution point or after it has installed by editing the properties of the distribution point site system role. A distribution point that you will configure as a pull-distribution point can support communication by HTTP or HTTPS. When you configure the pull-distribution point you must specify one or more source distribution points and only distribution points that qualify to be source distribution points are displayed. Only distribution points that support HTTP can be specified as a source distribution points. A pulldistribution point that supports HTTP can be specified as a source distribution point for another pull-distribution point. When you distribute content to the pull-distribution point, Configuration Manager notifies the distribution point about the content but does not transfer the content to the distribution point computer. Instead, after the pull-distribution point is notified, it attempts to download the content from the first source distribution point on its list of source distribution points. If the content is not available, the pull-distribution point attempts to download the content from the next distribution point on the list, continuing until either the content is successfully downloaded or the content is not accessed from any source distribution point. If the content cannot be downloaded from any source distribution point, the pull-distribution point sleeps for 30 minutes and then begins the process again. To manage the transfer of content, pull-distribution points use the CCMFramework component of the Configuration Manager client software. This framework is installed by the Pulldp.msi when you configure the distribution point to be a pull-distribution point and does not require that the Configuration Manager client be installed. After the pull-distribution point installs, the CCMExec service on the distribution point computer must be operational for the pull-distribution point to function. When the pull-distribution point transfers content, it logs its operation in the datatransferservice.log and the pulldp.log on the distribution point computer. By default, a pull-distribution point uses its computer account to transfer content from a source distribution point. However, when the pull-distribution point transfers content from a source distribution point that is in a remote forest, the pull-distribution point always uses the Network Access Account. This requires that the computer have the Configuration Manager client installed and that a Network Access Account is configured for use and has access to the source distribution point. For information about the Network Access Account, see the Network Access
467

Account section in the Technical Reference for Accounts Used in Configuration Manager topic. For information about configuring the Network Access Account, see Configure the Network Access Account in the Configuring Content Management in Configuration Manager topic. Note Because the pull-distribution point requires the CCMFramework from Configuration Manager SP1, computers that run client software from Configuration Manager with no service pack cannot be configured as pull-distribution points. You can remove the configuration to be a pull-distribution point by editing the properties of the distribution point. When you remove the pull-distribution point configuration, the distribution point returns to normal operation and future content transfers to the distribution point are managed by the site server. In the Configuration Manager console, there is nothing that identified the distribution point as a pull-distribution point. You must review the properties of the distribution point to identify if it is configured as a pull-distribution point.

Planning for Cloud-Based Distribution Points

With Configuration Manager SP1, you can use a cloud service in Windows Azure to host a distribution point. When you use a cloud-based distribution, you configure client settings to enable users and devices to access the content, and specify a primary site to manage the transfer of content to the distribution point. Additionally, you specify thresholds for the amount of content you want to store on the distribution point and the amount of content you want to allow clients to transfer from the distribution point. Based on these thresholds, Configuration Manager can raise alerts that warn you when the combined amount of content you have stored on the distribution point is near the specified storage amount, or when transfers of data by clients are close to the thresholds that you defined. Cloud-based distribution points support the following features that are also supported with onpremises distribution points: You manage cloud-based distribution points individually, or as members of distribution point groups. You can use a cloud-based distribution point for fallback content location. Support for both intranet and Internet-based clients. Content that is sent to the cloud-based distribution point is encrypted by Configuration Manager before sending to Windows Azure. In Windows Azure, you can manually scale the cloud service to meet changing demands for content request by clients, without the requirement to install and provision additional distribution points. The cloud-based distribution point supports the download of content by clients that are configured for Windows BranchCache.

A cloud-based distribution point provides the following additional benefits:

The following are limitations of cloud-based distribution points:

468

You cannot use a cloud-based distribution point for PXE or multi-cast enabled deployments. Additionally, clients are not offered a cloud-based distribution point as a content location for a task sequence that is configured for download on demand. Cloud-based distribution points do not support packages that run from the distribution point. All content must be downloaded by the client, and then run locally. No support to stream applications by using Application Virtualization or similar programs. No support for prestaged content. The distribution manager of the primary site that manages the distribution point transfers all content to the distribution point. Cloud-based distribution points cannot be configured as pull-distribution points.

Prerequisites for Cloud-Based Distribution Points

The following are prerequisites to use a cloud-based distribution point: A subscription to Windows Azure. A management certificate (self-signed or PKI) for communication from a Configuration Manager primary site server to the cloud service in Windows Azure. A service certificate (PKI) that Configuration Manager clients use to connect to cloud-based distribution points and download content from them by using HTTPS. Before a device or user can access content from a cloud-based distribution point, they must receive the client setting for Cloud Services of Allow access to cloud distribution points set to Yes. By default, this value is set to No. Clients must be able to resolve the name of the cloud service, which requires a DNS alias (CNAME record) in your DNS namespace. Clients must be able to access the Internet to use the cloud-based distribution point.

Plan for the Cost of using Cloud-Based Distribution

To help control costs associated with data transfers to and from a cloud-based distribution point, Configuration Manager includes options to control and monitor data access. You can control and monitor the amount of content you store in a cloud service, and you can configure Configuration Manager to alert you when thresholds for client downloads meet or exceed monthly limits. Use these alerts to proactively manage data charges when you use a cloud-based distribution point. For more information, see the section Controlling the Cost of Cloud-Based Distribution Points in the topic Manage Cloud Services for Configuration Manager.

About Subscriptions and Certificates for Cloud-Based Distribution Points

Cloud-based distribution points require certificates to enable Configuration Manager to manage the cloud service that hosts the distribution point, and for clients to access content from the distribution point. The following table provides overview information about these certificates. For more detailed information, see PKI Certificate Requirements for Configuration Manager.

469

Certificate

Details

Management certificate for site server to distribution point communication

The management certificate establishes trust between the Windows Azure management API and Configuration Manager. This authentication allows Configuration Manager to call on the Windows Azure API when you perform tasks such as deploying content or starting and stopping the cloud service. Windows Azure allows customers to create their own management certificates, which can be either a self-signed certificate or a certificate issued by a certification authority (CA): Provide the .cer file of the management certificate to Windows Azure when you configure Windows Azure for Configuration Manager. The .cer file contains the public key for the management certificate and you must upload this certificate to Windows Azure before you install a cloud-based distribution point. This certificate enables Configuration Manager to access the Windows Azure API. Provide the .pfx file of the management certificate to Configuration Manager when you install the cloud-based distribution point. The .pfx file contains the private key for the management certificate. Configuration Manager stores this certificate in the site database. Because the .pfx file contains the private key, you must provide the password to import this certificate file into the Configuration Manager database.

If you create a self-signed certificate, you must first export the certificate as a .cer file, and then export it again as a .pfx file. For more information, see How to Create a Management Certificate and How to Add a Management Certificate to a Windows Azure Subscription in the Windows Azure Platform section of the MSDN Library. Service certificate for client communication to The Configuration Manager cloud-based distribution point service certificate establishes
470

Certificate

Details

the distribution point

trust between the Configuration Manager clients and the cloud-based distribution point and secures the data that clients download from it by using SSL over HTTPS. For an example deployment of this certificate, see the Deploying the Service Certificate for Cloud-Based Distribution Points section in the Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority topic.

Site Server to Cloud-Based Distribution Point Communication

When you install a cloud-based distribution point, you must assign one primary site to manage the transfer of content to the cloud service. This is equivalent to installing the distribution point site system role to a specific site.

Client to Cloud-Based Distribution Point Communication

When a device or user of a device is configured with the client setting that enables the use of a cloud distribution point, they can receive the cloud-based distribution point as a valid content location. A cloud-based distribution point is considered a remote distribution point when a client evaluates available content locations. Clients on the intranet only use cloud-based distribution points as a fallback option if on-premises distribution points are not available. Clients that can use cloud-based distribution points use the following sequence when they perform a content location request: 1. A client that is configured to use cloud distribution points always attempts to obtain content from a preferred distribution point first. For information about preferred distribution points, see the Preferred Distribution Points section in the Introduction to Content Management in Configuration Manager topic. 2. When a preferred distribution point is not available, the client will use a remote distribution point, if the deployment supports this option and a remote distribution point is available. 3. When a preferred distribution point or remote distribution point is not available, the client can then fall back to obtain the content from a cloud-based distribution point. Note Clients on the Internet that receive both an Internet-based distribution point and a cloud-based distribution point as content locations for a deployment, only attempt to retrieve content from the Internet-based distribution point. If the client on the Internet fails to retrieve content from the Internet-based distribution point, the client does not then attempt to access the cloud-based distribution point.
471

When a client uses a cloud-based distribution point as a content location, the client authenticates itself to the cloud-based distribution point by using a Configuration Manager access token. If the client trusts the Configuration Manager cloud-based distribution point certificate, the client can then download the requested content.

Determine the Distribution Point Infrastructure

At least one distribution point is required at each site in the Configuration Manager hierarchy. By default, a primary site server is configured as a distribution point. However, assign this role to a remote site system and remove it from the site server if possible. This role assignment reduces the resource requirements and improves performance on the site server, and also assists in load balancing. The distribution point site system role is automatically configured on the secondary site server when it is installed. However, the distribution point site system role is not required at secondary sites. Clients connect to distribution points at the parent primary site if one is not available at the secondary site. As you configure your distribution points with assigned boundary groups, consider the physical location and network connection speed between the distribution point and site server Consider the following to help you determine the appropriate number of distribution points to install at a site: The number of clients that might access the distribution point The configuration of the distribution point, such as PXE and multicast The network bandwidth that is available between clients and distribution points The size of the content that clients retrieve from the distribution point The setting for BranchCache, when enabled, lets clients at remote locations obtain content from local clients.

For more information about creating and configuring distribution points, see the Install and Configure the Distribution Point section in the Configuring Content Management in Configuration Manager topic.

Plan for Distribution Point Groups

Distribution point groups provide a logical grouping of distribution points for content distribution. When you distribute content to a distribution point group, all distribution points that are members of the distribution point group receive the content. If you add a distribution point to the distribution point group after an initial content distribution, the content automatically distributes to the new distribution point member. You can add one or more distribution points from any site in the Configuration Manager hierarchy to the distribution point group. You can also add the distribution point to more than one distribution point group, to manage and monitor content from a central location for distribution points that span multiple sites. You can also add a collection to distribution point groups, which creates an association, and then distribute content to the collection. When you distribute content to a collection, the content is assigned to all distribution point groups that are associated with the collection. The content is
472

then distributed to all distribution points that are members of those distribution point groups. There are no restrictions on the number of distribution point groups that can be associated with a collection or the number of collections that can be associated with a distribution point group. If you add a collection to a distribution point group, the distribution point group does not automatically receive content previously distributed to the associated collection. However, the distribution point group receives all new content that is distributed to the collection. Note After you distribute content to a collection, and then associate the collection to a new distribution point group, you must redistribute the content to the collection before the content is distributed to the new distribution point group. For more information about creating and configuring distribution point groups, see the Create and Configure Distribution Point Groups section in the Configuring Content Management in Configuration Manager topic.

Plan for Content Libraries

When you create or deploy content in System Center 2012 Configuration Manager, Configuration Manager creates a content library on the site server that manages the content (such as on the site server of the site where you create the content), and on each distribution point. The content library stores all content files for software updates, applications, operating system deployment, and so on. When planning for content management, ensure there is enough free disk space for use by the content library on each distribution point you deploy, and on each site server that will manage content that you create or that you migrate from another Configuration Manager site. For information about the content library, see the Content Library section in the Introduction to Content Management in Configuration Manager topic. Important For Configuration Manager SP1 only: To move the content library to a different location on a distribution point after the installation, use the Content Library Transfer Tool in the System Center 2012 Configuration Manager Service Pack 1 Toolkit. You can download the toolkit from the Microsoft Download Center.

Supplemental Planning Topics for Content Management

Use the following topics to help you plan for content management in Configuration Manager: Prerequisites for Content Management in Configuration Manager Best Practices for Content Management in Configuration Manager

473

See Also
Planning for Configuration Manager Sites and Hierarchy

Planning for Boundaries and Boundary Groups in Configuration Manager

In System Center 2012 Configuration Manager, a boundary is a network location on the intranet that can contain one or more devices that you want to manage. Boundaries can be an IP subnet, Active Directory site name, IPv6 Prefix, or an IP address range, and the hierarchy can include any combination of these boundary types. To use a boundary, you must add the boundary to one or more boundary groups. Boundary groups are collections of boundaries. By using boundary groups, clients on the intranet can find an assigned site and locate content when they have to install software, such as applications, software updates, and operating system images. When clients are on the Internet, or they are configured as Internet-only clients, they do not use boundary information. These clients cannot use automatic site assignment and always download content from any distribution point in their assigned site when the distribution point is configured to allow client connections from the Internet.

Whats New in Configuration Manager

Note The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide. The following items are new or have changed for boundaries since Configuration Manager 2007: Boundaries are no longer site specific, but defined once for the hierarchy, and they are available at all sites in the hierarchy. Each boundary must be a member of a boundary group before a device on that boundary can identify an assigned site, or a content server such as a distribution point. You no longer configure the network connection speed of each boundary. Instead, in a boundary group you specify the network connection speed for each site system server associated to the boundary group as a content location server.

Boundaries
Each boundary represents a network location in System Center 2012 Configuration Manager, and it is available from every site in your hierarchy. A boundary does not enable you to manage clients at the network location. To manage a client, the boundary must be a member of a boundary group.

474

Configuration Manager does not support the direct entry of a supernet as a boundary. Instead, use the IP address range boundary type. When Active Directory Forest Discovery identifies a supernet that is assigned to an Active Directory site, Configuration Manager converts the supernet into an IP address range boundary. For more information about Active Directory Forest Discovery, see the About Active Directory Forest Discovery section in the Planning for Discovery in Configuration Manager topic.

Boundary Groups
Use boundary groups to manage your network locations. You must assign boundaries to boundary groups before you can use the boundary group. Boundary groups have the following functions: They enable clients to find a primary site for client assignment (automatic site assignment). They can provide clients with a list of available site systems that have content after you associate the distribution point and state migration point site system servers with the boundary group.

To support site assignment, you must configure the boundary group to specify an assigned site for clients to use during automatic site assignment. To support content location, you must specify one or more site systems. You can only specify site systems with the distribution point or state migration point site system role. Both the site assignment and content location configurations are optional for boundary groups. When you plan for boundary groups, consider creating one set of boundary groups for content location and a second set of boundary groups for automatic site assignment. This separation can help you avoid overlapping boundaries for site assignment. When you have overlapping boundaries and use automatic site assignment, the site to which a client is assigned, might be to is nondeterministic. The following sections contain information to consider when you configure boundary groups.

Site Assignment
You can configure each boundary group with an assigned site for clients. Clients join the assigned site of a boundary group that contains the clients current network location. When a boundary is added to multiple boundary groups that have different assigned sites, clients will nondeterministically select one of the sites. System Center 2012 Configuration Manager does not support this overlapping boundary configuration for site assignment. If you make a change to the site assignment configuration of a boundary group, only new site assignment actions are affected. Clients that have previously been assigned to a site, do not reevaluate their site assignment based on changes to the configuration of a boundary group. For more information about client site assignment, see How to Assign Clients to a Site in Configuration Manager.

475

Content Location
You can associate one or more distribution points and one or more state migration points with each boundary group. You can also associate a distribution point or state migration point with multiple boundary groups. During software distribution, clients request a location for deployment content. Configuration Manager sends the client a list of distribution points that are associated with each boundary group that includes the current network location of the client. During operating system deployment, clients request a location to send or receive their state migration information. Configuration Manager sends the client a list of state migration points that are associated with each boundary group that includes the current network location of the client. This behavior enables the client to select the nearest server from which to transfer the content or state migration information.

Overlapping Boundaries
System Center 2012 Configuration Manager supports overlapping boundary configurations for content location. When a client requests content, and the client network location belongs to multiple boundary groups, Configuration Manager sends the client a list of all distribution points that have the content. When a client requests a server to send or receive its state migration information, and the client network location belongs to multiple boundary groups, Configuration Manager sends the client a list of all state migration points that are associated with a boundary group that includes the current network location of the client. This behavior enables the client to select the nearest server from which to transfer the content or state migration information.

Network Connection Speed

You can configure the network connection speed of each distribution point in a boundary group. Clients use this value when they connect to the distribution point. By default, the network connection speed is configured as Fast, but it can also be configured as Slow. The network connection speed and the deployment configuration determine whether a client can download content from a distribution point when the client is in an associated boundary group.

See Also
Planning for Configuration Manager Sites and Hierarchy

476

Planning for Security in Configuration Manager

Note This topic appears in the Site Administration for System Center 2012 Configuration Manager guide and in the Security and Privacy for System Center 2012 Configuration Manager guide. Use the following information to help you plan for security in Microsoft System Center 2012 Configuration Manager. Planning for Certificates (Self-Signed and PKI) Planning for PKI Certificate Revocation Planning for the PKI Trusted Root Certificates and the Certificate Issuers List Planning for PKI Client Certificate Selection Planning a Transition Strategy for PKI Certificates and Internet-Based Client Management

Planning for the Trusted Root Key Planning for Signing and Encryption Planning for Role-Based Administration

In addition to these sections, see Security and Privacy for Site Administration in Configuration Manager. For additional information about how Configuration Manager uses certificates and cryptographic controls, see Technical Reference for Cryptographic Controls Used in Configuration Manager.

Planning for Certificates (Self-Signed and PKI)

Configuration Manager uses a combination of self-signed certificates and public key infrastructure (PKI) certificates. As a security best practice, use PKI certificates whenever possible. For more information about the PKI certificate requirements, see PKI Certificate Requirements for Configuration Manager. When Configuration Manager requests the PKI certificates, such as during enrollment for mobile devices and AMT provisioning, you must use Active Directory Domain Services and an enterprise certification authority. For all other PKI certificates, you must deploy and manage them independently from Configuration Manager. PKI certificates are also required when client computers connect to Internet-based site systems, and they are recommended to be used when clients connect to site systems that run Internet Information Services (IIS). For more information about client communication, see Planning for Client Communication in Configuration Manager. When you use a PKI, you can also use IPsec to help secure the server-to-server communication between site systems in a site and between sites, and for any other scenario when you transfer
477

data between computers. You must configure and implement IPsec independently from Configuration Manager. Configuration Manager can automatically generate self-signed certificates when PKI certificates are not available, and some certificates in Configuration Manager are always self-signed. In most cases, Configuration Manager automatically manages the self-signed certificates, and you do not have to take additional action. One possible exception is the site server signing certificate. The site server signing certificate is always self-signed, and it ensures that the client policies that clients download from the management point were sent from the site server and were not tampered with.

Planning for the Site Server Signing Certificate (Self-Signed)

Clients can securely obtain a copy of the site server signing certificate from Active Directory Domain Services and from client push installation. If clients cannot obtain a copy of the site server signing certificate by using one of these mechanisms, as a security best practice, install a copy of the site server signing certificate when you install the client. This is especially important if the clients first communication with the site is from the Internet, because the management point is connected to an untrusted network and therefore, vulnerable to attack. If you do not take this additional step, clients automatically download a copy of the site server signing certificate from the management point. Scenarios when clients cannot securely obtain a copy of the site server certificate include the following: You do not install the client by using client push, and any of the following conditions is true: The Active Directory schema is not extended for Configuration Manager. The clients site is not published to Active Directory Domain Services. The client is from an untrusted forest or a workgroup.

You install the client when it is on the Internet.

Use the following procedure to install clients together with a copy of the site server signing certificate. To install clients with a copy of the site server signing certificate 1. Locate the site server signing certificate on the clients primary site server. The certificate is stored in the SMS certificate store and has the Subject name Site Server and the friendly name Site Server Signing Certificate. 2. Export the certificate without the private key, store the file securely, and only access it from a secured channel (for example, by using SMB signing or IPsec). 3. Install the client by using the Client.msi property SMSSIGNCERT= <Full path and file name> with CCMSetup.exe.

478

Planning for PKI Certificate Revocation

When you use PKI certificates with Configuration Manager, plan for how and whether clients and servers will use a certificate revocation list (CRL) to verify the certificate on the connecting computer. The certificate revocation list (CRL) is a file that is created and signed by a certification authority (CA) and contains a list of certificates that it has issued, but revoked. Certificates can be revoked by a CA administrator, for example, if an issued certificate is known or suspected to be compromised. Important Because the location of the CRL is added to a certificate when it is issued by a CA, ensure that you plan for the CRL before you deploy any PKI certificates that Configuration Manager will use. By default, IIS always checks the CRL for client certificates, and you cannot change this configuration in Configuration Manager. By default, Configuration Manager clients always check the CRL for site systems; however, you can disable this setting by specifying a site property and by specifying a CCMSetup property. When you manage Intel AMT-based computers out of band, you can also enable CRL checking for the out of band service point and for computers that run the Out of Band Management console. If computers use certificate revocation checking but they cannot locate the CRL, they behave as if all certificates in the certification chain are revoked because their absence from the list cannot be verified. In this scenario, all connections that require certificates and use a CRL fail. Checking the CRL every time that a certificate is used offers more security against using a certificate that has been revoked, but it introduces a connection delay and additional processing on the client. You are more likely to require this additional security check when clients are on the Internet or on an untrusted network. Consult your PKI administrators before you decide whether Configuration Manager clients must check the CRL, and then consider keeping this option enabled in Configuration Manager when both of the following conditions are true: Your PKI infrastructure supports a CRL, and it is published where all Configuration Manager clients can locate it. Remember that this might include clients on the Internet if you are using Internet-based client management, and clients in untrusted forests. The requirement to check the CRL for each connection to a site system configured to use a PKI certificate is larger than the requirement for faster connections and efficient processing on the client, and is also larger than the risk of clients failing to connect to servers if they cannot locate the CRL.

Planning for the PKI Trusted Root Certificates and the Certificate Issuers List
If your IIS site systems use PKI client certificates for client authentication over HTTP or for client authentication and encryption over HTTPS, you might have to import root CA certificates as a site property. The two scenarios are as follows:
479

You deploy operating systems by using Configuration Manager, and the management points only accept HTTPS client connections. You use PKI client certificates that do not chain to a root certification authority (CA) certificate that is trusted by management points. Note When you issue client PKI certificates from the same CA hierarchy that issues the server certificates that you use for management points, you do not have to specify this root CA certificate. However, if you use multiple CA hierarchies and you are not sure whether they trust each other, import the root CA for the clients CA hierarchy.

If you must import root CA certificates for Configuration Manager, export them from the issuing CA or from the client computer. If you export the certificate from the issuing CA that is also the root CA, ensure that the private key is not exported. Store the exported certificate file in a secured location to prevent tampering. You must be able to access the file when you configure the site, so that if you access the file over the network, ensure that the communication is protected from tampering by using SMB signing or IPsec. If any of the root CA certificates that you import are renewed, you must import the renewed certificates. These imported root CA certificates and the root CA certificate of each management point create the certificate issuers list that Configuration Manager computers use in the following ways: When clients connect to management points, the management point verifies that the client certificate chains to a trusted root certificate in the sites certificate issuers list. If it does not, the certificate is rejected, and the PKI connection fails. When clients select a PKI certificate, if they have a certificate issuers list, they select a certificate that chains to a trusted root certificate in the certificate issuers list. If there is no match, the client does not select a PKI certificate. For more information about the client certificate process, see the Planning for PKI Client Certificate Selection section in this topic.

Independently from the site configuration, you might also have to import a root CA certificate when you enroll mobile devices or Mac computers, and when you provision Intel AMT-based computers for wireless networks.

Planning for PKI Client Certificate Selection

If your IIS site systems will use PKI client certificates for client authentication over HTTP or for client authentication and encryption over HTTPS, plan for how clients will select the certificate to use for Configuration Manager. In many cases, the default configuration and behavior will be sufficient. The Configuration Manager client filters multiple certificates by using the following criteria: 1. The certificate issuers list: The certificate chains to a root CA that is trusted by the management point. 2. The certificate is in the default certificate store of Personal.

480

3. The certificate is valid, not revoked, and not expired. The validity check includes verifying that the private key is accessible and that the certificate is not created by using a version 3 certificate template, which is not compatible with Configuration Manager. 4. The certificate has client authentication capability, or it is issued to the computer name. 5. The certificate has the longest validity period. Clients can be configured to use the certificate issuers list by using the following mechanisms: Is it published as Configuration Manager site information to Active Directory Domain Services. Clients are installed by using client push. Clients download it from the management point after they are successfully assigned to their site. It is specified during client installation, as a CCMSetup client.msi property of CCMCERTISSUERS.

If clients do not have the certificate issuers list when they are first installed and are not yet assigned to the site, they skip this check. When they do have the certificate issuers list and do not have a PKI certificate that chains to a trusted root certificate in the certificate issuers list, certificate selection fails, and clients do not continue with the other certificate selection criteria. In most cases, the Configuration Manager client correctly identifies a unique and appropriate PKI certificate to use. However, when this is not the case, instead of selecting the certificate based on the client authentication capability, you can configure two alternative selection methods: A partial string match on the client certificate Subject name. This is a case-insensitive match that is appropriate if you are using the fully qualified domain name (FQDN) of a computer in the subject field and want the certificate selection to be based on the domain suffix, for example contoso.com. However, you can use this selection method to identify any string of sequential characters in the certificate Subject name that differentiate the certificate from others in the client certificate store. Note You cannot use the partial string match with the Subject Alternative Name (SAN) as a site setting. Although you can specify a partial string match for the SAN by using CCMSetup, it will be overwritten by the site properties in the following scenarios: Clients retrieve site information that is published to Active Directory Domain Services. Clients are installed by using client push installation. Use a partial string match in the SAN only when you install clients manually, and when they do not retrieve site information from Active Directory Domain Services. For example, these conditions apply to Internet-only clients. A match on the client certificate Subject name attribute values or the Subject Alternative Name (SAN) attribute values. This is a case-sensitive match that is appropriate if you are using an X500 distinguished name or equivalent OIDs (Object Identifiers) in compliance with RFC 3280, and you want the certificate selection to be based on the attribute values. You can specify only the attributes and their values that you require to uniquely identify or validate the certificate and differentiate the certificate from others in the certificate store.
481

The following table shows the attribute values that Configuration Manager supports for the client certificate selection criteria.
OID Attribute Distinguished name attribute Attribute definition

0.9.2342.19200300.100.1.25 1.2.840.113549.1.9.1 2.5.4.3 2.5.4.4 2.5.4.5 2.5.4.6 2.5.4.7 2.5.4.8 2.5.4.9 2.5.4.10 2.5.4.11 2.5.4.12 2.5.4.42 2.5.4.43 2.5.29.17

DC E or E-mail CN SN SERIALNUMBER C L S or ST STREET O OU T or Title G or GN or GivenName I or Initials (no value)

Domain component E-mail address Common name Subject name Serial number Country code Locality State or province name Street address Organization name Organizational unit Title Given name Initials Subject Alternative Name

If more than one appropriate certificate is located after the selection criteria is applied, you can override the default configuration to select the certificate with the longest validity period and instead, specify that no certificate is selected. In this scenario, the client will not be able to communicate with IIS site systems by using a PKI certificate. The client sends an error message to its assigned fallback status point to alert you to the certificate selection failure so that you can modify or refine your certificate selection criteria. The client behavior then depends on whether the failed connection was over HTTPS or HTTP: If the failed connection was over HTTPS: The client tries to make a connection over HTTP and uses the client self-signed certificate. If the failed connection was over HTTP: The client tries to make another connection over HTTP by using the self-signed client certificate.

To help identify a unique PKI client certificate, you can also specify a custom store, other than the default of Personal in the Computer store. However, you must create this store independently from Configuration Manager and must be able to deploy certificates to this custom store and renew them before the validity period expires.
482

Planning a Transition Strategy for PKI Certificates and InternetBased Client Management
The flexible configuration options in Configuration Manager let you gradually transition clients and the site to use PKI certificates to help secure client endpoints. PKI certificates provide better security and enable clients to be managed when they are on the Internet. Because of the number of configuration options and choices in Configuration Manager, there is no single way to transition a site so that all clients use HTTPS connections. However, you can follow these steps as guidance: 1. Install the Configuration Manager site and configure it so that site systems accept client connections over HTTPS and HTTP. 2. Configure the Client Computer Communication tab in the site properties so that the Site System Settings is HTTP or HTTPS, and select the Use PKI client certificate (client authentication capability) when available check box. Configure any other settings from this tab that you require. For more information, see the Configure Settings for Client PKI Certificates section in the Configuring Security for Configuration Manager topic. 3. Pilot a PKI rollout for client certificates. For an example deployment, see the Deploying the Client Certificate for Computers section in the Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority topic. 4. Install clients by using the client push installation method. For more information, see the How to Install Configuration Manager Clients by Using Client Push section in the How to Install Clients on Windows-Based Computers in Configuration Manager topic. 5. Monitor client deployment and status by using the reports and information in the Configuration Manager console. For more information, see How to Monitor Database Replication and SQL Server Status for Database Replication. 6. Track how many clients are using a client PKI certificate by viewing the Client Certificate column in the Assets and Compliance workspace, Devices node. You can also deploy the Configuration Manager HTTPS Readiness Assessment Tool (cmHttpsReadiness.exe) to computers and use the reports to view how many computers can use a client PKI certificate with Configuration Manager. Note When the Configuration Manager client installs on client computers, the cmHttpsReadiness.exe tool is installed in the %windir%\CCM folder. When you run this tool on clients, you can specify the following options: /Store:<name> /Issuers:<list> /Criteria:<criteria> /SelectFirstCert These options map to the CCMCERTSTORE, CCMCERTISSUERS, CCMCERTSEL, and CCMFIRSTCERT Client.msi properties, respectively. For more information about these options, see About Client Installation Properties in Configuration Manager.

483

7. When you are confident that a sufficient number of clients are successfully using their client PKI certificate for authentication over HTTP, do the following: a. Deploy a PKI web server certificate to a member server that will run an additional management point for the site, and configure that certificate in IIS. For more information, see the Deploying the Web Server Certificate for Site Systems that Run IIS section in the Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority topic. b. Install the management point role on this server and configure the Client connections option in the management point properties for HTTPS. 8. Monitor and verify that clients that have a PKI certificate use the new management point by using HTTPS. You can use IIS logging or performance counters to verify this. 9. Reconfigure other site system roles to use HTTPS client connections. If you want to manage clients on the Internet, ensure that site systems have an Internet FQDN and configure individual management points and distribution points to accept client connections from the Internet. Important Before you configure site system roles to accept connections from the Internet, review the planning information and prerequisites for Internet-based client management. For more information, see the Planning for Internet-Based Client Management section in the Planning for Communications in Configuration Manager topic. 10. Extend the PKI certificate rollout for clients and for site systems that run IIS, and configure the site system roles for HTTPS client connections and Internet connections, as required. 11. For the highest security: When you are confident that all clients are using a client PKI certificate for authentication and encryption, change the site properties to use HTTPS only. When you follow this plan to gradually introduce PKI certificates, first for authentication only over HTTP, and then for authentication and encryption over HTTPS, you reduce the risk that clients will become unmanaged. In addition, you will benefit from the highest security that Configuration Manager supports.

Planning for the Trusted Root Key

The Configuration Manager trusted root key provides a mechanism for Configuration Manager clients to verify that site systems belong to their hierarchy. Every site server generates a site exchange key to communicate with other sites. The site exchange key from the top-level site in the hierarchy is called the trusted root key. The function of the trusted root key in Configuration Manager resembles a root certificate in a public key infrastructure in that anything signed by the private key of the trusted root key is trusted further down the hierarchy. For example, by signing the management point certificate with the private key of the trusted root key pair, and by making a copy of the public key of the trusted root key pair available to the clients, clients can differentiate between management points that are

484

in their hierarchy and management points that are not in their hierarchy. Clients use WMI to store a copy of the trusted root key in the namespace root\ccm\locationservices. Clients can automatically retrieve the public copy of the trusted root key by using two mechanisms: The Active Directory schema is extended for Configuration Manager, the site is published to Active Directory Domain Services, and clients can retrieve this site information from a global catalog server. Clients are installed by using client push.

If clients cannot retrieve the trusted root key by using one of these mechanisms, they trust the trusted root key that is provided by the first management point that they communicate with. In this scenario, a client might be misdirected to an attackers management point where it would receive policy from the rogue management point. This would likely be the action of a sophisticated attacker and might occur only in a limited time before the client retrieves the trusted root key from a valid management point. However, to reduce this risk of an attacker misdirecting clients to a rogue management point, you can pre-provision the clients by using the trusted root key. Use the following procedures to pre-provision and verify the trusted root key for a Configuration Manager client: Pre-provision a client by using the trusted root key by using a file. Pre-provision a client by using the trusted root key without using a file. Verify the trusted root key on a client. Note You do not have to pre-provision client by using the trusted root key if they can obtain this from Active Directory Domain Services or they are installed by using client push. In addition, you do not have to pre-provision clients when they use HTTPS communication to management points because trust is established by using the PKI certificates. You can remove the trusted root key from a client by using the Client.msi property RESETKEYINFORMATION = TRUE with CCMSetup.exe. To replace the trusted root key, reinstall the client together with the new trusted root key, for example, by using client push, or by specifying the Client.msi SMSPublicRootKey property by using CCMSetup.exe. To pre-provision a client with the trusted root key by using a file 1. In a text editor, open the file <Configuration Manager directory>\bin\mobileclient.tcf. 2. Locate the entry SMSPublicRootKey=, copy the key from that line, and close the file without any changes. 3. Create a new text file and paste the key information that you copied from the mobileclient.tcf file. 4. Save the file and place it somewhere where all computers can access it, but the file is secured to prevent tampering. 5. Install the client by using any installation method that accepts Client.msi properties, and specify the Client.msi property SMSROOTKEYPATH=<Full path and file name>.
485

Important When you specify the trusted root key for additional security during client installation, you must also specify the site code, by using the Client.msi property SMSSITECODE=<site code>. To pre-provision a client with the trusted root key without using a file 1. In a text editor, open the file <Configuration Manager directory>\bin\mobileclient.tcf. 2. Locate the entry SMSPublicRootKey=, note the key from that line or copy it to the Clipboard, and then close the file without any changes. 3. Install the client by using any installation method that accepts Client.msi properties, and specify the Client.msi property SMSPublicRootKey=<key>, where <key> is the string that you copied from mobileclient.tcf. Important When you specify the trusted root key for additional security during client installation, you must also specify the site code, by using the Client.msi property SMSSITECODE=<site code> To verify the trusted root key on a client 1. On the Start menu, click Run, and then type Wbemtest. 2. In the Windows Management Instrumentation Tester dialog box, click Connect. 3. In the Connect dialog box, in the Namespace box, type root\ccm\locationservices, and then click Connect. 4. In the Windows Management Instrumentation Tester dialog box, in the IWbemServices section, click Enum Classes. 5. In the Superclass Info dialog box, select Recursive, and then click OK. 6. The Query Result window, scroll to the end of the list, and then double-click TrustedRootKey (). 7. In the Object editor for TrustedRootKey dialog box, click Instances. 8. In the new Query Result window that displays the instances of TrustedRootKey, double-click TrustedRootKey=@ 9. In the Object editor for TrustedRootKey=@ dialog box, in the Properties section, scroll down to TrustedRootKey CIM_STRING. The string in the right column is the trusted root key. Verify that it matches the SMSPublicRootKey value in the file <Configuration Manager directory>\bin\mobileclient.tcf.

Planning for Signing and Encryption

When you use PKI certificates for all client communications, you do not have to plan for signing and encryption to help secure client data communication. However, if you configure any site

486

systems that run IIS to allow HTTP client connections, you must decide how to help secure the client communication for the site. To help protect the data that clients send to management points, you can require it to be signed. In addition, you can require that all signed data from clients that use HTTP is signed by using the SHA-256 algorithm. Although this is a more secure setting, do not enable this option unless all clients support SHA-256. Many operating systems natively support SHA-256, but older operating systems might require an update or hotfix. For example, computers that run Windows Server 2003 SP2 must install a hotfix that is referenced in the KB article 938397. Whereas signing helps protect the data from tampering, encryption helps protect the data from information disclosure. You can enable 3DES encryption for the inventory data and state messages that clients send to management points in the site. You do not have to install any updates on clients to support this option, but consider the additional CPU usage that will be required on clients and the management point to perform the encryption and decryption.

Planning for Role-Based Administration

Role-based administration lets you design and implement administrative security for the System Center 2012 Configuration Manager hierarchy by using any or all of the following: Security roles Collections Security scopes

These settings combine to define an administrative scope for an administrative user. The administrative scope controls the objects that an administrative user can view in the Configuration Manager console and the permissions that user has on those objects. Role-based administration configurations replicate to each site in the hierarchy as global data, and then are applied to all administrative connections. Important Intersite replication delays can prevent a site from receiving changes for role-based administration. For information about how to monitor intersite database replication, see the How to Monitor Database Replication and SQL Server Status for Database Replication section in the Monitor Configuration Manager Sites and Hierarchy topic.

Planning for Security Roles

Use security roles to grant security permissions to administrative users. Security roles are groups of security permissions that you assign to administrative users so that they can perform their administrative tasks. These security permissions define the administrative actions that an administrative user can perform and the permissions that are granted for particular object types. As a security best practice, assign the security roles that provide the least permissions. System Center 2012 Configuration Manager has several built-in security roles to support typical groupings of administrative tasks, and you can create your own custom security roles to support your specific business requirements. Examples of the built-in security roles:
487

Full Administrator: This security role grants all permissions in Configuration Manager. Asset Analyst: This security role allows administrative users to view data collected by using Asset Intelligence, software inventory, hardware inventory, and software metering. Administrative users can create metering rules and Asset Intelligence categories, families, and labels. Software Update Manager: This security role grants permissions to define and deploy software updates. Administrative users who are associated with this role can create collections, software update groups, deployments, templates, and enable software updates for Network Access Protection (NAP). Tip You can view the list of built-in security roles and custom security roles you create, including their descriptions, in the Configuration Manager console. To do so, in the Administration workspace, expand Security, and select Security Roles.

Each security role has specific permissions for different object types. For example, the Application Administrator security role has the following permissions for applications: Approve, Create, Delete, Modify, Modify Folders, Move Objects, Read/Deploy, Set Security Scope. You cannot change the permissions for the built-in security roles, but you can copy the role, make changes, and then save these changes as a new custom security role. You can also import security roles that you have exported from another hierarchy (for example, from a test network). Review the security roles and their permissions to determine whether you will use the built-in security roles or you have to create your own custom security roles. Use the following steps to help you plan for security roles: 1. Identify the tasks that the administrative users perform in System Center 2012 Configuration Manager. These tasks might relate to one or more groups of management tasks, such as deploying applications and packages, deploying operating systems and settings for compliance, configuring sites and security, auditing, remotely controlling computers, and collecting inventory data. 2. Map these administrative tasks to one or more of the built-in security roles. 3. If some of the administrative users perform the tasks of multiple security roles, assign the multiple security roles to these administrative users instead of in creating a new security role that combines the tasks. 4. If the tasks that you identified do not map to the built-in security roles, create and test new security roles.

Planning for Collections

Collections specify the user and computer resources that an administrative user can view or manage. For example, for administrative users to deploy applications or to run remote control, they must be assigned to a security role that grants access to a collection that contains these resources. You can select collections of users or devices. For more information about collections, see Introduction to Collections in Configuration Manager.

488

Before you configure role-based administration, check whether you have to create new collections for any of the following reasons: Functional organization. For example, separate collections of servers and workstations. Geographic alignment. For example, separate collections for North America and Europe. Security requirements and business processes. For example, separate collections for production and test computers. Organization alignment. For example, separate collections for each business unit.

Planning for Security Scopes

Use security scopes to provide administrative users with access to securable objects. Security scopes are a named set of securable objects that are assigned to administrator users as a group. All securable objects must be assigned to one or more security scopes. Configuration Manager has two built-in security scopes: All: This built-in security scope grants access to all scopes. You cannot assign objects to this security scope. Default: This built-in security scope is used for all objects, by default. When you first install System Center 2012 Configuration Manager, all objects are assigned to this security scope.

If you want to restrict the objects that administrative users can see and manage, you must create and use your own custom security scopes. Security scopes do not support a hierarchical structure and cannot be nested. Security scopes can contain one or more object types, which include the following: Alert subscriptions Antimalware policies Applications Boot images Boundary groups Configuration items Custom client settings Distribution points and distribution point groups Driver packages Global conditions Migration jobs Operating system images Operating system installation packages Packages Queries Sites Software metering rules Software update groups
489

Software updates packages Task sequence packages Windows CE device setting items and packages

There are also some objects that you cannot include in security scopes because they are only secured by security roles. Administrative access to these cannot be limited to a subset of the available objects. For example, you might have an administrative user who creates boundary groups that are used for a specific site. Because the boundary object does not support security scopes, you cannot assign this user a security scope that provides access to only the boundaries that might be associated with that site. Because a boundary object cannot be associated to a security scope, when you assign a security role that includes access to boundary objects to a user, that user can access every boundary in the hierarchy. Objects that are not limited by security scopes include the following: Active Directory forests Administrative users Alerts Boundaries Computer associations Default client settings Deployment templates Device drivers Exchange Server connector Migration site-to-site mappings Mobile device enrollment profiles Security roles Security scopes Site addresses Site system roles Software titles Software updates Status messages User device affinities

Create security scopes when you have to limit access to separate instances of objects. For example: You have a group of administrative users who must be able to see production applications and not test applications. Create one security scope for production applications and another for the test applications. Different administrative users require different access for some instances of an object type. For example, one group of administrative users requires Read permission to specific software update groups, and another group of administrative users requires Modify and
490

Delete permissions for other software update groups. Create different security scopes for these software update groups.

See Also
Planning for Configuration Manager Sites and Hierarchy

Planning for Communications in Configuration Manager

Before you install System Center 2012 Configuration Manager, plan for the network communications between different sites in a hierarchy, between different site system servers in a site, and between clients and site system servers. These communications might be contained in a single domain, or they might span multiple Active Directory forests. You might also have to plan for communications to manage clients on the Internet. Use the following sections in this topic to help you plan for communications in Configuration Manager. Planning for Intersite Communications in Configuration Manager File-Based Replication Database Replication

Planning for Intrasite Communications in Configuration Manager Planning for Client Communication in Configuration Manager Planning for Client Communication to Site Systems Planning for Client Approval Planning for Service Location by Clients Planning How to Wake Up Clients

Planning for Communications Across Forests in Configuration Manager Planning for Internet-Based Client Management Features that Are Not Supported on the Internet Planning for Internet-Based Site Systems Planning for Internet-Based Clients Prerequisites for Internet-Based Client Management Controlling Network Bandwidth Usage Between Sites Controlling Network Bandwidth Usage Between Site System Servers Controlling Network Bandwidth Usage Between Clients and Site System Servers

Planning for Network Bandwidth in Configuration Manager

491

Whats New in Configuration Manager

Note The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide. The following items are new or have changed for site communication since Configuration Manager 2007: Site-to-site communication now uses database replication in addition to file-based replication for many site-to-site data transfers, including configurations and settings. The Configuration Manager 2007 concept of mixed-mode or native-mode sites to define how clients communicate to site systems in the site has been replaced by site system roles that can independently support HTTP or HTTPS client communications. To help support client computers in other forests, Configuration Manager can discover computers in these forests and publish site information to these forests. The server locator point is no longer used, and the functionality of this site system role is moved to the management point. Internet-based client management now supports the following: User policies when the Internet-based management point can authenticate the user by using Windows authentication (Kerberos or NTLM). Simple task sequences, such as scripts. Operating system deployment on the Internet remains unsupported. Internet-based clients on the Internet first try to download any required software updates from Microsoft Update, rather than from an Internet-based distribution point in their assigned site. Only if this fails, will they then try to download the required software updates from an Internet-based distribution point.

Whats New in Configuration Manager SP1

Note The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide. The following items are new or have changed for site communication for Configuration Manager SP1: File replication routes replace addresses for file-based replication between sites. This is only a change in the name for file-based replication and brings consistency with database replication. There is no change in functionality. Configure database replication links between site databases to control and monitor the network traffic for database replication: Use distributed views to prevent the replication of selected site data from a primary site to the central administration site. The central administration site then accesses this data directly from the primary site database. Schedule the transfer of selected site data across database replication links.
492

Control the frequency that replication traffic is summarized for reports. Define custom thresholds that raise alerts for replication problems. Change the port that Configuration Manager uses for the SQL Server Service Broker. Configure the period of time to wait before a replication failure triggers a site to reinitialize its copy of the site database. Configure a site database to compress the data that it replicates by database replication. The data is compressed only for transfer between sites, and not for storage in the site database at either site.

Configure replication controls for the SQL Server database at a site:

When Configuration Manager SP1 clients run Windows 7, Windows 8, Windows Server 2008 R2, or Windows Server 2012, you can supplement the Wake on LAN site setting for unicast packets by using the wake-up proxy client settings. This combination helps to wake up computers on subnets without the requirement to reconfigure network switches.

Planning for Intersite Communications in Configuration Manager

In a Configuration Manager hierarchy, each site communicates with its parent site and its direct child sites by using two data transfer methods: file-based replication and database replication. Secondary sites not only communicate to their parent primary sites by using both data transfer methods, but can also communicate with other secondary sites by using file-based replication to route content to remote network locations. Configuration Manager uses file-based replication and database replication to transfer different types of information between sites.

File-Based Replication
Configuration Manager uses file-based replication to transfer file-based data between sites in your hierarchy. This data includes content such as applications and packages that you want to deploy to distribution points in child sites, and unprocessed discovery data records that are transferred to parent sites where they are processed. File-based communication between sites uses the Server Message Block (SMB) protocol by using TCP/IP port 445. You can specify configurations that include bandwidth throttling and pulse mode to control the amount of data transferred across the network, and schedules to control when to send data across the network. With Configuration Manager SP1, addresses are renamed to file replication routes to bring consistency with database replication. Prior to SP1, Configuration Manager uses an address to connect to the SMS_SITE share on the destination site server to transfer file-based data. Beginning with SP1, Configuration Manager uses a file replication route. File replication routes and addresses operate the same way, and support the same configurations. The following sections are written for service pack 1 and reference file replication routes instead of addresses. If you use Configuration Manager without a service pack, use the information in the
493

following table to convert the references to file replication routes back to the related reference for addresses.
Configuration Manager with SP1 Configuration Manager without service pack

File Replication Account File replication route File Replication node in the Configuration Manager console

Site Address Account Address Addresses node in the Configuration Manager console

File Replication Routes

Configuration Manager uses file replication routes to transfer file-based data between sites in a hierarchy. File replication routes replace addresses, which are used in previous versions of Configuration Manager. The functionality of file replication routes is unchanged from addresses. The following table provides information about file replication routes.
Object More information

File replication route

Each file replication route identifies a destination site to which file-based data can transfer. Each site supports a single file replication route to a specific destination site. Configuration Manager supports the following configurations for file replication routes: File Replication Account: This account is used to connect to the destination site and to write data to that sites SMS_SITE share. Data written to this share is processed by the receiving site. By default, when a site is added to the hierarchy, Configuration Manager assigns the computer account of the new sites site server as that sites File Replication Account. This account is then added to the destination sites SMS_SiteToSiteConnection_<Sitecode> group which is a local group on the computer that grants access to the SMS_SITE share. You can change this account to be a Windows user account. If you change the account, ensure you add the new account to the destination sites SMS_SiteToSiteConnection_<Sitecode>
494

Object

More information

group. Note Secondary sites always use the computer account of the secondary site server as the File Replication Account. Schedule: You can configure the schedule for each file replication route to restrict the type of data and time when data can transfer to the destination site. Rate Limits: You can configure rate limits for each file replication route to control the network bandwidth that is used when the site transfers data to the destination site: Use Pulse mode to specify the size of the data blocks that are sent to the destination site. You can also specify a time delay between sending each data block. Use this option when you must send data across a very low bandwidth network connection to the destination site. For example, you might have constraints to send 1 KB of data every five seconds, but not 1 KB every three seconds, regardless of the speed of the link or its usage at a given time. Use Limited to maximum transfer rates by hour to have a site send data to a destination site by using only the percentage of time that you specify. When you use this option, Configuration Manager does not identify the networks available bandwidth, but instead divides the time it can send data into slices of time. Then data is sent in a short block of time, which is followed by blocks of time when data is not sent. For example, if the maximum rate is set to 50%, Configuration Manager transmits data for an amount of time followed by an equal period of time when no data is sent. The actual size amount of data, or
495

Object

More information

size of the data block, is not managed. Instead, only the amount of time during which data is sent is managed. Caution By default, a site can use up to three concurrent sendings to transfer data to a destination site. When you enable rate limits for a file replication route, the concurrent sendings for sending data to that site are limited to one. This applies even when the Limit available bandwidth (%) is set to 100%. For example, if you use the default settings for the sender, this reduces the transfer rate to the destination site to be one third of the default capacity. You can configure a file replication route between two secondary sites to route filebased content between those sites.

To manage a file replication route, in the Administration workspace, expand the Hierarchy Configuration node, and select File Replication. Sender Each site has one sender. The sender manages the network connection from one site to a destination site, and can establish connections to multiple sites at the same time. To connect to a site, the sender uses the file replication route to the site to identify the account to use to establish the network connection. The sender also uses this account to write data to the destination sites SMS_SITE share. By default, the sender writes data to a destination site by using multiple concurrent sendings, typically referred to as a thread. Each concurrent sending, or thread, can
496

Object

More information

transfer a different file-based object to the destination site. By default, when the sender begins to send an object, the sender continues to write blocks of data for that object until the entire object is sent. After all the data for the object has been sent, a new object can begin to send on that thread. You can configure the following settings for a sender: Maximum concurrent sendings: By default, each site is configured to use five concurrent sendings, with three available for use when it sends data to any one destination site. When you increase this number you can increase the throughput of data between sites by enabling Configuration Manager to transfer more files at the same time. Increasing this number also increases the demand for network bandwidth between sites. Retry settings: By default, each site is configured to retry a problem connection two times with a one minute delay between connection attempts. You can modify the number of connection attempts the site makes, and how long to wait between those attempts.

To manage the sender for a site, expand the Hierarchy Configuration node in the Administration workspace, then expand Sites, and then click Properties for the site that you want to manage. Click the Sender tab to change the sender configuration.

Database Replication
Configuration Manager database replication uses SQL Server to transfer data and merge changes that are made in a site database with the information stored in the database at other sites in the hierarchy. This enables all sites to share the same information. Database replication is automatically configured by all Configuration Manager sites. When you install a site in a hierarchy, database replication automatically configures between the new site and its designated parent site. When the site installation finishes, database replication automatically starts.
497

When you install a new site in a hierarchy, Configuration Manager creates a generic database at the new site. Next, the parent site creates a snapshot of the relevant data in its database and transfers that snapshot to the new site by file-based replication. The new site then uses a SQL Server bulk copy program (BCP) to load the information into its local copy of the Configuration Manager database. After the snapshot loads, each site conducts database replication with the other site. To replicate data between sites, Configuration Manager uses its own database replication service. The database replication service uses SQL Server change tracking to monitor the local site database for changes, and then replicates those changes to other sites by using a SQL Server Service Broker. By default, this process uses the TCP/IP port 4022. Configuration Manager groups data that replicates by database replication into different replication groups. Each replication group has a separate, fixed replication schedule that determines how frequently changes to the data in the group is replicated to other sites. For example, a configuration change to a role-based administration configuration replicates quickly to other sites to ensure that these changes are enforced as soon as possible. Meanwhile a lower priority configuration change, such as a request to install a new secondary site, replicates with less urgency and takes several minutes for the new site request to reach the destination primary site. Note Configuration Manager database replication is configured automatically and does not support configuration of replication groups or replication schedules. However, with Configuration Manager SP1, you can configure database replication links to control when specific traffic traverses the network. You can also configure when Configuration Manager raises alerts about replication links that have a status of degraded or failed. Configuration Manager classifies the data that it replicates by database replication as either global data or site data. When database replication occurs, changes to global data and site data are transferred across the database replication link. Global data can replicate to both a parent or child site, and site replicates only to a parent site. A third data type that is named local data, does not replicate to other sites. Local data includes information that is not required by other sites: Global Data: Global data refers to administrator-created objects that replicate to all sites throughout the hierarchy, although secondary sites receive only a subset of global data, as global proxy data. Examples of global data include software deployments, software updates, collection definitions, and role-based administration security scopes. Administrators can create global data at central administration sites and primary sites. Site Data: Site data refers to operational information that Configuration Manager primary sites and the clients that report to primary sites create. Site data replicates to the central administration site but not to other primary sites. Examples of site data include hardware inventory data, status messages, alerts, and the results from query-based collections. Site data is only viewable at the central administration site and the primary site where the data originates. Site data can be modified only at the primary site where it was created. All site data replicates to the central administration site; therefore the central administration site can perform administration and reporting for the whole hierarchy.
498

Use the information in the following sections to plan for using the controls that are available with Configuration Manager SP1 to configure database replication links between sites, and to configure controls on each site database. These controls can help you control and monitor the network traffic that database replication creates.

Database Replication Links

When you install a new site in a hierarchy, Configuration Manager automatically creates a database replication link between the two sites. A single link is created to connect the new site to the parent site. With Configuration Manager SP1, each database replication link supports configurations to help control the transfer of data across the replication link. Each replication link supports separate configurations. The controls for database replication links include the following: Use distributed views to stop the replication of selected site data from a primary site to the central administration site, and enable the central administration site to directly access this data from the database of the primary site. Schedule when selected site data transfers from a child primary site to the central administration site. Define the settings that determine when a database replication link is in a degraded status or has failed. Configure when to raise alerts for a failed replication link. Specify how frequently Configuration Manager summarizes data about the replication traffic that uses the replication link. This data is used in reports.

To configure a database replication link, you edit the properties for the link in the Configuration Manager console from the Database Replication node. This node appears in the Monitoring workspace, and with Configuration Manager SP1, this node also appears under the Hierarchy Configuration node in the Administration workspace. You can edit a replication link from either the parent site or the child site of the replication link. Tip You can edit database replication links from the Database Replication node in either workspace. However, when you use the Database Replication node in the Monitoring workspace you can also view the status of database replication for replication links, and access the Replication Link Analyzer tool to help you investigate problems with database replication. For information about how to configure replication links with Configuration Manager SP1, see Site Database Replication Controls. For more information about how to monitor replication, see the How to Monitor Database Replication Links and Replication Status section in the Monitor Configuration Manager Sites and Hierarchy topic. Use the information in the following sections to plan for database replication links. Planning to use Distributed Views For Configuration Manager SP1 only:
499

Distributed views enable requests that are made at a central administration site for selected site data, to access that site data directly from the database at a child primary site. This direct access replaces the need to replicate this site data from the primary site to the central administration site. Because each replication link is independent from other replication links, you can enable distributed views on only the replication links you choose. Distributed views are not supported between a primary site and a secondary site. Distributed views can provide the following benefits: Reduce the CPU load to process database changes at the central administration site and primary sites. Reduce the amount of data that transfers across the network to the central administration site. Improve the performance of the SQL Server that hosts the central administration sites database. Reduce the disk space used by the database at the central administration site.

Consider using distributed views when a primary site is located in close proximity on the network to the central administration site, and the two sites are always on, and always connected. This is because distributed views replace the replication of the selected data between the sites with direct connections between the SQL Servers at each site. This direct connection is made each time a request for this data is made at the central administration site. Typically, requests for data you might enable for distributed views is made when you run reports or queries, view information in Resource Explorer, and by collection evaluation for collections that include rules that are based on the site data. By default, distributed views are disabled for each replication link. When you enable distributed views for a replication link, you select site data that will not replicate to the central administration site across that link, and enable the central administration site to access this data directly from the database of the child primary site that shares the link. You can configure the following types of site data for distributed views: Hardware inventory data from clients Software inventory and metering data from clients Status messages from clients, the primary site, and all secondary sites

Operationally, distributed views are invisible to an administrative user who views data in the Configuration Manager console or in reports. When a request is made for data that is enabled for distributed views, the SQL Server that hosts the database for the central administration site directly accesses the SQL Server of the child primary site to retrieve the information. For example, you use a Configuration Manager console at the central administration site to request information about hardware inventory from two sites, and only one site has hardware inventory enabled for a distributed view. The inventory information for clients from the site that is not configured for distributed views is retrieved from the database at the central administration site. The inventory information for clients from the site that is configured for distributed views is accessed from the database at child primary site. This information appears in the Configuration Manager console or report without distinction as to the source.
500

As long as a replication link has a type of data enabled for distributed views, the child primary site does not replicate that data to the central administration site. As soon as you turn off distributed views for a type of data, the child primary site resumes the replication of that data to the central administration site as part of normal data replication. However, before this data is available at the central administration site, the replication groups that contain this data must reinitialize between the primary site and the central administration site. Similarly, after you uninstall a primary site that has distributed views enabled, the central administration site must complete reinitialization of its data before you can access data that was enabled for distributed views on the central administration site. Important When you use distributed views on any replication link in the hierarchy, you must disable distributed views for all replication links before you uninstall any primary site. For more information, see the Uninstall a Primary Site when you Use Distributed Views section in the Install Sites and Create a Hierarchy for Configuration Manager topic. Prerequisites and Limitations for Distributed Views The following are prerequisites and limitations for distributed views: Both the central administration site and primary site must run Configuration Manager SP1 Distributed views are supported only on replication links between a central administration site and a primary site. The central administration site can have only one instance of the SMS Provider installed, and that instance must be installed on the site database server. This is required to support the Kerberos authentication required to enable the SQL Server at the central administration site to access the SQL Server at the child primary site. There are no limitations on the SMS Provider at the child primary site. The central administration site can have only one SQL Server Reporting Services point installed, and it must be located on site database server. This is required to support the Kerberos authentication required to enable the SQL Server at the central administration site to access the SQL Server at the child primary site. The site database cannot be hosted on a SQL Server cluster. The computer account of the database server from the central administration site requires Read permissions to the site database of the primary site. Distributed views and schedules for when data can replicate are mutually exclusive configurations for a database replication link.

Plan to Schedule Transfers of Site Data on Database Replication Links For Configuration Manager SP1 only: To help you control the network bandwidth that is used to replicate site data from a child primary site to its central administration site, you can schedule when a replication link is used, and specify when different types of site data replicates. You can control when the primary site replicates status messages, inventory, and metering data. Database replication links from secondary sites do not support schedules for site data. The transfer of global data cannot be scheduled.
501

When you configure a database replication link schedule, you can restrict the transfer of selected site data from the primary site to the central administration site, and you can configure different times to replicate different types of site data. For more information about how to control the use of network bandwidth between Configuration Manager sites, see the section Controlling Network Bandwidth Usage Between Sites in this topic. Plan for Summarization of Database Replication Traffic For Configuration Manager SP1 only: Periodically, each Configuration Manager SP1 site summarizes data about the network traffic that traverses database replication links that include the site. This summarized data is used in reports for database replication. Both sites on a replication link summarize the network traffic that traverses the replication link. The summarization of data is performed by the SQL Server that hosts the site database. After summarization of the data, this information replicates to other sites as global data. By default, summarization occurs every 15 minutes. You can modify the frequency of summarization for network traffic by editing the Summarization interval in the properties of the database replication link. The frequency of summarization affects the information you view in reports about database replication. You can modify this interval from 5 minutes to 60 minutes. When you increase the frequency of summarization, you increase the processing load on the SQL Server at each site on the replication link. Plan for Database Replication Thresholds Database replication thresholds define when the status of a database replication link is reported as either degraded or failed. By default, a link is set to degraded when any one replication group fails to complete replication for a period of 12 consecutive attempts, and set to failed when any replication group fails to replicate in 24 consecutive attempts. With Configuration Manager SP1, you can specify custom values to fine-tune when Configuration Manager reports a replication link as degraded or failed. Prior to Configuration Manager SP1, you cannot adjust these thresholds. Adjusting when Configuration Manager reports each status for your database replication links can help you accurately monitor the health of database replication across your database replication links. Because it is possible for one or a few replication groups fail to replicate while other replication groups continue to replicate successfully, plan to review the replication status of a replication link when it first reports a status of degraded. If there are recurring delays for specific replication groups and their delay does not present a problem, or where the network link between sites has low available bandwidth, consider modifying the retry values for the degraded or failed status of the link. When you increase the number of retries before the link is set to degrade or failed, you can eliminate false warnings for known issues, allowing you to more accurately track the status of the link. You should also consider the replication synchronization interval for each replication groups to understand how frequently replication of that group occurs. You can view the Synchronization

502

Interval for replication groups on the Replication Detail tab of a replication link in the Database Replication node in the Monitoring workspace. For more information about how to monitor database replication including how to view the replication status, see the How to Monitor Database Replication Links and Replication Status section in the Monitor Configuration Manager Sites and Hierarchy topic. For information on configuring database replication thresholds, see Site Database Replication Controls.

Site Database Replication Controls

For Configuration Manager SP1 only: Each site database supports configurations that can help you control the network bandwidth used for database replication. These configurations apply only to the site database where you configure the settings, and are always used when the site replicates any data by database replication to any other site. Replication controls for each site database include the following: Change the port that Configuration Manager uses for the SQL Server Service Broker. Configure the period of time to wait before replication failures trigger the site to reinitializes its copy of the site database. Configure a site database to compress the data that it replicates by database replication. The data is compressed only for transfer between sites, and not for storage in the site database at either site.

To configure the replication controls for a site database, you edit the properties of the site database in the Configuration Manager console from the Database Replication node. This node appears under the Hierarchy Configuration node in the Administration workspace, and also appears in the Monitoring workspace. To edit the properties of the site database, select the replication link between the sites, and then open either the Parent Database Properties or Child Database Properties. Tip You can configure database replication controls from the Database Replication node in either workspace. However, when you use the Database Replication node in the Monitoring workspace you can also view the status of database replication for a replication link, and access the Replication Link Analyzer tool to help you investigate problems with replication. For more information about how to configure database replication controls, see Configure Database Replication Controls. For more information about how to monitor replication, see Monitor Site Database Replication.

503

Planning for Intrasite Communications in Configuration Manager

Each Configuration Manager site contains a site server and can have one or more additional site system servers that host site system roles. Configuration Manager requires each site system server to be a member of an Active Directory domain. Configuration Manager does not support a change of the computer name or the domain membership while the computer remains a site system. When Configuration Manager site systems or components communicate across the network to other site systems or Configuration Manager components in the site, they use either server message block (SMB), HTTP, or HTTPS. The communication method depends on how you choose to configure the site. With the exception of communication from the site server to a distribution point, these server-to-server communications in a site can occur at any time and do not use mechanisms to control the network bandwidth. Because you cannot control the communication between site systems, ensure that you install site system servers in locations that have well connected and fast networks. You can use the following options to help you manage the transfer of content from the site server to distribution points: Configure the distribution point for network bandwidth control and scheduling. These controls resemble the configurations used by intersite addresses, and you can often use this configuration instead of installing another Configuration Manager site when the transfer of content to remote network locations is your main bandwidth consideration. You can install a distribution point as a prestaged distribution point. A prestaged distribution point lets you use content that is manually put on the distribution point server and removes the requirement to transfer content files across the network.

For more information about network bandwidth considerations, see Network Bandwidth Considerations for Distribution Points in Planning for Content Management in Configuration Manager.

Planning for Client Communication in Configuration Manager

Client communication in Configuration Manager includes client-to-site-system communications and service location inquiries. By using service location inquiries, Configuration Manager clients can identify the site system servers to use. Use the information in the following sections to plan for communications by Windows-based clients. In Configuration Manager SP1, you can manage clients that run Linux and UNIX. Clients that run Linux and UNIX operate as clients in workgroups. For information about supporting computers that are in workgroups, see the Planning for Communications Across Forests in Configuration Manager in this topic. For additional information about communication for clients that run Linux
504

and UNIX, see the Planning for Communication across Forest Trusts for Linux and UNIX Servers section in the Planning for Client Deployment for Linux and UNIX Servers topic.

Planning for Client Communication to Site Systems

Configuration Manager clients initiate communication to site system roles that provide services to clients. This includes management points from which clients download client policy, and distribution points from which clients download content. To communicate with a site system role, the client must first locate a site system role that is configured to support the protocol (HTTPS or HTTP) that the client can use. By default, clients use the most secure method available to them. Therefore, a client that is configured to use a PKI certificate attempts to locate and communicate with a site system role by using HTTPS before it communicates with a site system role that uses HTTP. For a Configuration Manager client to use HTTPS, you must have a public key infrastructure (PKI) and must install PKI certificates on clients and servers. The client requires a certificate that has client authentication capability for mutual authentication with the site system server. For information about how to use certificates, see PKI Certificate Requirements for Configuration Manager. When you deploy a site system role that uses Internet Information Services (IIS) and supports communication from clients that include management points, an Application Catalog website point, a state migration point, or distribution points, you must specify whether clients connect to the site system by using HTTP or HTTPS. If you use HTTP, you must also consider signing and encryption choices. For more information, see Planning for Signing and Encryption. You can also configure the site system to use an intranet fully qualified domain name (FQDN) and an Internet FQDN. When you configure an Internet FQDN, you can then configure the site system role to accept client connections from the Internet. You can configure support for client connections from the Internet only, or clients connections from the intranet and Internet. You can deploy multiple instances of a site system role in a site and separate instances of that site system role support different communication settings. For example, in a single site, you can have one management point that accepts HTTPS client communication and another management point that accepts HTTP client communication. You can use one site to manage clients across different network locations that use different communication protocols and security settings.

Planning for Client Approval

When clients use a PKI certificate to authenticate themselves to a management point, Configuration Manager knows that the client is trusted because the trust is established by using PKI. When you do not use PKI to establish this trust, Configuration Manager uses a process named client approval to register this trust. By default, Configuration Manager uses the computer account of the device and Kerberos authentication to verify that the device is trusted. By using this default setting, you must manually verify that any client that is displayed as Not Approved in the Configuration Manager console is
505

a trusted device, and then approve it to be managed by Configuration Manager. This scenario applies to computers that are in untrusted forests and in workgroups. It also applies if the Kerberos authentication failed for any reason. Although Configuration Manager has a configuration option to automatically approve all clients, do not use this configuration unless Configuration Manager is running in a secured test environment. You can also select a configuration option to always manually approve clients. The approval setting is for all devices in the hierarchy, and you can manually approve clients from anywhere in the hierarchy. Note Although some management functions might work for clients that are not approved, Configuration Manager does not support the management of these devices.

Planning for Service Location by Clients

Service location is how Configuration Manager clients find sites, site information, and site system roles that they can communicate with. For example, for clients to successfully download client policy, they must first locate a management point from their site that uses the same protocol as they use. Service location is independent from name resolution, which maps a computer name to an IP address. Name resolution is performed by DNS or WINS. However, DNS and WINS can also be used for service location. Clients search for a management point by using the following options in the order specified: 1. Management point 2. Active Directory Domain Services 3. DNS 4. WINS

Planning for Service Location from Management Points

When you install a Configuration Manager client, you can use the /MP option to indicate the management point for the client installation process to download the client installation files. You can use the SMSMP= option to identify the initial management point that the client first communicates with. When a client communicates successfully with a management point from its assigned site, it downloads the current list of available management points and stores this information locally in WMI for future use. After the initial list of management points is built, the client updates the list every 25 hours, and when it receives a new IP address, and when the client CCMEXEC service starts. During the installation of the client, the client builds a lookup list of management points (also known as an MP list) that include the management points that you specify during client installation, and management points that the client can identify from Active Directory Domain Services. A site must have one or more management points installed, and the site must publish to Active Directory Domain Services before the client can discover the sites management points
506

from Active Directory Domain Services. Management points that are found in Active Directory Domain Services must match the clients assigned site code and client version. The client ignores management points that are published by Configuration Manager 2007. If you did not specify a management point to the client during client installation, and if you have not extended the Active Directory schema, the client checks DNS and WINS for management points to add to its lookup list. Note When a client is a member of more than one boundary group that is configured for site assignment, the management point lookup list is determined by a union of all of the boundaries that are associated to each of those boundary groups. After the client builds its list of management points, it sorts the list into different priorities. When the client supports a client PKI certificate, the client uses a management point that supports HTTPS communication and puts HTTPS-capable management points first in the list, as preferred management points. The client then tries to contact a preferred management point before it uses a management point that is not preferred. The order of all equivalent management points is not set and only the relative priority is set. This order of equivalent management points can reset every time that the client updates its management point lookup list. Therefore, a client that has three HTTPS capable management points available to it might contact any of the three HTTPS management points during each new connection attempt. If the client cannot reach the first management point, it retries several times. If it continues to fail, it tries additional management points until communications are established, or there are no more management points on its list. For information about how to install Configuration Manager clients, and how to use command-line parameters to specify management points and the protocol that a client uses to contact site system roles, see How to Install Clients on Windows-Based Computers in Configuration Manager. If the client cannot contact a management point from its lookup list, it tries to use an alternative service location method.

Planning for Service Location from Active Directory Domain Services

Intranet clients use Active Directory Domain Services as their primary method of service location. Examples of site information include the location of available site system roles and their capabilities, and the security information that is required by client computers to establish trusted connections with site system servers in the site. Configuration Manager clients can use Active Directory Domain Services for service location when all the following conditions are true: The Active Directory schema is extended for Configuration Manager 2007 or System Center 2012 Configuration Manager. Configuration Manager sites publish to Active Directory Domain Services. The Active Directory forest is enabled for publishing in Configuration Manager. The client computer is a member of an Active Directory domain and can access a global catalog server.

507

If any one of these conditions cannot be met, you can configure alternative service location methods. Alternatives include DNS, WINS, and a management point that is specified during client installation.

Planning for Service Location by Using DNS Publishing

If you cannot publish site information to Active Directory Domain Services, consider publishing management points to DNS. You can publish this site system role for clients on the intranet. Determine Whether to Publish Management Points to DNS When you publish Configuration Manager management points to DNS, this configuration adds a service location resource record (SRV RR) in the DNS zone of the site system server that hosts the management point. Ensure that you have a corresponding host entry for the site system server. Consider publishing to DNS when any of the following conditions are true: The Active Directory Domain Services schema is not extended to support Configuration Manager. Clients on the intranet are located in a forest that is not enabled for Configuration Manager publishing. Clients are on workgroup computers, and they are not configured for Internet-only client management. Important Publishing service location records for management points in DNS is applicable only to management points that accept client connections from the intranet. Client Discovery of Management Points from DNS For clients to find a management point in DNS, you must assign the clients to a specific site instead of using automatic site assignment. Additionally, you must configure a client property that specifies the domain suffix of the management point. Clients on the intranet use this domain suffix to query DNS for management points for their assigned site. When more than one management point for the site is published to DNS, a client selects the first management point that matches its own communication setting for HTTPS or HTTP. A client that can use HTTPS always selects a management point that is configured for HTTPS if one is available. For more information about how to configure the DNS suffix client property, see How to Configure Client Computers to Find Management Points by using DNS Publishing in Configuration Manager. Publish Management Points to DNS To publish management points to DNS, the following two conditions must be true: Your DNS servers support service location resource records, by using a version of BIND that is at least 8.1.2. The specified intranet FQDNs for the management points in Configuration Manager have host entries (for example, A records) in DNS.
508

Important Configuration Manager DNS publishing does not support a disjoint namespace. If you have a disjoint namespace, you can manually publish management points to DNS or use one of the other alternative service location methods that are documented in this section. When your DNS servers support automatic updates, you can configure System Center 2012 Configuration Manager to automatically publish management points on the intranet to DNS, or you can manually publish these records to DNS. When management points are published to DNS, their intranet FQDN and port number are published in the service location (SRV) record. When your DNS servers do not support automatic updates but do support service location records, you can manually publish management points to DNS. To accomplish this, you must manually specify the service location resource record (SRV RR) in DNS. Configuration Manager supports RFC 2782 for service location records, which have the following format: _Service._Proto.Name TTL Class SRV Priority Weight Port Target To publish a management point to Configuration Manager, specify the following values: _Service: Enter _mssms_mp_<sitecode>, where <sitecode> is the management point's site code. ._Proto: Specify ._tcp. .Name: Enter the DNS suffix of the management point, for example contoso.com. TTL: Enter 14400, which is four hours. Class: Specify IN (in compliance with RFC 1035). Priority: This field is not used by Configuration Manager. Weight: This field is not used by Configuration Manager. Port: Enter the port number that the management point uses, for example 80 for HTTP and 443 for HTTPS. Note If the management point accepts HTTP and HTTPS client connections, you must create two SRV records. In one record, specify the HTTP port number; in the other, specify the HTTPS port number. Target: Enter the intranet FQDN that is specified for the site system that is configured with the management point site role.

If you use Windows Server DNS, you can use the following procedure to enter this DNS record for intranet management points. If you use a different implementation for DNS, use the information in this section about the field values and consult that DNS documentation to adapt this procedure. To manually publish management points to DNS on Windows Server 1. In the Configuration Manager console, specify the intranet FQDNs of site systems. 2. In the DNS management console, select the DNS zone for the management point
509

computer. 3. Verify that there is a host record (A or AAA) for the intranet FQDN of the site system. If this record does not exist, create it. 4. By using the New Other Records option, click Service Location (SRV) in the Resource Record Type dialog box, click Create Record, enter the following information, and then click Done: Domain: If necessary, enter the DNS suffix of the management point, for example contoso.com. Service: Type _mssms_mp_<sitecode>, where <sitecode> is the management point's site code. Protocol: Type _tcp. Priority: This field is not used by Configuration Manager. Weight: This field is not used by Configuration Manager. Port: Enter the port number that the management point uses, for example 80 for HTTP and 443 for HTTPS. Note If the management point accepts HTTP and HTTPS client connections, you must create two SRV records. In one record, specify the HTTP port number; in the other, specify the HTTPS port number. Host offering this service: Enter the intranet fully qualified domain name that is specified for the site system that is configured with the management point site role.

Repeat these steps for each management point on the intranet that you want to publish to DNS.

Planning for Service Location by Using WINS

The first management point in the primary site that is configured to accept HTTP client connections and the first management point in the primary site that is configured to accept HTTPS client connections are automatically published to WINS. When other service location mechanisms fail, clients can find an initial management point by checking WINS. When they connect to this management point, they download a list of other management points. This behavior means that clients can indirectly locate all management points from WINS and use them for subsequent connections. For example, you might prefer clients to use HTTPS when they connect to management points on the intranet, because this configuration provides improved security. You configure all management points but one to accept only HTTPS client connections. The one management point that accepts HTTP client connections is used only when clients first connect to the site. If you do not want clients to find an HTTP management point in WINS, configure clients with the CCMSetup.exe Client.msi property SMSDIRECTORYLOOKUP=NOWINS.

510

Planning How to Wake Up Clients

Configuration Manager supports two wake on local area network (LAN) technologies to wake up computers in sleep mode when you want to install required software, such as software updates and applications: traditional wake-up packets and AMT power-on commands. If you have Configuration Manager SP1, you can supplement the traditional wake-up packet method by using the wake-up proxy client settings. Wake-up proxy uses a peer-to-peer protocol and elected computers to check whether other computers on the subnet are awake, and to wake them if necessary. When the site is configured for Wake On LAN and clients are configured for wake-up proxy, the process works as follows: 1. Computers that have the Configuration Manager SP1 client installed and that are not asleep on the subnet check whether other computers on the subnet are awake. They do this by sending each other a TCP/IP ping command every 5 seconds. 2. If there is no response from other computers, they are assumed to be asleep. The computers that are awake become manager computers for the subnet. Because it is possible that a computer might not respond because of a reason other than it is asleep (for example, it is turned off, removed from the network, or the proxy wake-up client setting is no longer applied), the computers are sent a wake-up packet every day at 2 P.M. local time. Computers that do not respond will no longer be assumed to be asleep and will not be woken up by wake-up proxy. To support wake-up proxy, at least three computers must be awake for each subnet. To achieve this, three computers are non-deterministically chosen to be guardian computers for the subnet. This means that they stay awake, despite any configured power policy to sleep or hibernate after a period of inactivity. Guardian computers honor shutdown or restart commands, for example, as a result of maintenance tasks. If this happens, the remaining guardian computers wake up another computer on the subnet so that the subnet continues to have three guardian computers. 3. Manager computers ask the network switch to redirect network traffic for the sleeping computers to themselves. The redirection is achieved by the manager computer broadcasting an Ethernet frame that uses the sleeping computers MAC address as the source address. This makes the network switch behave as if the sleeping computer has moved to the same port that the manager computer is on. The manager computer also sends ARP packets for the sleeping computers to keep the entry fresh in the ARP cache. The manager computer will also respond to ARP requests on behalf of the sleeping computer and reply with the MAC address of the sleeping computer. Warning During this process, the IP-to-MAC mapping for the sleeping computer remains the same. Wake-up proxy works by informing the network switch that a different network adapter is using the port that was registered by another network adapter. However, this behavior is known as a MAC flap and is unusual for standard network operation. Some network monitoring tools look for this behavior and can assume that something
511

is wrong. Consequently, these monitoring tools can generate alerts or shut down ports when you use wake-up proxy. Do not use wake-up proxy if your network monitoring tools and services do not allow MAC flaps. 4. When a manager computer sees a new TCP connection request for a sleeping machine and the request is to a port that the sleeping machine was listening on before it went to sleep, the manager computer sends a wake-up packet to the sleeping computer, and then stops redirecting traffic for this computer. 5. The sleeping computer receives the wake-up packet and wakes up. The sending computer automatically retries the connection and this time, the computer is awake and can respond. Wake-up proxy has the following prerequisites and limitations: Important If you have a separate team that is responsible for the network infrastructure and network services, notify and include this team during your evaluation and testing period. For example, on a network that uses 802.1X network access control, wake-up proxy will not work and can disrupt the network service. In addition, wake-up proxy could cause some network monitoring tools to generate alerts when the tools detect the traffic to wake-up other computers. The supported clients are Windows 7, Windows 8, Windows Server 2008 R2, Windows Server 2012. Guest operating systems that run on a virtual machine are not supported. Clients must run Configuration Manager SP1 and be enabled for wake-up proxy by using client settings. Although wake-up proxy operation does not depend on hardware inventory, clients do not report the installation of the wake-up proxy service unless they are enabled for hardware inventory and submitted at least one hardware inventory. Network adapters (and possibly the BIOS) must be enabled and configured for wake-up packets. If the network adapter is not configured for wake-up packets or this setting is disabled, Configuration Manager will automatically configure and enable it for a computer when it receives the client setting to enable wake-up proxy. If a computer has more than one network adapter, you cannot configure which adapter to use for wake-up proxy; the choice is non-deterministic. However, the adapter chosen is recorded in the SleepAgent_<DOMAIN>@SYSTEM_0.log file. The network must allow ICMP echo requests (at least within the subnet). You cannot configure the 5 minute interval that is used to send the ICMP ping commands. Communication is unencrypted and unauthenticated, and IPsec is not supported. The following network configurations are not supported: 802.1X with port authentication Wireless networks Network switches that bind MAC addresses to specific ports IPv6-only networks DHCP lease durations less than 24 hours
512

As a security best practice, use AMT power on commands rather than wake-up packets when this is possible. Because AMT power on commands use PKI certificates to help secure the communication, this technology is more secure than sending wake-up packets. However, to use AMT power on commands, the computers must be Intel AMT-based computers that are provisioned for AMT. For more information about how Configuration Manager can manage AMTbased computers, see Introduction to Out of Band Management in Configuration Manager. If you want to wake up computers for scheduled software installation, you must configure each primary site for one of the three options: Use AMT power on commands if the computer supports this technology; otherwise use wakeup packets Use AMT power on commands only. Use wake-up packets only.

To use wake-up proxy with Configuration Manager SP1, you must deploy Power Management wake-up proxy client settings in addition to selecting the Use wake-up packets only option. Use the following table for more information about the differences between the two Wake-on-LAN (WOL) technologies, traditional wake-up packets and power on commands..
Technology Advantage Disadvantage

Traditional wake-up packets

Does not require any additional site system roles in the site. Supported by many network adapters. UDP wake-up packets are quick to send and process. Does not require a PKI infrastructure. Does not require any changes to Active Directory Domain Services. Supported on workgroup computers, computers from another Active Directory forest, and computers in the same Active Directory forest but using a noncontiguous namespace.

Less secure solution than AMT power on commands because it does not use authentication or encryption. If subnetdirected broadcast transmissions are used for the wake-up packets, this has the security risk of smurf attacks. Might require manual configuration on each computer for BIOS settings and adapter configuration. No confirmation that computers are woken up. Wake-up transmissions as multiple User Datagram Protocol (UDP) packets can unnecessarily saturate available network bandwidth. Unless you use wake-up proxy with Configuration Manager SP1, cannot wake up
513

Technology

Advantage

Disadvantage

computers interactively. Cannot return computers to sleep state. Management features are restricted to waking up computers only. AMT power on commands More secure solution than traditional wake-up packets because it provides authentication and encryption by using standard industry security protocols. It can also integrate with an existing PKI deployment, and the security controls can be managed independently from the product. Supports automatic centralized setup and configuration (AMT provisioning). Established transport session for a more reliable connection and auditable connection. Computers can be woken up interactively (and restarted). Computers can be powered down interactively. Additional management capabilities, which include the following: Restarting a nonfunctioning computer and booting from a locally connected device or known good boot image file. Re-imaging a computer by booting from a boot image file that is located on the network or by using a PXE server. Reconfiguring the BIOS
514

Requires that the site has an out of band service point and enrollment point. Supported only on computers that have the Intel vPro chip set and a supported version of Intel Active Management Technology (Intel AMT) firmware. For more information about which AMT versions are supported, see Supported Configurations for Configuration Manager. The transport session requires more time to establish, higher processing on the server, and an increase in data transferred. Requires a PKI deployment and specific certificates. Requires an Active Directory container that is created and configured for publishing AMTbased computers. Cannot support workgroup computers, computers from another Active Directory forest, or computers from the same Active Directory forest but that use a noncontiguous namespace. Requires changes to DNS and DHCP to support AMT provisioning.

Technology

Advantage

Disadvantage

settings on a selected computer and bypassing the BIOS password if this is supported by the BIOS manufacturer. Booting to a commandbased operating system to run commands, repair tools, or diagnostic applications (for example, upgrading the firmware or running a disk repair tool).

Choose how to wake up computers based on whether you can support the AMT power on commands and whether the computers assigned to the site support the Wake-on-LAN technology. Also consider the advantages and disadvantages of both technologies that are listed in the previous table. For example, wake-up packets are less reliable and are not secured, but power on commands take longer to establish and require more processing on the site system server that is configured with the out of band service point. Important Because of the additional overhead involved in establishing, maintaining, and ending an out of band management session to AMT-based computers, conduct your own tests so that you can accurately judge how long it takes to wake up multiple computers by using AMT power on commands in your environment (for example, across slow WAN links to computers in secondary sites). This knowledge helps you determine whether waking up multiple computers for scheduled activities by using AMT power on commands is practical when you have many computers to wake up in a short amount of time. If you decide to use traditional wake-up packets, you must also decide whether to use subnetdirected broadcast packets, or unicast packets, and what UDP port number to use. By default, traditional wake-up packets are transmitted by using UDP port 9, but to help increase security, you can select an alternative port for the site if this alternative port is supported by intervening routers and firewalls.

For Traditional Wake-up Packets: Choose Between Unicast and SubnetDirected Broadcast for Wake-on-LAN
If you chose to wake up computers by sending traditional wake-up packets, you must decide whether to transmit unicast packets or subnet-direct broadcast packets. If you use wake-up proxy with Configuration Manager SP1, you must use unicast packets. Otherwise, use the following table to help you determine which transmission method to choose.

515

Transmission method

Advantage

Disadvantage

Unicast

More secure solution than subnet-directed broadcasts because the packet is sent directly to a computer instead of to all computers on a subnet. Might not require reconfiguration of routers (you might have to configure the ARP cache).

Wake-up packets do not find destination computers that have changed their subnet address after the last hardware inventory schedule. Switches might have to be configured to forward UDP packets.

Some network adapters might Consumes less network not respond to wake-up bandwidth than subnet-directed packets in all sleep states broadcast transmissions. when they use unicast as the Supported with IPv4 and IPv6. transmission method. Subnet-Directed Broadcast Higher success rate than unicast if you have computers that frequently change their IP address in the same subnet. No switch reconfiguration is required. High compatibility rate with computer adapters for all sleep states, because subnetdirected broadcasts were the original transmission method for sending wake-up packets. Less secure solution than using unicast because an attacker could send continuous streams of ICMP echo requests from a falsified source address to the directed broadcast address. This causes all of the hosts to reply to that source address. If routers are configured to allow subnet-directed broadcasts, the additional configuration is recommended for security reasons: Configure routers to allow only IP-directed broadcasts from the Configuration Manager site server, by using a specified UDP port number. Configure Configuration Manager to use the specified non-default port number.

Might require reconfiguration of all intervening routers to enable subnet-directed broadcasts.

516

Transmission method

Advantage

Disadvantage

Consumes more network bandwidth than unicast transmissions. Supported with IPv4 only; IPv6 is not supported.

Warning There are security risks associated with subnet-directed broadcasts: An attacker could send continuous streams of Internet Control Message Protocol (ICMP) echo requests from a falsified source address to the directed broadcast address, which cause all the hosts to reply to that source address. This type of denial of service attack is commonly called a smurf attack and is typically mitigated by not enabling subnet-directed broadcasts.

Planning for Communications Across Forests in Configuration Manager

System Center 2012 Configuration Manager supports sites and hierarchies that span Active Directory forests. Configuration Manager also supports domain computers that are not in the same Active Directory forest as the site server, and computers that are in workgroups: To support domain computers in a forest that is not trusted by your site servers forest, you can install site system roles in that untrusted forest, with the option to publish site information to the clients Active Directory forest. Or, you can manage these computers as if they are workgroup computers. When you install site system servers in the clients forest, th e client-toserver communication is kept within the clients forest and Configuration Manager can authenticate the computer by using Kerberos. When you publish site information to the clients forest, clients benefit from retrieving site information, such as a list of available management points, from their Active Directory forest rather than downloading this information from their assigned management point. Note If you want to manage devices that are on the Internet, you can install Internet-based site system roles in your perimeter network when the site system servers are in an Active Directory forest. This scenario does not require a two-way trust between the perimeter network and the site servers forest. To support computers in a workgroup, you must manually approve these computers if they use HTTP client connections to site system roles because Configuration Manager cannot authenticate these computers by using Kerberos. In addition, you must configure the Network Access Account so that these computers can retrieve content from distribution points. Because these clients cannot retrieve site information from Active Directory Domain Services,
517

you must provide an alternative mechanism for them to find management points. You can use DNS publishing, or WINS, or directly assign a management point. For information about client approval and how clients find management points, see the Planning for Client Communication in Configuration Manager section in this topic. For information about how to configure the Network Access Account, see the Configure the Network Access Account section in the Configuring Content Management in Configuration Manager topic. For information about how to install clients on workgroup computers, see the How to Install Configuration Manager Clients on Workgroup Computers section in the How to Install Clients on Windows-Based Computers in Configuration Manager topic. Configuration Manager supports the Exchange Server connector in a different forest from the site server. To support this scenario, ensure that name resolution works across the forests (for example, configure DNS forwards), and specify the intranet FQDN of the Exchange Server when you configure the Exchange Server connector. For more information, see How to Manage Mobile Devices by Using the Exchange Server Connector in Configuration Manager. When your Configuration Manager design spans multiple Active Directory domains and forests, use the additional information in the following table to help you plan for the following types of communication.
Scenario Details More information

Communication between sites in a hierarchy that spans forests: Requires a twoway forest trust, which supports Kerberos authentication that Configuration Manager requires.

Configuration Manager supports installing a child site in a remote forest that has the required two-way trust with the forest of the parent site. For example: You can place a secondary site in a different forest from its primary parent site so long as the required trust exists. If you do not have a two-way forest trust which supports Kerberos authentication, then Configuration Manager does not support the child site in the remote forest. Note A child site can be primary site (where the central

When a two-way forest trust exists, Configuration Manager does not require any additional configuration steps. By default, when you install a new site as a child of another site, Configuration Manager configures the following: An intersite file-based replication address at each site that uses the site server computer account. Configuration Manager adds the computer account of each computer to the SMS_SiteToSiteConnection_<siteco de> group on the destination computer. Database replication between the SQL Server at each site.

The following configurations must also be set: Intervening firewalls and network devices must allow the network packets that Configuration Manager requires. Name resolution must work between
518

Scenario

Details

More information

administration site is the parent site), or a secondary site. Intersite communication in Configuration Manager uses database replication and file-based transfers. When you install a site, you must specify an account to install the site on the designated server. This account also establishes and maintains communication between sites. After the site successfully installs and initiates filebased transfers and database replication, you do not have to configure anything else for communication to the site. For more information about how to install a site, see the Install a Site Server section in the Install Sites and Create a Hierarchy for Configuration Manager topic. Communication in a site that spans forests: Does not require a two-way forest trust. To support clients primary sites support the installation of each site system role on computers in other forests. Note Two exceptions are the out of band service point and the Application

the forests. To install a site or site system role, you must specify an account that has local administrator permissions on the specified computer.

The management point and enrollment point site system roles connect to the site database. By default, when these site system roles are installed, Configuration Manager configures the computer account of the new site system server as the connection account and adds the account to the appropriate SQL Server database role. When you install these site system roles in an untrusted domain, you must
519

Scenario

Details

More information

Catalog web service point. Each must be installed in the same forest as the site server. When the site system role accepts connections from the Internet, as a security best practice, install these site system roles in an untrusted forest (for example, in a perimeter network) so that the forest boundary provides protection for the site server. When you specify a computer to be a site system server, you must specify the Site System Installation Account. This account must have local administrative credentials to connect to, and then install site system roles on the specified computer. When you install a site system role in an untrusted forest, you must select the site system option Require the site server to initiate connections to this site system. This configuration enables the site server to establish connections to the site system server to transfer data. This prevents the site system server that is in the untrusted location from initiating contact with the site server that is inside

configure the site system role connection account to enable the site system role to obtain information from the database. If you configure a domain user account for these connection accounts, ensure that the account has appropriate access to the SQL Server database at that site: Management point: Management Point Database Connection Account Enrollment point: Enrollment Point Connection Account

Consider the following additional information when you plan for site system roles in other forests: If you run a Windows Firewall, configure the applicable firewall profiles to pass communications between the site database server and computers that are installed with remote site system roles. For information about firewall profiles, see Understanding Firewall Profiles. When the Internet-based management point trusts the forest that contains the user accounts, user policies are supported. When no trust exists, only computer policies are supported.

520

Scenario

Details

More information

your trusted network. These connections use the Site System Installation Account that you use to install the site system server. Communication between clients and site system roles when the clients are not in the same Active Directory forest as their site server. Configuration Manager supports the following scenarios for clients that are not in the same forest as their sites site server: There is a two-way forest trust between the forest of the client and the forest of the site server The site system role server is located in the same forest as the client The client is on a domain computer that does not have a twoway forest trust with the site server and site system roles are not installed in the client's forest The client is on a workgroup computer Note Configuration Manager cannot manage AMTbased computers out of band when these computers are in a different forest from the site server. Clients on a domain computer can use Active Directory Domain Services for service location when their site is published to their Active Directory Forest. To publish site information to another Active Directory forest, you must first specify the forest and then enable publishing to that forest in the Active Directory Forests node of the Administration workspace. Additionally, you must enable each site to publish its data to Active Directory Domain Services. This configuration enables clients in that forest to retrieve site information and find management points. For clients that cannot use Active Directory Domain Services for service location, you can use DNS, WINS, or the clients assigned management point.

521

Planning for Internet-Based Client Management

Internet-based client management lets you manage Configuration Manager clients when they are not connected to your company network but have a standard Internet connection. This arrangement has several advantages that include the reduced costs of not having to run virtual private networks (VPNs) and being able to deploy software updates in a timelier manner. Because of the higher security requirements of managing client computers on a public network, Internet-based client management requires that clients and the site system servers that the clients connect to use PKI certificates. This ensures that connections are authenticated by an independent authority, and that data to and from these site systems are encrypted by using Secure Sockets Layer (SSL). Use the following sections to help you plan for Internet-based client management.

Features that Are Not Supported on the Internet

Not all client management functionality is appropriate for the Internet; therefore they are not supported when clients are managed on the Internet. The features that are not supported for Internet management typically rely on Active Directory Domain Services or are not appropriate for a public network, such as network discovery and Wake-on-LAN (WOL). The following features are not supported when clients are managed on the Internet: Client deployment over the Internet, such as client push and software update-based client deployment. Instead, use manual client installation. Automatic site assignment. Network Access Protection (NAP). Wake-on-LAN. Operating system deployment. However, you can deploy task sequences that do not deploy an operating system; for example, task sequences that run scripts and maintenance tasks on clients. Remote control. Out of band management. Software deployment to users unless the Internet-based management point can authenticate the user in Active Directory Domain Services by using Windows authentication (Kerberos or NTLM). This is possible when the Internet-based management point trusts the forest where the user account resides.

Additionally, Internet-based client management does not support roaming. Roaming enables clients to always find the closest distribution points to download content. Clients that are managed on the Internet communicate with site systems from their assigned site when these site systems are configured to use an Internet FQDN and the site system roles allow client connections from the Internet. Clients non-deterministically select one of the Internet-based site systems, regardless of bandwidth or physical location. Note
522

New in System Center 2012 Configuration Manager, when you have a software update point that is configured to accept connections from the Internet, Configuration Manager Internet-based clients on the Internet always scan against this software update point, to determine which software updates are required. However, when these clients are on the Internet, they first try to download the software updates from Microsoft Update, rather than from an Internet-based distribution point. Only if this fails, will they then try to download the required software updates from an Internet-based distribution point. Clients that are not configured for Internet-based client management never try to download the software updates from Microsoft Update, but always use Configuration Manager distribution points.

Planning for Internet-Based Site Systems

The following site system roles in a primary site support client connections from the Internet: Management point Distribution point Fallback status point Software update point (with and without a network load balancing cluster) Application Catalog website point Enrollment proxy point

Secondary sites do not support client connections from the Internet. All site systems must reside in an Active Directory domain. However, you can install site systems for Internet-based client management in an untrusted forest. This scenario might be appropriate for a perimeter network that requires high security. Although there is no requirement to have a trust between the two forests, when the forest that contains the Internetbased site systems trusts the forest that contains the user accounts, this configuration supports user-based policies for devices on the Internet when you enable the Client Policy client setting Enable user policy requests from Internet clients. For example, the following configurations illustrate when Internet-based client management supports user policies for devices on the Internet: The Internet-based management point is in the perimeter network where a read-only domain controller resides to authenticate the user and an intervening firewall allows Active Directory packets. The user account is in Forest A (the intranet) and the Internet-based management point is in Forest B (the perimeter network). Forest B trusts Forest A, and an intervening firewall allows the authentication packets. The user account and the Internet-based management point are in Forest A (the intranet). The management point is published to the Internet by using a web proxy server. Note If Kerberos authentication fails, NTLM authentication is then automatically tried. As the previous example shows, you can place Internet-based site systems in the intranet when they are published to the Internet by using a web proxy server, such as ISA Server and Forefront
523

Threat Management Gateway. These site systems can be configured for client connection from the Internet only, or client connections from the Internet and intranet. When you use a web proxy server, you can configure it for Secure Sockets Layer (SSL) bridging to SSL (more secure) or SSL tunneling: SSL bridging to SSL: The recommended configuration when you use proxy web servers for Internet-based client management is SSL bridging to SSL, which uses SSL termination with authentication. Client computers must be authenticated by using computer authentication, and mobile device legacy clients are authenticated by using user authentication. Mobile devices that are enrolled by Configuration Manager do not support SSL bridging. The benefit of SSL termination at the proxy web server is that packets from the Internet are subject to inspection before they are forwarded to the internal network. The proxy web server authenticates the connection from the client, terminates it, and then opens a new authenticated connection to the Internet-based site systems. When Configuration Manager clients use a proxy web server, the client identity (client GUID) is securely contained in the packet payload so that the management point does not consider the proxy web server to be the client. Bridging is not supported in Configuration Manager with HTTP to HTTPS, or from HTTPS to HTTP. Tunneling: If your proxy web server cannot support the requirements for SSL bridging, or you want to configure Internet support for mobile devices that are enrolled by Configuration Manager, SSL tunneling is also supported. It is a less secure option because the SSL packets from the Internet are forwarded to the site systems without SSL termination, so they cannot be inspected for malicious content. When you use SSL tunneling, there are no certificate requirements for the proxy web server.

Planning for Internet-Based Clients

You must decide whether the client computers that will be managed over the Internet will be configured for management on the intranet and the Internet, or for Internet-only client management. You can only configure the client management option during the installation of a client computer. If you change your mind later, you must reinstall the client. Tip You do not have to restrict the configuration of Internet-only client management to the Internet and you can also use it on the intranet. Clients that are configured for Internet-only client management only communicate with the site systems that are configured for client connections from the Internet. This configuration would be appropriate for computers that you know never connect to your company intranet, for example, point of sale computers in remote locations. It might also be appropriate when you want to restrict client communication to HTTPS only (for example, to support firewall and restricted security policies), and when you install Internet-based site systems in a perimeter network and you want to manage these servers by using the Configuration Manager client.
524

When you want to manage workgroup clients on the Internet, you must install them as Internetonly. Note Mobile device clients are automatically configured as Internet-only when they are configured to use an Internet-based management point. Other client computers can be configured for Internet and intranet client management. They can automatically switch between Internet-based client management and intranet client management when they detect a change of network. If these clients can find and connect to a management point that is configured for client connections on the intranet, these clients are managed as intranet clients that have full Configuration Manager management functionality. If the clients cannot find or connect to a management point that is configured for client connections on the intranet, they attempt to connect to an Internet-based management point, and if this is successful, these clients are then managed by the Internet-based site systems in their assigned site. The benefit in automatic switching between Internet-based client management and intranet client management is that client computers can automatically use all Configuration Manager features whenever they are connected to the intranet and continue to be managed for essential management functions when they are on the Internet. Additionally, a download that began on the Internet can seamlessly resume on the intranet, and vice versa.

Prerequisites for Internet-Based Client Management

Internet-based client management in Configuration Manager has the following external dependencies:
Dependency More information

Clients that will be managed on the Internet must have an Internet connection.

Configuration Manager uses existing Internet Service Provider (ISP) connections to the Internet, which can be either permanent or temporary connections. Client mobile devices must have a direct Internet connection, but client computers can have either a direct Internet connection or connect by using a proxy web server. The Internet-based site systems do not require a trust relationship with the Active Directory forest of the site server. However, when the Internet-based management point can authenticate the user by using Windows authentication, user policies are supported. If Windows authentication fails, only computer policies are supported.
525

Site systems that support Internet-based client management must have connectivity to the Internet and must be in an Active Directory domain.

Dependency

More information

Note To support user policies, you also must set to True the two Client Policy client settings: Enable user policy polling on clients Enable user policy requests from Internet clients

An Internet-based Application Catalog website point also requires Windows authentication to authenticate users when their computer is on the Internet. This requirement is independent from user policies. You must have a supporting public key infrastructure (PKI) that can deploy and manage the certificates that the clients require and that are managed on the Internet and the Internet-based site system servers. The following infrastructure services must be configured to support Internet-based client management: Public DNS servers: The Internet fully qualified domain name (FQDN) of site systems that support Internet-based client management must be registered as host entries on public DNS servers. Intervening firewalls or proxy servers: These network devices must allow the client communication that is associated with Internet-based site systems. For more information about the PKI certificates, see PKI Certificate Requirements for Configuration Manager

Client communication requirements: Support HTTP 1.1 Allow HTTP content type of multipart MIME attachment (multipart/mixed and application/octet-stream) Allow the following verbs for the Internetbased management point: HEAD CCM_POST BITS_POST GET PROPFIND

Allow the following verbs for the Internetbased distribution point: HEAD GET PROPFIND

Allow the following verbs for the Internetbased fallback status point: POST Allow the following verbs for the Internet526

Dependency

More information

based Application Catalog website point: POST GET

Allow the following HTTP headers for the Internet-based management point: Range: CCMClientID: CCMClientIDSignature: CCMClientTimestamp: CCMClientTimestampsSignature:

Allow the following HTTP header for the Internet-based distribution point: Range:

For configuration information to support these requirements, refer to your firewall or proxy server documentation. For similar communication requirements when you use the software update point for client connections from the Internet, see the documentation for Windows Server Update Services (WSUS). For example, for WSUS on Windows Server 2003, see Appendix D: Security Settings, the deployment appendix for security settings.

Planning for Network Bandwidth in Configuration Manager

System Center 2012 Configuration Manager includes several methods to control the network bandwidth that is used by communications between sites, site system servers, and clients. However, not all communication on the network can be managed. Use the following sections to help you understand the methods that you can use to control network bandwidth and to design your site hierarchy. When you plan the Configuration Manager hierarchy, consider the amount of network data that will be transferred from intersite and intrasite communications. Note

527

File replication routes (known as addresses prior to Configuration Manager SP1), are used only for intersite communications and are not used for intrasite communications between site servers and site systems.

Controlling Network Bandwidth Usage Between Sites

Configuration Manager transfers data between sites by using both file-based replication and database replication. Prior to Configuration Manager with SP1 you can configure file-based replication to control the use of network bandwidth for transfers, but cannot configure the use of network bandwidth for database replication. With Configuration Manager SP1, you can configure the use of network bandwidth for database replication for selected site data. When you configure network bandwidth controls, you should remain aware of the potential for data latency. If communications between sites is restricted or configured to only transfer data after regular business hours, administrators at either the parent site or child site might be unable to view certain data until the intersite communication has occurred. For example, if an important software update package is being sent to distribution points that are located at child sites, the package might not be available at those sites until all pending intersite communication is completed. Pending communication might include delivery of a package that is very large and that has not yet completed its transfer. Controls for File-based Replication: During file-based data transfers, Configuration Manager uses all of the available network bandwidth to send data between sites. You can control this process by configuring the sender at a site to increase or decrease site-to-site sending threads. A sending thread is used to transfer one file at a time. Each additional thread allows additional files to be transferred at the same time, which results in more bandwidth use. To configure the number of threads to use for site-to-site transfers, configure the Maximum concurrent sendings on the Sender tab of the sites properties. To control file-based data transfers between sites, you can schedule when Configuration Manager can use a file replication route to a specific site. You can control the amount of network bandwidth to use, the size of data blocks, and the frequency for sending the data blocks. Additional configurations can limit data transfers based on the priority of the data type. For each site in the hierarchy, you can set schedules and rate limits for that site to use when transferring data by configuring the properties of the file replication rout to each destination site. Configurations for a file replication route only apply to the data transfers to the destination site specified for that file replication route. For more information about file replication routes, see the sub-section File Replication Routes in the Planning for Intersite Communications in Configuration Manager section in this topic. Important When you configure rate limits to restrict the bandwidth use on a specific file replication route, Configuration Manager can use only a single thread to transfer data to that destination site. Use of rate limits for a file replication route overrides the use of multiple threads per site that are configured in the Maximum concurrent sendings for each site.
528

Controls for Database Replication: With Configuration Manager SP1, you can configure database replication links to help control the use of network bandwidth for the transfer of selected site data between sites. Some of the controls are similar to those for file-based replication, with additional support to schedule when hardware inventory, software inventory, software metering, and status messages replicate to the parent site across the link. For more information, see the section Database Replication in this topic.

Controlling Network Bandwidth Usage Between Site System Servers

Within a site, communication between site systems uses server message blocks (SMB), can occur at any time, and does not support a mechanism to control network bandwidth. However, when you configure the site server to use rate limits and schedules to control the transfer of data over the network to a distribution point, you can manage the transfer of content from the site server to distribution points with controls similar to those for site-to-site file-based transfers.

Controlling Network Bandwidth Usage Between Clients and Site System Servers
Clients regularly communicate with different site system servers. For example, they communicate with a site system server that runs a management point when they have to check for a client policy, and communicate with a site system server that runs a distribution point when they have to download content to install an application or software update. The frequency of these connections and the amount of data that is transferred over the network to or from a client depends on the schedules and configurations that you specify as client settings. Typically, client policy requests use low network bandwidth. The network bandwidth might be high when clients access content for deployments or send information such as hardware inventory data to the site. You can specify client settings that control the frequency of client-initiated network communications. Additionally, you can configure how clients access deployment content, for example, by using Background Intelligent Transfer Service (BITS). To use BITS to download content, the client and the distribution point must be configured to use BITS. If the client is configured to use BITS, but the distribution point is not, the client uses SMB to transfer the content. For information about client settings in Configuration Manager, see Planning for Client Settings in Configuration Manager.

See Also
Planning for Configuration Manager Sites and Hierarchy

529

Planning for Site Operations in Configuration Manager

Use the information in the following sections to help you plan for site operations. Planning for Backup and Recovery Planning for Client Management Planning for Maintenance Tasks for Configuration Manager Planning for Alerts

Planning for Backup and Recovery

Enterprise solutions such as Configuration Manager must prepare for loss of critical data by planning for both backup and recovery operations. For Configuration Manager sites, this preparation ensures that sites and hierarchies are recovered with the least data loss and in the quickest possible time. A Configuration Manager site contains a large amount of data, which is mostly stored in the site database. To ensure that you are correctly backing up your sites, schedule the Backup Site Server maintenance task for the central administration site and each primary site in your hierarchy. The Backup Site Server maintenance task creates a complete backup snapshot of your site and contains all the data necessary to perform recovery operations. You can also use your own method for backing up the site database. For example, you can create a site database backup as part of a SQL Server maintenance plan. Depending on your Configuration Manager hierarchy, the requirement to back up a site to avoid data loss varies. For example, consider the following scenarios: Central administration site with child primary sites: When you have a Configuration Manager hierarchy, the site can likely be recovered even when you do not have a site backup. Because database replication is used in the hierarchy, the data required for recovery can be retrieved from another site in the hierarchy. The benefit of restoring a site by using a backup is that only changes to the data since the last backup have to be retrieved from another site, which reduces the amount of data transferred over your network. Stand-alone primary site: When you have a stand-alone primary site (no central administration site), you must have a Configuration Manager backup to avoid data loss. Secondary sites: There is no backup and recovery support for secondary sites. You must reinstall the secondary site when it fails.

For more information about how to configure site backup or recover a site, see Backup and Recovery in Configuration Manager.

Whats New in Configuration Manager

Note

530

The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide. The following items are new since Configuration Manager 2007: In System Center 2012 Configuration Manager, recovery is integrated in the Configuration Manager Setup Wizard. Configuration Manager 2007 used the Site Repair Wizard to recover sites. You have the following options when running recovery in System Center 2012 Configuration Manager: Site Server Recover the site server from a backup. Reinstall the site server. Recover the site database from a backup. Create a new site database. Use a site database that been manually recovered. Skip database recovery.

Site Database

System Center 2012 Configuration Manager database replication uses SQL Server to transfer data and merge changes made to the database of a site with the information stored in the database at other sites in the hierarchy. This enables all sites to share the same information. Recovery in System Center 2012 Configuration Manager uses database replication to retrieve global data that the failed site created before it failed. This process minimizes data loss even when no backup is available.

You can start an unattended site recovery by configuring an unattended installation script and then using the Setup command /script option.

Whats New in Configuration Manager SP1

The following item is new since System Center 2012 Configuration Manager: Starting in Configuration Manager SP1, you can recover a secondary site by using the Recover Secondary Site action from the Sites node in the Configuration Manager console. During the recovery, the secondary site files are installed on the destination computer and then the secondary site data is reinitialized with data from the primary site. The secondary site that you recover must have the same FQDN, meet all secondary site prerequisites, and you must configure appropriate security rights for the secondary site. For more information about the Prerequisite Checker, see the Prerequisite Checker section in the Install Sites and Create a Hierarchy for Configuration Manager topic. For more information about secondary site security requirements, see the Install a Secondary Site section in the Install Sites and Create a Hierarchy for Configuration Manager topic.

531

Volume Shadow Copy Service

The Backup Site Server maintenance task uses the Volume Shadow copy Service (VSS) to create the backup snapshot. VSS is essentially a framework which facilitates communication between applications, storage subsystems, and storage management applications (including backup applications) to define point-in-time copies of storage data. These point-in-time copies, or shadow copies, of site server and site database information are used to back up and restore Configuration Manager sites. By using VSS shadow copies, the Backup Site Server maintenance task can minimize off-line times for site servers. VSS must be running for the Backup Site Server maintenance task to finish successfully.

What Gets Backed Up

The Backup Site Server maintenance task includes the following information in the backup set: The Configuration Manager site database files Note The Backup Site Server maintenance task does not support configuring an NTFS file system junction point to store the site database files. The following Configuration Manager installation folders: <ConfigMgrInstallationPath>\bin <ConfigMgrInstallationPath>\inboxes <ConfigMgrInstallationPath>\Logs <ConfigMgrInstallationPath>\Data <ConfigMgrInstallationPath>\srvacct

The ..\HKEY_LOCAL_MACHINE\Software\Microsoft\SMS registry key.

What Does Not Get Backed Up

The Backup Site Server maintenance task creates a backup set that includes everything you need to restore your site server to a functional state. There are some Configuration Manager items not included in the site backup that you might want to back up outside of the normal process. The following sections provide information about items not backed up as part of the backup task. Warning For more information about supplemental backup tasks, see the Supplemental Backup Tasks section in the Backup and Recovery in Configuration Manager topic.

Configuration Manager Site Systems

Some Configuration Manager site systems contain site data that is easily recreated if the site fails and are not backed up during the site backup process. For example, you do not have to backup data from site systems such as distribution points and management points. The site server can easily reinstall these site systems if they fail.
532

Custom Reporting Services Reports

When you create custom Configuration Manager reports in SQL Server Reporting Services, there are several items on the Reporting Services server that you must add to your backup set to recover the reports in the event of a failure on the server running Reporting Services.

Content Files
The content library in Configuration Manager is the location where all content files are stored for software updates, applications, operating system deployment, and so on. The content library is located on the site server and each distribution point. The Backup Site Server maintenance task does not include a backup of the content library or the package source files. When a site server fails, the information about the content library files is restored to the site database, but you must restore the content library and package source files on the site server.

SQL Server Master Database

You do not have to back up the SQL Server master database. The Backup Site Server maintenance task backs up all of the required information for restoring the site database to SQL Server as part of the backup process. The original SQL Server master database is not required for restoring the site database on a new server that is hosting the SQL Server database.

Configuration Manager Log Files

The Backup Site Server maintenance task backs up logs located in the <ConfigMgrInstallationPath>\Logs folder, but some System Center 2012 Configuration Manager site systems write logs in other locations and are not backed up by the Backup Site Server maintenance task. Plan an alternative method to back up these log files, if it is required.

Configuration Manager Clients

System Center 2012 Configuration Manager clients are not backed up as part of the site backup process for the following reasons: To correctly back up a Configuration Manager client, the client services must be stopped. However, there is no reliable way to stop and start the client services. Stopping and starting the client services can potentially corrupt the data on the hard disk of the client or in the backup snapshot. Clients are too numerous. It is neither practical nor beneficial to back up and restore the clients assigned to a site. The effect of losing client data is relatively small.

System Center Updates Publisher

When you use System Center Updates Publisher to create custom software updates, the updates are stored in the Updates Publisher database. Though many of these custom software updates might have been published to Windows Server Update Services, you typically want to have a backup of the Updates Publisher database that contains the source for the custom updates.
533

Maintenance Mode Support

When the Backup Site Server maintenance task performs a site backup, critical site services must be stopped including: SMS Executive service (SMS_Executive) SMS Site Component Manager service (SMS_Site_Component_Manager)

If the Configuration Manager site server or site database server is being monitored by the monitoring agent on the System Center Operations Manager client, the backup process might generate false stop service alerts when critical Configuration Manager services are stopped for backup. To avoid this problem, configure the entire backup process to be monitored as a single transaction that is managed by using Operations Manager maintenance mode state management.

Planning for Client Management

Use the following links to help you plan for client management: Planning for Hardware Inventory in Configuration Manager Prerequisites for Asset Intelligence in Configuration Manager Planning for Power Management in Configuration Manager Planning for Remote Control in Configuration Manager Planning for Software Metering in Configuration Manager Planning for Out of Band Management in Configuration Manager Planning for Compliance Settings in Configuration Manager Planning for Endpoint Protection in Configuration Manager Planning for Software Updates in Configuration Manager Planning How to Deploy Operating Systems in Configuration Manager

Planning for Maintenance Tasks for Configuration Manager

System Center 2012 Configuration Manager sites and hierarchies require regular maintenance and monitoring to provide services effectively and continuously. Regular maintenance ensures that the hardware, software, and the Configuration Manager database continue to function correctly and efficiently. Optimal performance greatly reduces the risk of failure. While your Configuration Manager site and hierarchy perform the tasks that you schedule and configure, site components continually add data to the Configuration Manager database. As the amount of data grows, database performance and the free storage space in the database decline. You can configure site maintenance tasks to remove aged data that you no longer require. Configuration Manager provides predefined maintenance tasks that you can use to maintain the health of the Configuration Manager database. Not all maintenance tasks are available at each

534

site, by default, several are enabled while some are not, and all support a schedule that you can configure for when to run. Most maintenance tasks periodically remove out-of-date data from the Configuration Manager database. Reducing the size of the database by removing unnecessary data improves the performance and the integrity of the database, which increases the efficiency of the site and hierarchy. Other tasks, such as Rebuild Indexes, help maintain the database efficiency, while some, such as the Backup Site Server task, help you prepare for disaster recovery. Important When you plan the schedule of any task that deletes data, consider the use of that data across the hierarchy. When a task that deletes data runs at a site, the information is removed from the Configuration Manager database, and this change replicates to all sites in the hierarchy. This can affect other tasks that rely on that data. For example, at the central administration site, you might configure Discovery to run one time per month to identify non-client computers, and plan to install the Configuration Manager client to these computers within two weeks of their discovery. However, at one site in the hierarchy, an administrator configures the Delete Aged Discovery Data task to run every seven days with a result that seven days after non-client computers are discovered, they are deleted from the Configuration Manager database. Back at the central administration site, you prepare to push install the Configuration Manager client to these new computers on day 10. However, because the Delete Aged Discovery Data task has recently run and deleted data that is seven days or older, the recently discovered computers are no longer available in the database. After you install a Configuration Manager site, review the available maintenance tasks and enable those tasks that your operations require. Review the default schedule of each task, and when necessary, modify the schedule to fine-tune the maintenance task to fit your hierarchy and environment. Although the default schedule of each task should suit most environments, monitor the performance of your sites and database and expect to fine-tune tasks to increase your deployments efficiency. Plan to periodically review the site and database performance and to reconfigure maintenance tasks and their schedules to maintain that efficiency.

When to Perform Common Maintenance Tasks

To maintain your site, consider performing regular maintenance on a daily, weekly, and for some tasks, a more periodic schedule. Common maintenance can include both the built-in maintenance tasks and other tasks such as account maintenance to maintain compliance with your company policies. Performing regular maintenance is important to ensure correct site operations. Maintain a maintenance log to document dates that maintenance was conducted, by whom, and any maintenance-related comments about the task conducted. Use the following information as a guide to help you plan when to perform different maintenance tasks. Use these lists as a starting point, and add any additional tasks you might require.

535

Daily Tasks The following are maintenance tasks you might consider performing on a daily basis: Verify that predefined maintenance tasks that are scheduled to run daily are running successfully. Check the Configuration Manager database status. Check site server status. Check Configuration Manager site system inboxes for file backlogs. Check site systems status. Check the operating system event logs on site systems. Check the SQL Server error log on the site database computer. Check system performance. Check Configuration Manager alerts.

Weekly Tasks The following are maintenance tasks you might consider performing on a weekly basis: Verify that predefined maintenance tasks scheduled to run weekly are running successfully. Delete unnecessary files from site systems. Produce and distribute end-user reports if required. Back up application, security, and system event logs and clear them. Check the site database size and verify that there is enough available disk space on the site database server so that the site database can grow. Perform SQL Server database maintenance on the site database according to your SQL Server maintenance plan. Check available disk space on all site systems. Run disk defragmentation tools on all site systems.

Periodic Tasks Some tasks do not have to be performed during daily or weekly maintenance, but are important to ensure overall site health, and security and disaster recovery plans are up-to-date. The following are maintenance tasks that you might consider performing on a more periodic basis than the daily or weekly tasks: Change accounts and passwords, if it is necessary, according to your security plan. Review the maintenance plan to verify that scheduled maintenance tasks are scheduled correctly and effectively depending on configured site settings. Review the Configuration Manager hierarchy design for any required changes. Check network performance to ensure changes have not been made that affect site operations. Verify that Active Directory settings affecting site operations have not changed. For example, verify that subnets assigned to Active Directory sites that are used as boundaries for Configuration Manager site have not changed. Review your disaster recovery plan for any required changes.

536

Perform a site recovery according to the disaster recovery plan in a test lab by using a backup copy of the most recent backup created by the Backup Site Server maintenance task. Check hardware for any errors or for available hardware updates. Check the overall health of the site.

About the Built-In Maintenance Tasks

The following table lists the available maintenance tasks, at which site each task is available, and basic details about the task. For more information about each task and its available configurations, view the maintenance task Properties in the Configuration Manager console. Key: = By default, enabled = By default, not enabled

Maintenance task

Central administration site

Primary site

Secondary site

More information

Backup Site Server

Not available

Use this task to prepare for recovery of critical data by creating a backup of the critical information that you have to restore a site and the Configuration Manager database. For more information, see Backup and Recovery in Configuration Manager.

Check Application Title with Inventory Information

Not available

Use this task to maintain consistency between software titles reported in software inventory and software titles in the Asset Intelligence catalog. For more information, see Introduction to Asset Intelligence in Configuration Manager.

Clear Install Flag

Not available

Not available

Use this task to remove the installed flag for clients that do not submit a Heartbeat Discovery record during the
537

Maintenance task

Central administration site

Primary site

Secondary site

More information

Client Rediscovery period. The installed flag prevents automatic client push installation to a computer that might have an active Configuration Manager client. For more information, see How to Prevent the Client Software from Installing on Specific Computers in Configuration Manager. Delete Aged Application Request Data Not available Not available Use this task to delete aged application requests from the database. For more information about application requests, see Introduction to Application Management in Configuration Manager. Delete Aged Client Operations Not available Use this task to delete aged data for Endpoint Protection client operations from the database. This data includes requests that an administrative user made for clients to run a scan or download updated definitions. For more information about managing Endpoint Protection in Configuration Manager, see How to Manage Antimalware Policies and Firewall Settings for Endpoint Protection in Configuration Manager.
538

Maintenance task

Central administration site

Primary site

Secondary site

More information

Delete Aged Collected Files

Not available

Not available

Use this task to delete aged information about collected files from the database. This task also deletes the collected files from the site server folder structure at the selected site. By default, the five most recent copies of collected files are stored on the site server in the Inboxes\sinv.box\FileCol directory. For more information, see Planning for Software Inventory in Configuration Manager.

Delete Aged Computer Association Data

Not available

Not available

Use this task to delete aged Operating System Deployment computer association data from the database. This information is used as part of completing user state restores. For more information about computer associations, see Managing User State. Use this task to delete aged data from the database that has been created by Extraction Views. By default, Extraction Views are disabled and can only be enabled by use of the Configuration Manager SDK. Unless Extraction Views are enabled, there is no data for this task to delete.

Delete Aged Delete Detection Data

Not available

539

Maintenance task

Central administration site

Primary site

Secondary site

More information

Delete Aged Device Wipe Record

Not available

Not available

Use this task to delete aged data about mobile device wipe actions from the database. For information about managing mobile devices, see Determine How to Manage Mobile Devices in Configuration Manager.

Delete Aged Not available Devices Managed by the Exchange Server Connector

Not available

Use this task to delete aged data about mobile devices that are managed by using the Exchange Server connector from the database. For more information, see How to Manage Mobile Devices by Using the Exchange Server Connector in Configuration Manager.

Delete Aged Discovery Data

Not available

Not available

Use this task to delete aged discovery data from the database. This data can include records resulting from heartbeat discovery, network discovery, and Active Directory Domain Services discovery methods (System, User, and Group). When this task runs at one site, it removes the data from the database at all sites in the hierarchy. For information about Discovery, see Planning for Discovery in Configuration Manager.
540

Maintenance task

Central administration site

Primary site

Secondary site

More information

Delete Aged Endpoint Protection Health Status History Data

Not available

Not available

Use this task to delete aged status information for Endpoint Protection from the database. For more information about Endpoint Protection status information, see How to Monitor Endpoint Protection in Configuration Manager.

Delete Aged Enrolled Devices

Not available

Not available

Use this task to delete aged data about mobile devices that have enrolled at a site but that have reported any information to the site for a specified time from the database. For information about mobile device enrollment, see Determine How to Manage Mobile Devices in Configuration Manager.

Delete Aged Inventory History

Not available

Not available

Use this task to delete inventory data that has been stored longer than a specified time from the database. For information about inventory history, see How to Use Resource Explorer to View Hardware Inventory in Configuration Manager.

Delete Aged Log Data

Use this task to delete aged log data that is used for troubleshooting from the database. This data is not related to Configuration Manager component
541

Maintenance task

Central administration site

Primary site

Secondary site

More information

operations. Important By default, this task runs daily at each site. At a central administration site and primary sites, the task deletes data that is older than 30 days. When you use SQL Server Express at a secondary site, ensure that this task runs daily, and deletes data that has been inactive for 7 days. Delete Aged Replication 1 Tracking Data Use this task to delete aged data about database replication between Configuration Manager sites from the database. For more information, see the How to Monitor Database Replication Links and Replication Status section in the Monitor Configuration Manager Sites and Hierarchy topic. Delete Aged Software Metering Data Not available Not available Use this task to delete aged data for software metering that has been stored longer than a specified time from the database. For more information, see
542

Maintenance task

Central administration site

Primary site

Secondary site

More information

Maintenance Tasks for Software Metering in Configuration Manager. Delete Aged Software Metering Summary Data Not available Not available Use this task to delete aged summary data for software metering that has been stored longer than a specified time from the database. For more information, see Maintenance Tasks for Software Metering in Configuration Manager. Delete Aged Status Messages Not available Use this task to delete aged status message data as configured in status filter rules from the database. For information, see Monitor System Status for Configuration Manager the section in the topic Monitor Configuration Manager Sites and Hierarchy. Delete Aged Threat Data Not available Not available Use this task to delete aged Endpoint Protection threat data that has been stored longer than a specified time from the database. For information about Endpoint Protection, see Endpoint Protection in Configuration Manager. Delete Aged User Device Affinity Data Not available Not available Use this task to delete aged User Device Affinity data from the database. For more information, see How to Manage User Device
543

Maintenance task

Central administration site

Primary site

Secondary site

More information

Affinity in Configuration Manager. Delete Inactive Not available Client Discovery Data Not available Use this task to delete discovery data for inactive clients from the database. Clients are marked as inactive when the client is flagged as obsolete and by configurations made for Client status. This task operates only on resources that are Configuration Manager clients. It is different than the Delete Aged Discovery Data task which deletes any aged discovery data record. When this task runs at a site, it removes the data from the database at all sites in a hierarchy. Important When enabled, configure this task to run at an interval greater than the Heartbeat Discovery schedule. This enables active clients to send a Heartbeat Discovery record to mark their client record as active so this task does not delete them. For more information, see
544

Maintenance task

Central administration site

Primary site

Secondary site

More information

How to Configure Client Status in Configuration Manager. Delete Obsolete Alerts Not available Use this task to delete expired alerts that have been stored longer than a specified time from the database. For more information, see Planning for Alerts. Delete Obsolete Not available Client Discovery Data Not available Use this task to delete obsolete client records from the database. A record that is marked as obsolete has usually been replaced by a newer record for the same client. The newer record becomes the clients current record. Important When enabled, configure this task to run at an interval greater than the Heartbeat Discovery schedule. This enables the client to send a Heartbeat Discovery record that sets the obsolete status correctly. For information about Discovery, see Planning for Discovery in Configuration Manager. Delete Obsolete Not available Use this task to delete data
545

Maintenance task

Central administration site

Primary site

Secondary site

More information

Forest Discovery Sites and Subnets

about Active Directory sites, subnets, and domains that have not been discovered by the Active Directory Forest Discovery method in the last 30 days. This removes the discovery data but does not affect boundaries created from this discovery data. For more information, see Planning for Discovery in Configuration Manager.

Delete Unused Application Revisions

Not available

Not available

Use this task to delete application revisions that are no longer referenced. For more information, see How to Manage Application Revisions in Configuration Manager.

Evaluate Collection Members

Not available

Not available

In Configuration Manager with no service pack, use this task to change how often collection membership is incrementally evaluated. Incremental evaluation updates a collection membership with only new or changed resources. For more information, see How to Manage Collections in Configuration Manager. In Configuration Manager SP1, you configure the Collection Membership Evaluation as a site component. For information about site components, see Configuring Site
546

Maintenance task

Central administration site

Primary site

Secondary site

More information

Components in Configuration Manager. Evaluate Provisioned AMT Computer Certificates Not available Not available Use this task to check the validity period of the certificates issued to AMTbased computers. For more information see, How to Manage AMT Provisioning Information in Configuration Manager. Monitor Keys Not available Use this task to monitor the integrity of the Configuration Manager database primary keys. A primary key is a column or combination of columns that uniquely identify one row and distinguish it from any other row in a Microsoft SQL Server database table. Use this task to rebuild the Configuration Manager database indexes. An index is a database structure that is created on a database table to speed up data retrieval. For example, searching an indexed column is often much faster than searching a column that is not indexed. To improve performance, the Configuration Manager database indexes are frequently updated to remain synchronized with the constantly changing data stored in the database. This
547

Rebuild Indexes

Maintenance task

Central administration site

Primary site

Secondary site

More information

task creates indexes on database columns that are at least 50 percent unique, drops indexes on columns that are less than 50 percent unique, and rebuilds all existing indexes that meet the data uniqueness criteria. Summarize Installed Software Data Not available Not available Use this task to summarize the data for installed software from multiple records into one general record. Data summarization can compress the amount of data stored in the Configuration Manager database. For more information, see Planning for Software Inventory in Configuration Manager. Summarize Software Metering File Usage Data Not available Not available Use this task to summarize the data from multiple records for software metering file usage into one general record. Data summarization can compress the amount of data stored in the Configuration Manager database. You can use this task with the Summarize Software Metering Monthly Usage Data task to summarize software metering data, and to conserve disk space in the Configuration Manager
548

Maintenance task

Central administration site

Primary site

Secondary site

More information

database. For more information, see Maintenance Tasks for Software Metering in Configuration Manager. Summarize Software Metering Monthly Usage Data Not available Not available Use this task to summarize the data from multiple records for software metering monthly usage into one general record. Data summarization can compress the amount of data stored in the Configuration Manager database. You can use this task with the Summarize Software Metering File Usage Data task to summarize software metering data, and to conserve space in the Configuration Manager database. For more information, see Maintenance Tasks for Software Metering in Configuration Manager. Update Application 2 Catalog Tables Not available Use this task to synchronize the Application Catalog website database cache with the latest application information. For more information, see Configuring the Application Catalog and Software Center in Configuration Manager.

549

When you change the configuration of this maintenance task, the configuration applies to each applicable site in the hierarchy.
2

When you change the configuration of this maintenance task, the configuration applies to all primary sites in the hierarchy.

Planning for Alerts

System Center 2012 Configuration Manager generates alerts that you can use to monitor the status of objects as they perform a task. Alerts can indicate a completed task, an interim status of a task, or the failure of a task. Alerts are listed in several places in the Configuration Manager console. A complete list of alerts is provided in the Monitoring workspace in the Alerts node. The most recent active alerts are displayed in the Overview of the workspace that they are associated with. For example, select Assets and Compliance to see a list of the most recent alerts listed in the Assets and Compliance Overview. The list of the most recent alerts is updated whenever a new alert is generated or the state of an alert has changed for that workspace. For more information about managing alerts, see Configuring Alerts in Configuration Manager. For more information about what you can do when an alert is generated, see Monitor Alerts in Configuration Manager.

See Also
Planning for Configuration Manager Sites and Hierarchy

Planning for High Availability with Configuration Manager

System Center 2012 Configuration Manager sites, hierarchy of sites, and Configuration Manager clients can each take advantage of options that maintain a high level of available service. These include the following: Sites support multiple instances of site system servers that provide important services to clients. Central administration sites and primary sites support the backup of the site database. The site database contains all the configurations for sites and clients, and it is shared between sites in a hierarchy that contain a central administration site. Built-in site recovery options can reduce server downtime and include advanced options that simplify recovery when you have a hierarchy with a central administration site. Clients can automatically remediate typical issues without administrative intervention. Sites generate alerts about clients that fail to submit recent data, which alerts administrators to potential problems.
550

Configuration Manager provides several built-in reports that enable administrators to identify problems and trends before they become problems for server or client operations.

Configuration Manager does not provide a real-time service and you must expect it to operate with some data latency. Therefore, it is unusual for most scenarios that involve a temporary interruption of service to become a critical problem. When you have configured your sites and hierarchies with high availability in mind, downtime can be minimized, autonomy of operations maintained, and a high level of service provided. For example, Configuration Manager clients typically operate autonomously by using known schedules and configurations for operations, and schedules to submit data to the site for processing. When clients cannot contact the site, they cache data to be submitted until they can contact the site. Additionally, clients that cannot contact the site continue to operate by using the last known schedules and cached information, such as a previously downloaded application that they must run or install, until they can contact the site and receive new policies. The site monitors its site systems and clients for periodic status updates, and can generate alerts when these fail to register. Built-in reports provide insight to ongoing operations as well as historical operations and trends. Finally, Configuration Manager supports state-based messages that provide near realtime information for ongoing operations. Use the information in the following sections to help you understand the options to deploy Configuration Manager in a highly available configuration. High Availability for Configuration Manager Clients High Availability for Configuration Manager Sites Details for Sites and Site System Roles that are Highly Available Details for Sites and Site System Roles that are not Highly Available

High Availability for Configuration Manager Clients

The following table provides information about the operations of Configuration Manager clients that promote high availability.
Feature More information

Client operations are autonomous

Configuration Manager client autonomy includes the following: Clients do not require continuous contact with any specific site system servers. They use known configurations to perform preconfigured actions on a schedule. Clients can use any available instance of a site system role that provides services to clients, and they will attempt to contact known servers until an available server is
551

Feature

More information

located. Clients can run inventory, software deployments, and similar scheduled actions independent of direct contact with site system servers. Clients that are configured to use a fallback status point can submit details to the fallback status point when they cannot communicate with a management point.

Clients can repair themselves

Clients automatically remediate most typical issues without direct administrative intervention: Periodically, clients self-evaluate their status and take action to remediate typical problems by using a local cache of remediation steps and source files for repairs. When a client fails to submit status information to its site, the site can generate an alert. Administrative users that receive these alerts can take immediate action to restore the normal operation of the client.

Clients cache information to use in the future

When a client communicates with a management point, the client can obtain and cache the following information: Client settings. Client schedules. Information about software deployments and a download of the software the client is scheduled to install, when the deployment is configured for this action.

When a client cannot contact a management point the following actions are taken: Clients locally cache the status, state, and client information they report to the site, and transfer this data after they establish contact with a management point.

Client can submit status to a fallback status point

When you configure a client to use a fallback status point, you provide an additional point of contact for the client to submit important details
552

Feature

More information

about its operation: Clients that are configured to use a fallback status point continue to send status about their operations to that site system role even when the client cannot communicate with a management point.

Central management of client data and client identity

The site database rather than the individual client retains important information about each clients identity, and associates that data to a specific computer, or user. This has the following results: The client source files on a computer can be uninstalled and reinstalled without affecting the historical records that are associated with the computer where the client is installed. Failure of a client computer does not affect the integrity of the information that is stored in the database. This information can remain available for reporting.

High Availability for Configuration Manager Sites

At each site, you deploy site system roles to provide the services that you want clients to use at that site. The site database contains the configuration information for the site and for all clients. Use one or more of the available options to provide for high availability of the site database, and the recovery of the site and site database if needed. The following table provides information about the available options for Configuration Manager sites that support high availability.
Option More information

Use a SQL Server cluster to host the site database

When you use a SQL Server cluster for the database at a central administration site or primary site, you use the fail-over support built into SQL Server. Secondary sites cannot use a SQL Server cluster, and do not support backup or restoration of their site database. You recover a secondary site by reinstalling the secondary
553

Option

More information

site from its parent primary site.

Deploy a hierarchy of sites with a central administration site, and one or more child primary sites

This configuration can provide fault tolerance when your sites manage overlapping segments of your network. In addition, this configuration offers an additional recovery option to use the information in the shared database available at another site, to rebuild the site database at the recovered site. You can use this option to replace a failed or unavailable backup of the failed sites database. When you create and test a regular site backup, you can ensure that you have the data necessary to recover a site, and the experience to recover a site in the minimal amount of time.

Create regular backups at central administration sites and primary sites

Install multiple instances of site system roles

When you install multiple instances of critical site system roles such as the management point and distribution point, you provide redundant points of contact for clients in the event that a specific site system server is offline. The SMS Provider provides the point of administrative contact for one or more Configuration Manager consoles. When you install multiple SMS Providers, you can provide redundancy for contact points to administer your site and hierarchy.

Install multiple instances of the SMS Provider at a site

Details for Sites and Site System Roles that are Highly Available
The following table provides information about features available at sites, and the site system roles that are part of a high availability configuration.
Feature More information

Redundancy for important site system roles

You can install multiple instances of the following site system roles to provide important services to clients:
554

Feature

More information

Management point Distribution point State migration point System Health Validator point Application Catalog web service point Application Catalog website point Software update point (Configuration Manager SP1 only)

You can install multiple instance of the following site system role to provide redundancy for reporting on sites and clients: Reporting services point You can install the following site system role on a Windows Network Load Balancing (NLB) cluster to provide failover support: Software update point Note For Configuration Manager SP1, you must use Windows PowerShell if you want to configure an NLB software update point instead of using the automatic redundancy that Configuration Manager SP1 provides when you install multiple software update points. Built-in site backup Configuration Manager includes a built-in backup task to help you back up your site and critical information on a regular schedule. Additionally, the Configuration Manager Setup wizard supports site restoration actions to help you restore a site to operations. You can configure each site to publish data about site system servers and services to Active Directory Domain Services and to DNS. This enables clients to identify the most accessible server on the network, and to identify when new site system servers that can provide important services, such as
555

Publishing to Active Directory Domain Services and DNS

Feature

More information

management points, are available. SMS Providers and Configuration Manager consoles Configuration Manager supports installing multiple SMS Providers, each on a separate computer, to ensure multiple access points for Configuration Manager consoles. This ensures that if one SMS Provider computer is offline, you maintain the ability to view and reconfigure Configuration Manager sites and clients. When a Configuration Manager console connects to a site, it connects to an instance of the SMS Provider at that site. The instance of the SMS Provider is selected nondeterministically. If the selected SMS Provider is not available, you have the following options: Reconnect the console to the site. Each new connection request is nondeterministically assigned an instance of the SMS Provider and it is possible that the new connection will be assigned an available instance. Connect the console to a different Configuration Manager site and manage the configuration from that connection. This introduces a slight delay of configuration changes of no more than a few minutes. After the SMS Provider for the site is online, you can reconnect your Configuration Manager console directly to the site that you want to manage.

You can install the Configuration Manager console on multiple computers for use by administrative users. Each SMS Provider supports connections from multiple Configuration Manager consoles. Management point Install multiple management points at each primary site, and enable the sites to publish site data to your Active Directory infrastructure, and to DNS. Multiple management points help to loadbalance the use of any single management
556

Feature

More information

point by multiple clients. In addition, you can install one or more database replicas for management points to decrease the CPUintensive operations of the management point, and to increase the availability of this critical site system role. Because you can install only one management point in a secondary site, which must be located on the secondary site server, management points at secondary sites are not considered to have a highly available configuration. Note Mobile devices that are enrolled by Configuration Manager can connect to only one management point in a primary site. The management point is assigned by Configuration Manager to the mobile device during enrollment and then does not change. When you install multiple management points and enable more than one for mobile devices, the management point that is assigned to a mobile device client is non-deterministic. If the management point that a mobile device client uses becomes unavailable, you must resolve the problem with this management point or wipe the mobile device and re-enroll the mobile device so that it can assign to an operational management point that is enabled for mobile devices. Distribution point Install multiple distribution points, and deploy content to multiple distribution points. You can configure overlapping boundary groups for content location to ensure that clients on each subnet can access a deployment from two or more distribution points. Finally, consider configuring one or more distribution points as
557

Feature

More information

fallback locations for content. For more information about fallback locations for content, see the Planning for Preferred Distribution Points and Fallback section in the Planning for Content Management in Configuration Manager topic. Application Catalog web service point and Application Catalog website point You can install multiple instances of each site system role, and for best performance, deploy one of each on the same site system computer. Each Application Catalog site system role provides the same information as other instances of that site system role regardless of the location of this site server role in the hierarchy. Therefore, when a client makes a request for the Application Catalog and you have configured the Default Application Catalog website point device client setting for Automatically detect, the client can be directed to an available instance, with preference given to local Application Catalog site system servers, based on the current network location of the client. For more information about this client setting and how automatic detection works, see the Computer Agent client setting section in the About Client Settings in Configuration Manager topic.

Details for Sites and Site System Roles that are not Highly Available
Several site systems do not support multiple instances at a site or in the hierarchy. Use the information in the following table to help you plan if these site systems go off-line.
Site system server More information

Site server (site)

Configuration Manager does not support the installation of the site server for each site on a Windows Server cluster or NLB cluster. The following information can help you prepare
558

Site system server

More information

for when a site server fails or is not operational: Use the built-in backup task to regularly create a backup of the site. In a test environment, regularly practice restoring sites from a backup. Deploy multiple Configuration Manager primary sites in a hierarchy with a central administration site to create redundancy. If you experience a site failure, consider using Windows group policy or logon scripts to reassign clients to a functional site. If you have a hierarchy with a central administration site, you can recover the central administration site or a child primary site by using the option to recover a site database from another site in your hierarchy. Secondary sites cannot be restored, and must be reinstalled.

Asset Intelligence synchronization point (hierarchy)

This site system role is not considered mission critical and provides optional functionality in Configuration Manager. If this site system goes offline, use one of the following options: Resolve the reason for the site system to be off-line. Uninstall the role from the current server, and install the role on a new server.

Endpoint Protection point (hierarchy)

This site system role is not considered mission critical and provides optional functionality in Configuration Manager. If this site system goes offline, use one of the following options: Resolve the reason for the site system to be off-line. Uninstall the role from the current server, and install the role on a new server.

Enrollment point (site)

This site system role is not considered mission critical and provides optional functionality in Configuration Manager. If this site system goes offline, use one of the following options:
559

Site system server

More information

Enrollment proxy point (site)

Resolve the reason for the site system to be off-line. Uninstall the role from the current server, and install the role on a new server.

This site system role is not considered mission critical and provides optional functionality in Configuration Manager. However, you can install multiple instances of this site system role at a site, and at multiple sites in the hierarchy. If this site system goes offline, use one of the following options: Resolve the reason for the site system to be off-line. Uninstall the role from the current server, and install the role on a new server.

When you have more than one enrollment proxy server in a site, use a DNS alias for the server name. When you use this configuration, DNS round robin provides some fault tolerance and load balancing for when users enroll their mobile devices. For more information, see How to Install Clients on Mobile Devices and Enroll Them by Using Configuration Manager. Fallback status point (site or hierarchy) This site system role is not considered mission critical and provides optional functionality in Configuration Manager. If this site system goes offline, use one of the following options: Resolve the reason for the site system to be off-line. Uninstall the role from the current server, and install the role on a new server. Because clients are assigned the fallback status point during client installation, you will need to modify existing clients to use the new site system server.

Out of band service point (site)

This site system role is not considered mission critical and provides optional functionality in Configuration Manager. If this site system goes offline, use one of the following options: Resolve the reason for the site system to
560

Site system server

More information

be off-line. Uninstall the role from the current server, and install the role on a new server.

See Also
Planning for Configuration Manager Sites and Hierarchy

Example Scenarios for Planning a Simplified Hierarchy with Configuration Manager

Note This topic appears in the Site Administration for System Center 2012 Configuration Manager guide and in the Scenarios and Solutions Using System Center 2012 Configuration Manager guide. The following scenarios provide examples of how you can implement System Center 2012 Configuration Manager to solve typical business requirements and simplify your overall hierarchy design.

Scenario 1: Remote Office Optimization

The remote office optimization scenario demonstrates an implementation of System Center 2012 Configuration Manager that reduces the administrative overhead required for managing information flow across the network.

Current Situation
The customer has a simple Configuration Manager 2007 hierarchy of one primary site with two secondary sites that include a warehouse and a remote district office location. The customer has 5,015 clients across four locations as shown in the following table.
Location Site type Deployment details Connection to headquarters

Headquarters

Primary

3,000 clients Two standard distribution points, one management point, and one

Not Applicable

561

Location

Site type

Deployment details

Connection to headquarters

software update point Warehouse Secondary District Office Secondary 500 clients One standard distribution point 1,500 clients One standard distribution point, one proxy management point, and one software update point 15 clients Use of Windows BranchCache Well Connected Slow Network Slow Network

Sales Office

None

Business Requirements
The System Center 2012 Configuration Manager hierarchy must support the following business requirements:
Business requirement Configuration Manager Information

The data transferred over the network must not use excessive bandwidth. Minimize the number of servers used.

Slow network connections must support bandwidth control. Install the minimum number of site system servers possible. Clients must regularly submit their hardware inventory data, status messages, and discovery information. Content must be available to clients, including large packages for operating system images.

Produce reports that provide current information about devices.

Deploy applications, software updates, and operating system deployments on a daily basis.

Planning Decisions
Design of the System Center 2012 Configuration Manager hierarchy includes the following planning considerations:
562

Challenges

Options and considerations

The transfer of deployment content from the primary site to remote locations represents the largest effect to the network and must be managed.

Content transmission to remote locations can be managed by: Distribution points enabled for bandwidth control Prestage for distribution points Windows BranchCache A local site to manage the network bandwidth used during site-to-site transfers

The flow of client information from large numbers of clients can slow down network.

Each remote location must be evaluated for network capacity, balancing the client settings, the number of clients at the location, and the available network bandwidth. Options include the following: A local primary or secondary site to manage the network bandwidth during siteto-site transfers. No site at the location allowing clients to transfer their data unmanaged across the network to an assigned primary site.

Steps Taken
After evaluation of requirements and options, client locations, and available network bandwidth, the following decisions are made:
Decision Details

A stand-alone primary site is deployed at the Headquarters location.

A System Center 2012 Configuration Manager primary site replaces the existing primary site as there are no administrative or content management benefits gained by the use of a central administration site for this environment. A primary site can support up to 100,000 clients. There is no planned expansion that could require additional primary sites to manage large numbers of clients across slow network connections.

563

Decision

Details

A distribution point enabled for bandwidth control is deployed to the warehouse location.

The effect of client information flowing up from the warehouse location will not overwhelm the available network bandwidth. In place of a secondary site, the locations needs can be met by the use of a distribution point enabled for bandwidth control deployed from the primary site to manage the downward flow of deployment content. This decision does not reduce the number of servers in use but does remove the requirement to manage an additional site. The current client activity is not sufficient to require management of upward-flowing client data. Only downward-flowing content requires management to avoid effect to the slow network connection. In the future, the distribution point can be replaced by a secondary site that can manage network traffic in both directions if it is needed.

A secondary site is deployed to the District Office Location.

After evaluation of the effect from the local clients, it is decided that a secondary site with the same configuration previously used will be required. 1,500 clients generate enough client information to exceed the available network connection to the primary site. A primary site is not required as there is no administrative benefit to be provided by a primary site, and the hierarchys combined client total is easily handled by the primary site at the Headquarters location.

The use of Windows BranchCache is maintained at the Sales Office location.

Because this location services only 15 clients and has a fast network connection to the
564

Decision

Details

Headquarters location, the current use of Windows BranchCache as a content deployment solution remains the best option.

Business Benefits
By using a single distribution point that is enabled for bandwidth control to replace a secondary site and its distribution point, the customer meets the business requirement for managing content across slow networks. Additionally, this change decreases the administrative workload and the time it takes for the site to receive client information.

Scenario 2: Infrastructure Reduction and Management of Client Settings

The infrastructure reduction and client settings scenario demonstrates an implementation of System Center 2012 Configuration Manager that reduces infrastructure in use while continuing to manage clients with customized client settings.

Current Situation
In this example, a company manages 25,000 clients across two physical locations by using a single Configuration Manager 2007 hierarchy that consists of one central site and three primary child sites. The central site and one primary site are located in Chicago, and two primary sites are located in London. The primary sites at each geographic location reside on the same physical network and have well-connected network links. However, there is limited bandwidth between Chicago and London. Current deployment details:
Location Type of site Deployment details

Chicago Headquarters

Primary central site

19,200 clients that are configured for the companys standard configuration for client agent settings. 300 clients on computers used by people in the Human Resources division. The site is configured for a custom remote control client agent setting.
565

Chicago Headquarters

Primary child of central

Location

Type of site

Deployment details

London Offices

Primary child of central

5,000 desktop clients that are configured for the companys standard configuration of client agent settings. 500 server clients that are configured for a custom hardware inventory client agent setting.

London Offices

Primary child of central

Business Requirements
The Configuration Manager hierarchy must meet the following business requirements:
Business requirements Configuration Manager information

Maintain centralized management of the hierarchy in Chicago.

Central administration from Chicago requires that content and client information is sent over the network for the 5,500 clients in London. The standard configuration for client settings must be available for all clients.

Assign a standard client configuration to all clients unless specific business requirements dictate otherwise. Employees in the human resource division must not have the Remote Control client agent enabled on their computers. Servers that are located in London must run hardware inventory no more than once a month.

These custom client settings must be assigned to the computers that are used by the employees in the human resource division. These custom client settings must be assigned to the clients on servers in London.

Control the network bandwidth when The slow network connection requires transferring data between Chicago and London. bandwidth control. Minimize the number of servers. Avoid installing site system servers where possible to reduce administrative tasks and infrastructure costs.

Planning Decisions
The System Center 2012 Configuration Manager hierarchy design includes the following planning considerations:
566

Challenges

Options and considerations

Central administration in Chicago.

Options for this requirement include the following: Deploy a stand-alone primary site in Chicago to manage clients at both network locations: The amount of client information from London that must be transferred over the slow network must be carefully assessed.

Deploy a primary site at each location, and a central administration site in Chicago: Central administration sites cannot have clients assigned to them. Central administration sites are required if there are two or more primary sites in the hierarchy.

The transfer of content from Chicago to London will consume a lot of network bandwidth and this data transfer must be controlled.

The transfer of content down the hierarchy can be managed by the following methods: Distribution points that are enabled for bandwidth control. Windows BranchCache. A London site that is configured to manage the network bandwidth for site-to-site transfers.

The requirement to manage the network bandwidth when client information is sent from London.

Assess the London location for the available network bandwidth and how this will be reduced by the data that is generated by the 5,500 clients. Options include the following: Allow clients to transfer their data unmanaged across the network to an assigned primary site at Chicago. Deploy a secondary site or primary site in London to manage the network bandwidth during site-to-site transfers to Chicago.

A standard set of client settings must be available at all locations. Two groups that contain employees from Human Resources and servers in London, require client settings that are different than the

A default set of Client Agent Settings are specified for the hierarchy. Collections are used to assign custom client settings.

567

Challenges

Options and considerations

standard configuration.

Steps Taken
After an evaluation of the business requirements, the network structure, and the requirements for client settings, a central administration site is deployed in Chicago with one child primary site in Chicago and one child primary site in London. The following table explains these design choices.
Decision Details

A central administration site is deployed in Chicago.

This meets the centralized administration requirement by providing a centralized location for reporting and hierarchy-wide configurations. Because the central administration site has access to all client and site data in the hierarchy and is a direct parent of both primary sites, it is ideally located to host the content for all locations. A primary site is required to manage clients at the Chicago location because the central administration site cannot have clients assigned to it. A local primary site is required to locally manage the 14,800 clients. Sites in System Center 2012 Configuration Manager are not used to configure client settings, which allows all clients at a location to be assigned to the same site. Site to site address configurations can control the network bandwidth when transferring content from the central administration site in Chicago. Sites in System Center 2012 Configuration Manager are not used to configure client settings, which allows all clients at a location to be assigned to the same site. A local primary site is deployed to manage the 5,500 local clients so that the clients do not send their information and client policy
568

One primary site is required in Chicago.

One primary site is deployed in London.

Decision

Details

requests across the network to Chicago. A primary site ensures that future growth in London can be managed with the hierarchy design they implement today. Note The decision to deploy a primary site or secondary site can include consideration of the following: A standard configuration for client settings is applied to each client in the hierarchy. Assessing the available hardware for a site server The current number of clients at a location Expectations for additional clients in the future Political reasons Local point of administrative contact

Default Client Agent Settings are configured and applied to every client in the hierarchy, which results in a consistent configuration for every client. This collection is configured with custom client settings that disable Remote Control. These settings modify the hierarchy-wide defaults and provide the collection members with the customized client settings that are required for Human Resource employees. Because this collection is dynamically updated, new employees in Human Resources automatically receive the customized client settings. Because collections are shared with all sites, these customizations are applied to Human Resource employees at any location in the hierarchy without having to consider which site their computer is assigned to. This collection is configured with custom client settings, so that the servers are configured with custom settings for
569

A collection is created to contain the user accounts for the employees that work in the Human Resource division. This collection is configured to update regularly so that new accounts can be added to the collection soon after they are created.

A collection is configured to contain the servers located in London.

Decision

Details

hardware inventory.

Business Benefits
By using custom client settings in System Center 2012 Configuration Manager, the business requirements are met as follows: The infrastructure requirements are reduced by removing sites that were used only to provide custom client settings to subsets of clients. Administration is simplified because the central administration site applies a standard configuration for client settings to all clients in the hierarchy. Two collections of clients are configured for the required customized client settings. Network bandwidth is controlled when transferring data between Chicago and London.

See Also
Planning for Configuration Manager Sites and Hierarchy

Configuring Sites and Hierarchies in Configuration Manager

Use the information in the following topics to configure System Center 2012 Configuration Manager in your environment.

Configuration Topics
Prepare the Windows Environment for Configuration Manager Install Sites and Create a Hierarchy for Configuration Manager Expand a Stand-Alone Primary Site into a Hierarchy with a Central Administration Site Upgrade Configuration Manager to a New Service Pack Configure Sites and the Hierarchy in Configuration Manager Install and Configure Site System Roles for Configuration Manager Configure Database Replicas for Management Points Migrate Data from Configuration Manager 2007 to Configuration Manager

Other Resources for this Product

TechNet Library main page for System Center 2012 Configuration Manager Site Administration for System Center 2012 Configuration Manager
570

Prepare the Windows Environment for Configuration Manager

Use the information in the following sections to help you configure your Windows environment to support System Center 2012 Configuration Manager. Prepare Active Directory for Configuration Manager Extend the Active Directory Schema Create the System Management Container Set Security Permissions on the System Management Container Remote Differential Compression Internet Information Services (IIS) Request Filtering for IIS

Configure Windows-Based Servers for Configuration Manager Site System Roles

Prepare Active Directory for Configuration Manager

When you extend the Active Directory schema, this action is a forest-wide configuration that you must do one time per forest. Extending the schema is an irreversible action and must be done by a user who is a member of the Schema Admins Group or who has been delegated sufficient permissions to modify the schema. If you decide to extend the Active Directory schema, you can extend it before or after Setup. For information to help you decide whether to extend the Active Directory schema, see Determine Whether to Extend the Active Directory Schema for Configuration Manager. Tip If the Active Directory schema was extended with the Configuration Manager 2007 schema extensions, you do not have to extend the schema for System Center 2012 Configuration Manager. The Active Directory schema extensions are unchanged from Configuration Manager 2007. Three actions are required to successfully enable Configuration Manager clients to query Active Directory Domain Services to locate site resources: Extend the Active Directory schema. Create the System Management container. Set security permissions on the System Management container.

571

Extend the Active Directory Schema

Configuration Manager supports two methods to extend the Active Directory schema. The first is to use the extadsch.exe utility. The second is to use the LDIFDE utility to import the schema extension information by using the ConfigMgr_ad_schema.ldf file. Note Before you extend your Active Directory schema, test the schema extensions for conflicts with your current Active Directory schema. For information about how to test the Active Directory schema extensions, see Testing for Active Directory Schema Extension Conflicts in the Active Directory Domain Services documentation.

Extend the Active Directory Schema by Using ExtADSch.exe

You can extend the Active Directory schema by running the extadsch.exe file located in the SMSSETUP\BIN\X64 folder on the Configuration Manager installation media. The extadsch.exe file does not display output when it runs but does provide feedback when you run it from a command console as a command line. When extadsch.exe runs, it generates a log file in the root of the system drive named extadsch.log, which indicates whether the schema update completed successfully or any problems that were encountered while extending the schema. Tip In addition to generating a log file, the extadsch.exe program displays results in the console window when it is run from the command line. The following are limitations to using extadsch.exe: Extadsch.exe is not supported when run on a Windows 2000 based computers. To extend the Active Directory schema from a Windows 2000 based computer, use the ConfigMgr_ad_schema.ldf. To enable the extadsch.log to be created when you run extadsch.exe on a Windows Vista computer, you must be logged onto the computer with an account that has local administrator permissions. To extend the Active Directory schema by using Extadsch.exe 1. Create a backup of the schema master domain controllers system state. 2. Ensure that you are logged on to the schema master domain controller with an account that is a member of the Schema Admins security group. Important You must be logged on as a member of the Schema Admins security group in order to successfully extend the schema. Running the extadsch.exe file by using the Run As command to attempt to extend the schema using alternate credentials will fail. 3. Run extadsch.exe, located at \SMSSETUP\BIN\X64 on the installation media, to add the new classes and attributes to the Active Directory schema.
572

4. Verify that the schema extension was successful by reviewing the extadsch.log located in the root of the system drive. 5. If the schema extension procedure was unsuccessful, restore the schema master's previous system state from the backup created in step 1. Note To restore the system state on a Windows domain controller, the system must be restarted in Directory Services Restore Mode. For more information about Directory Services Restore Mode, see Restart the Domain Controller in Directory Services Restore Mode Locally.

Extend the Active Directory Schema by Using an LDIF File

You can use the LDIFDE command-line utility to import directory objects into Active Directory Domain Services by using LDAP Data Interchange Format (LDIF) files. For greater visibility of the changes being made to the Active Directory schema than the extadsch.exe utility provides, you can use the LDIFDE utility to import schema extension information by using the ConfigMgr_ad_schema.ldf file located in the SMSSETUP\BIN\X64 folder on the Configuration Manager installation media. Note The ConfigMgr_ad_schema.ldf file is unchanged from the version provided with Configuration Manager 2007. To extend the Active Directory schema by using the ConfigMgr_ad_schema.ldf file 1. Create a backup of the schema master domain controllers system state. 2. Open the ConfigMgr_ad_schema.ldf file, located in the SMSSETUP\BIN\X64 directory of the Configuration Manager installation media and edit the file to define the Active Directory root domain to extend. All instances of the text DC=x in the file must be replaced with the full name of the domain to extend. For example, if the full name of the domain to extend is named widgets.microsoft.com, change all instances of DC=x in the file to DC=widgets, DC=microsoft, DC=com. 3. Use the LDIFDE command-line utility to import the contents of the ConfigMgr_ad_schema.ldf file into Active Directory Domain Services. For example, the following command line will import the schema extensions into Active Directory Domain Services, turn on verbose logging, and create a log file during the import process: ldifde i f ConfigMgr_ad_schema.ldf v j <location to store log file> 4. To verify that the schema extension was successful, you can review the log file created by the command line used in step 3. 5. If the schema extension procedure was unsuccessful, restore the schema master's previous system state from the backup created in step 1.

573

Note To restore the system state on a Windows domain controller, the system must be restarted in Directory Services Restore Mode. For more information about Directory Services Restore Mode, see Restart the Domain Controller in Directory Services Restore Mode Locally.

Create the System Management Container

Configuration Manager does not automatically create the System Management container in Active Directory Domain Services when the schema is extended. The container must be created one time for each domain that includes a Configuration Manager primary site server or secondary site server that publishes site information to Active Directory Domain Services Tip You can grant the site servers computer account Full Control permission to the System container in Active Directory Domain Services, which results in the site server automatically creating the System Management container when site information is first published to Active Directory Domain Services. However, it is more secure to manually create the System Management container. Use ADSI Edit to create the System Management container in Active Directory Domain Services. For more information about how to install and use ADSI Edit, see ADSI Edit (adsiedit.msc) in the Active Directory Domain Services documentation. To manually create the System Management container 1. Log on as an account that has the Create All Child Objects permission on the System container in Active Directory Domain Services. 2. Run ADSI Edit, and connect to the domain in which the site server resides. 3. Expand Domain <computer fully qualified domain name>, expand <distinguished name>, right-click CN=System, click New, and then click Object. 4. In the Create Object dialog box, select Container, and then click Next. 5. In the Value box, type System Management, and then click Next. 6. Click Finish to complete the procedure.

Set Security Permissions on the System Management Container

After you have created the System Management container in Active Directory Domain Services, you must grant the site server's computer account the permissions that are required to publish site information to the container. Important The primary site server computer account must be granted Full Control permissions to the System Management container and all its child objects. If you have secondary sites,
574

the secondary site server computer account must also be granted Full Control permissions to the System Management container and all its child objects. You can grant the necessary permissions by using the Active Directory Users and Computers administrative tool or the Active Directory Service Interfaces Editor (ADSI Edit). For more information about how to install and use ADSI Edit, see ADSI Edit (adsiedit.msc). Note The following procedures are provided as examples of how to configure Windows Server 2008 R2 computers. If you are using a different operating system version, please refer to that operating systems documentation for information on how to make similar configurations. To apply permissions to the System Management container by using the Active Directory Users and Computers administrative tool 1. Click Start, click Run, and then enter dsa.msc to open the Active Directory Users and Computers administrative tool. 2. Click View, and then click Advanced Features. 3. Expand the System container, right-click System Management, and then click Properties. 4. In the System Management Properties dialog box, click the Security tab, and then click Add to add the site server computer account. Grant the account Full Control permissions. 5. Click Advanced, select the site servers computer account, and then click Edit. 6. In the Apply to list, select This object and all descendant objects. 7. Click OK and then close the Active Directory Users and Computers administrative tool to complete the procedure. To apply permissions to the System Management container by using the ADSI Edit console 1. Click Start, click Run, and enter adsiedit.msc to open the ADSIEdit console. 2. If necessary, connect to the site server's domain. 3. In the console pane, expand the site server's domain, expand DC=<server distinguished name>, and then expand CN=System. Right-click CN=System Management, and then click Properties. 4. In the CN=System Management Properties dialog box, click the Security tab, and then click Add to add the site server computer account. Grant the account Full Control permissions. 5. Click Advanced, select the site servers computer account, and then click Edit. 6. In the Apply onto list, select This object and all descendant objects. 7. Click OK to close the ADSIEdit console and complete the procedure.

575

Configure Windows-Based Servers for Configuration Manager Site System Roles

Before you can use a Windows Server with System Center 2012 Configuration Manager, you must ensure the computer is configured to support Configuration Manager operations. Use the information in the following sections to configure Windows servers for Configuration Manager. For more information about site system role prerequisites, see the Prerequisites for Site System Roles section in the Supported Configurations for Configuration Manager topic. Note The procedures in the following sections are provided as examples of how to configure Windows Server 2008 or Windows Server 2008 R2 computers. If you are using a different operating system version, please refer to that operating systems documentation for information on how to make similar configurations.

Remote Differential Compression

Site servers and distribution points require Remote Differential Compression (RDC) to generate package signatures and perform signature comparison. If RDC is not enabled, you must enable it on these site system servers. Use the following procedure as an example of how to enable Remote Differential Compression on Windows Server 2008 and Windows Server 2008 R2 computers. If you have a different operating system version, refer to your operating system documentation for the equivalent procedure. To configure Remote Differential Compression for Windows Server 2008 or Windows Server 2008 R2 1. On the Windows Server 2008 or Windows Server 2008 R2 computer, navigate to Start / All Programs / Administrative Tools / Server Manager to start Server Manager. In Server Manager, select the Features node and click Add Features to start the Add Features Wizard. 2. On the Select Features page, select Remote Differential Compression, and then click Next. 3. Complete the wizard and close Server Manager to complete the configuration.

Internet Information Services (IIS)

Several site system roles require Internet Information Services (IIS). If IIS is not already enabled, you must enable it on site system servers before you install a site system role that requires IIS. In addition to the site system server, the following site systems roles require IIS: Application Catalog web service point Application Catalog website point Distribution point
576

Enrollment point Enrollment proxy point Fallback status point Management point Software update point

The minimum version of IIS that Configuration Manager requires is the default version that is supplied with the operating system of the server that runs the site system. For example, when you enable IIS on a Windows Server 2008 computer that you plan to use as a distribution point, IIS 7.0 is installed. You can also install IIS 7.5. If you enable IIS on a Windows 7 computer for a distribution point, IIS 7.5 is automatically installed. You cannot use IIS version 7.0 for distribution point that runs Windows 7. Use the following procedure as an example of how to install IIS on a Windows Server 2008 or Windows Server 2008 R2 computer. If you have a different operating system version, refer to your operating system documentation for the equivalent procedure. To install Internet Information Services (IIS) on Windows Server 2008 and Windows Server 2008 R2 computers 1. On the Windows Server 2008 or Windows Server 2008 R2 computer, navigate to Start / All Programs / Administrative Tools / Server Manager to start Server Manager. In Server Manager, select the Features node and click Add Features to start the Add Features Wizard. 2. On the Select Features page of the Add Features Wizard, install any additional features that are required to support the site system roles you install on this computer. For example, to add BITS Server Extensions: For Windows Server 2008, select the BITS Server Extensions check box. For Windows Server 2008 R2, select the Background Intelligent Transfer Services (BITS) check box. When prompted, click Add Required Role Services to add the dependent components, including the Web Server (IIS) role, and then click Next. Tip If you are configuring computer that will be a site server or distribution point, ensure the check box for Remote Differential Compression is selected. 3. On the Web Server (IIS) page of the Add Features Wizard, click Next. 4. On the Select Role Services page of the Add Features Wizard install any additional role services that are required to support the site system roles you install on this computer. For example, to add ASP.NET and Windows Authentication: For Application Development, select the ASP.NET check box and, when prompted, click Add Required Role Services to add the dependent components. For Security, select the Windows Authentication check box.

5. In the Management Tools node, for IIS 6 Management Compatibility, ensure that both the IIS 6 Metabase Compatibility and IIS 6 WMI Compatibility check boxes are selected, and then click Next.
577

6. On the Confirmation page, click Install, complete the wizard, and close Server Manager to complete the configuration.

Request Filtering for IIS

By default, IIS blocks several file name extensions and folder locations from access by HTTP or HTTPS communication. If your package source files contain extensions that are blocked in IIS, you must configure the requestFiltering section in the applicationHost.config file on distribution point computers. The following file name extensions are used by Configuration Manager for packages and applications. Allow the following file name extensions on distribution points: .PCK .PKG .STA .TAR

For example, you might have source files for a software deployment that include a folder named bin, or that contain a file with the . mdb file name extension. By default, IIS request filtering blocks access to these elements. When you use the default IIS configuration on a distribution point, clients that use BITS fail to download this software deployment from the distribution point. In this scenario, the clients indicate that they are waiting for content. To enable the clients to download this content by using BITS, on each applicable distribution point, edit the requestFiltering section of the applicationHost.config file to allow access to the files and folders in the software deployment. Important Modifications to the requestFiltering section apply to all websites on that server. This configuration increases the attack surface of the computer. The security best practice is to run Configuration Manager on a dedicated web server. If you must run other applications on the web server, use a custom website for Configuration Manager. For information about custom websites, see the Planning for Custom Websites with Configuration Manager section in Planning for Site Systems in Configuration Manager. Use the following procedure as an example of how to modify requestFiltering on a Windows Server 2008 or Windows Server 2008 R2 computer. If you have a different operating system version, refer to your operating system documentation for the equivalent procedure. To configure request filtering for IIS on distribution points 1. On the distribution point computer, open the applicationHost.config file located in the %Windir%\System32\Inetsrv\Config\ directory. 2. Search for the <requestFiltering> section. 3. Determine the file name extensions and folder names that you will have in the packages on this distribution point. For each extension and folder name that you require, perform the following steps:
578

If it is listed as a fileExtension element, set the value for allowed to true. For example, if your content contains a file with an .mdb extension, change the line <add fileExtension=".mdb" allowed="false" /> to <add fileExtension=".mdb" allowed="true" />. Allow only the file name extensions required for your content.

If it is listed as a <hiddenSegments> element, delete the entry that matches the file name extension or folder name from the file. For example, if your content contains a folder with the label of bin, remove the line <add segment=bin /> from the file.

4. Save and close the applicationHost.config file to complete the configuration.

See Also
Configuring Sites and Hierarchies in Configuration Manager

Install Sites and Create a Hierarchy for Configuration Manager

You can use the Setup Wizard in System Center 2012 Configuration Manager to install and uninstall sites, create a Configuration Manager hierarchy, recover a site, and perform site maintenance. Use the following sections in this topic to help you to install sites, create a hierarchy, and learn more about the Setup options. Whats New in Configuration Manager Things to Consider Before You Run Setup Pre-Installation Applications Setup Downloader Prerequisite Checker

Manual Steps to Prepare for Site Server Installation System Center 2012 Configuration Manager Setup Wizard Install a Configuration Manager Console Manage Configuration Manager Console Languages Install a Central Administration Site Install a Primary Site Server Install a Secondary Site Install a Site Server

Upgrade an Evaluation Installation to a Full Installation Using Command-Line Options with Setup Configuration Manager Unattended Setup
579

Decommission Sites and Hierarchies Remove a Secondary Site from a Hierarchy Uninstall a Primary Site Uninstall a Primary Site that is Configured with Distributed Views Uninstall the Central Administration Site

Configuration Manager Site Naming

Whats New in Configuration Manager

Note The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide. The following options in Setup for site installation are new or have changed since Configuration Manager 2007. Central administration site The top-level Configuration Manager 2007 site in a multi-primary site hierarchy was known as a central site. In System Center 2012 Configuration Manager, the central administration site replaces the central site. The central administration site is not a primary site at the top of the hierarchy, but rather a site that is used for reporting and to facilitate communication between primary sites in the hierarchy. A central administration site supports a limited selection of site system roles and does not directly support clients or process client data. Installation of site system roles The following site system roles can be installed and configured for a primary site during Setup: Management point Distribution point

You can install the site system roles locally on the site server or on a different computer. After installation, you can use the Configuration Manager console to install additional site system roles. No secondary site installation option Secondary sites can only be installed from the Configuration Manager console. For more information about installing a secondary site, see the Install a Secondary Site section in the topic. Optional Configuration Manager console installation You can choose to install the Configuration Manager console during setup or install the console after setup by using the Configuration Manager console installer (Consolesetup.exe). Server and client language selections You are no longer required to install your site servers by using source files for a specific language or install International Client Packs when you want to support different languages on the client. From Setup, you can choose the server and client languages that are supported
580

in your Configuration Manager hierarchy. Configuration Manager uses the display language of the server or client computer when you have configured support for the language. English is the default language that is used when Configuration Manager does not support the display language of the server or client computer. Warning You cannot select specific languages for mobile device clients. Instead, you must enable all available client languages or use English only. Unattended installation script Setup automatically creates the unattended installation script when you confirm the settings on the Summary page of the wizard. The unattended installation script contains the settings that you selected in the wizard. You can modify the script to install other sites in your hierarchy. Setup creates the script in %TEMP%\ConfigMgrAutoSave.ini. Database replication When you have more than one System Center 2012 Configuration Manager site in your hierarchy, Configuration Manager uses database replication to transfer data and merge changes that are made to a sites database with the information that is stored in the database at other sites in the hierarchy. This hierarchy enables all sites to share the same information. When you have a primary site without any other sites, database replication is not used. Database replication is enabled when you install a primary site that reports to a central administration site or when you connect a secondary site to a primary site. Setup Downloader Setup Downloader (SetupDL.exe) is a stand-alone application that downloads the files that Setup requires. You can manually run Setup Downloader, or Setup can run it during site installation. You can see the progress of files that are downloaded and verified. Only the required files are downloaded while avoiding files and files that have been updated. For more information about Setup Downloader, see the Setup Downloader section in this topic. Prerequisite Checker Prerequisite Checker (Prereqchk.exe) is a stand-alone application that verifies server readiness for a specific site system role. In addition to the site server, site database server, and provider computer, Prerequisite Checker now checks management point and distribution point site systems. You can run Prerequisite Checker manually, or Setup runs it automatically as part of the site installation. For more information about Prerequisite Checker, see the Prerequisite Checker section in this topic.

Things to Consider Before You Run Setup

There are many business and security decisions that you must consider before you run Setup and install your site. Base your System Center 2012 Configuration Manager hierarchy design on careful planning for your network infrastructure, business requirements, budget limitations, and so on. Ideally, read the entire Planning for Configuration Manager Sites and Hierarchy section in the Site Administration for System Center 2012 Configuration Manager guide, but for brevity, the
581

following list provides several important planning steps from the guide that you must consider before you run Setup. Important Installing System Center 2012 Configuration Manager in your production environment without thorough planning is unlikely to result in a fully functional site that meets your business and security requirements.
Item Description More information

Network infrastructure and Business requirements

Identify your network infrastructure and how it influences your Configuration Manager hierarchy, and what your business requirements are for using Configuration Manager. Verify that your servers meet the supported configurations for installing Configuration Manager. Review the public key infrastructure (PKI) certificates that you might require for your Configuration Manager site system servers and clients. Determine whether to install a central administration site, a child primary site, or a standalone primary site. When you create a hierarchy, you must install the central administration site first. Prepare the Windows environment for the site server and site system installation. Plan for and configure your site database server.

Identify Your Network and Business Requirements to Plan a Configuration Manager Hierarchy

Supported configurations

Supported Configurations for Configuration Manager

PKI certificates

PKI Certificate Requirements for Configuration Manager

Site hierarchy

Planning for Sites and Hierarchies in Configuration Manager

Windows environment

Prepare the Windows Environment for Configuration Manager Planning for Database Servers in Configuration Manager

Site database

582

Pre-Installation Applications
There are two applications, Setup Downloader and Prerequisite Checker, that you can optionally run before you install the site. They download updated files for Setup and verify server readiness for the site server or site system server.

Setup Downloader
Configuration Manager Setup Downloader is a stand-alone application that verifies and downloads required prerequisite redistributable files, language packs, and the latest product updates for Setup. When you install a Configuration Manager site, you can specify a folder that contains required files, or Setup can automatically start the Setup Downloader to download the latest files from the Internet. You might choose to run Setup Downloader before you run Setup and store the files on a network shared folder or removable hard drive. This approach is necessary when the planned site server computer does not have Internet access, or a firewall prevents the files from downloading. After you download the latest files, you can use the same path to the download folder to install multiple sites. When you install sites, always verify that the path to the download folder contains the most recent version of the files. Security To prevent an attacker from tampering with the files, use a local path to the folder that stores the files. If you use a network shared folder for the files, use Server Message Block (SMB) signing or Internet Protocol security (IPsec) to secure the location for the files. You can open Setup Downloader and specify a path to the folder to host the downloaded files, or you can run Setup Downloader at a command prompt and specify command-line options. Use the following procedures to start Setup Downloader and download the latest Configuration Manager files that Setup requires. To start Setup Downloader from Windows Explorer 1. On a computer that has Internet access, open Windows Explorer, and browse to <ConfigMgrInstallationMedia>\SMSSETUP\BIN\X64. 2. Double-click Setupdl.exe. The Setup Downloader opens. 3. Specify the path for the folder that will host the updated installation files, and then click Download. Setup Downloader verifies the files that are currently in the download folder and downloads only the files that are missing or are newer than the existing files. Setup Downloader creates subfolders for the downloaded languages. Setup Downloader will create the folder if it does not exist. Security To run the Setup Downloader application, you must have Full Control NTFS file system permissions to the download folder. 4. View the ConfigMgrSetup.log file in the root of the drive C to review the download results.
583

To start Setup Downloader at a command prompt 1. Open a Command Prompt window and browse to <ConfigMgrInstallationMedia>\SMSSETUP\BIN\X64. 2. Type setupdl.exe to open Setup Downloader. Optionally, you can use the following command-line options: /VERIFY: Use this option to verify the files in the download folder, which include language files. Review the ConfigMgrSetup.log file in the root of the drive C for a list of files that are outdated. No files are downloaded when you use this option. /VERIFYLANG: Use this option to verify the language files in the download folder. Review the ConfigMgrSetup.log file in the root of the drive C for a list of language files that are outdated. /LANG: Use this option to download only the language files to the download folder. /NOUI: Use this option to start Setup Downloader without displaying the user interface. When you use this option, you must specify the download path as part of the command line. <DownloadPath>: You can specify the path to the download folder to automatically start the verification or download process. You must specify the download path when you use the /NOUI option. When you do not specify a download path, you must specify the path when Setup Downloader opens. Setup Downloader will create the folder if it does not exist. Security To run the Setup Downloader application, you must have Full Control NTFS file system permissions to the download folder. Usage examples: setupdl \\MyServer\MyShare\ConfigMgrUpdates Setup Downloader starts, verifies the files in the \\MyServer\MyShare\ConfigMgrUpdates folder, and downloads only the files that are missing or are newer than the existing files. setupdl /VERIFY c:\ConfigMgrUpdates Setup Downloader starts and verifies the files in the C:\ConfigMgrUpdates folder. setupdl /NOUI c:\ConfigMgrUpdates Setup Downloader starts, verifies the files in the \\MyServer\MyShare\ConfigMgrUpdates folder, and downloads only the files that are missing or are newer than the existing files. setupdl /LANG c:\ConfigMgrUpdates Setup Downloader starts, verifies the language files in the C:\ConfigMgrUpdates folder, and downloads only the language files that are missing or are newer than the existing files.
584

setupdl /VERIFY Setup Downloader starts, you must specify the path to the download folder, and after you click Verify, Setup Downloader verifies the files in the download folder.

3. View the ConfigMgrSetup.log file in the root of the drive C to review the download results.

Prerequisite Checker
Prerequisite Checker (Prereqchk.exe) is a stand-alone application that verifies server readiness for a site server or specific site system roles. Before site installation, Setup runs Prerequisite Checker. You might choose to manually run Prerequisite Checker on potential site servers or site systems to verify server readiness. This process lets you to remediate any issues that you find before you run Setup. When you run Prerequisite Checker without command-line options, the local computer is scanned for an existing site server, and only the checks that are applicable to the site are run. If no existing sites are detected, all prerequisite rules are run. You can run Prerequisite Checker at a command prompt and specify specific command-line options to perform only checks that are associated with the site server or site systems that you specified in the command line. When you specify another server to check, you must have administrative user rights on the server for Prerequisite Checker to complete the checks. For more information about the prerequisite checks that Prerequisite Checker performs, see Technical Reference for the Prerequisite Checker in Configuration Manager. When you are planning to upgrade a Configuration Manager site to a new service pack, you can manually run the Prerequisite Checker on each site to verify that sites readiness for upgrade. To do so, use the Prerequisite Checker files from the source media of that new version of Configuration Manager. When you run the Prerequisite Checker for upgrade, you do not specify command-line options. Use the following procedures to run Prerequisite Checker on site servers or site system servers. To move Prerequisite Checker files to another computer 1. In Windows Explorer, browse to one of the following locations: <ConfigMgrInstallationMedia>\SMSSETUP\BIN\X64. <ConfigMgrInstallationPath>\SMSSETUP\BIN\X64.

2. Copy the following files to the destination folder on the other computer: Prereqchk.exe Prereqcore.dll Basesql.dll Basesvr.dll Baseutil.dll

585

To start Prerequisite Checker and run default checks 1. In Windows Explorer, browse to <ConfigMgrInstallationMedia>\SMSSETUP\BIN\X64 or <ConfigMgrInstallationPath>\SMSSETUP\BIN\X64. 2. Open prereqchk.exe to start Prerequisite Checker. Prerequisite Checker detects existing sites, and if found, performs checks for upgrade readiness. If no sites are found, all checks are performed. The Site Type column provides information about the site server or site system with which the rule is associated. To start Prerequisite Checker at a command prompt and run all checks 1. Open a Command Prompt window and browse to <ConfigMgrInstallationMedia>\SMSSETUP\BIN\X64 or <ConfigMgrInstallationPath>\SMSSETUP\BIN\X64. 2. Type prereqchk.exe /LOCAL to start Prerequisite Checker and run all prerequisite checks on the server. To start Prerequisite Checker at a command prompt and run primary site checks 1. Open a Command Prompt window and browse to <ConfigMgrInstallationMedia>\SMSSETUP\BIN\X64 or <ConfigMgrInstallationPath>\SMSSETUP\BIN\X64. 2. Type prereqchk.exe and choose from the following command-line options to check requirements for a primary site installation.
Command-line option Required Description

/NOUI

No

Starts Prerequisite Checker without displaying the user interface. You must specify this option before any other option in the command line. Verifies that the local computer meets the requirements for the primary site. Verifies that the specified computer meets the requirements for SQL Server to host the
586

/PRI

Yes

/SQL <FQDN of SQL Server>

Yes

Configuration Manager site database. /SDK <FQDN of SMS Provider> Yes Verifies that the specified computer meets the requirements for the SMS Provider. Verifies that the local computer meets the requirements for connecting to the central administration site server. Verifies that the specified computer meets the requirements for the management point site system role. This option is only supported when you use the /PRI option. Verifies that the specified computer meets the requirements for the distribution point site system role. This option is only supported when you use the /PRI option. Verifies that a firewall exception is in effect to allow communication for the SQL Server Service Broker (SSB) port. The default is port number 4022. Verifies minimum disk space on requirements for site installation.

/JOIN <FQDN of central administration site>

No

/MP <FQDN of management point>

No

/DP <FQDN of distribution point>

No

/Ssbport

No

InstallDir <ConfigMgrInstallationPath>

No

Usage examples (optional options are displayed in brackets): prereqchk.exe [/NOUI] /PRI /SQL <FQDN of SQL Server> /SDK <FQDN of SMS Provider> [/JOIN <FQDN of central administration site>] [/MP <FQDN of
587

management point>] [/DP <FQDN of distribution point>] When you run the command, unless you use the NOUI option, Prerequisite Checker opens and starts scanning the specified servers by using prerequisite checks that are applicable to the specified command-line options. Prerequisite Checker creates a list in the Prerequisite result section for any detected problems. 3. Click an item in the list for details about how to resolve the problem. You must resolve all items in the list that have an Error status before you install the site server, site system, or Configuration Manager console. You can also open the ConfigMgrPrereq.log file in the root of the system drive to review Prerequisite Checker results. The log file can contain additional information that are not displayed in the user interface. To start Prerequisite Checker at a command prompt and run central administration site checks 1. Open a Command Prompt window and browse to <ConfigMgrInstallationMedia>\SMSSETUP\BIN\X64 or <ConfigMgrInstallationPath>\SMSSETUP\BIN\X64. 2. Type prereqchk.exe and choose from the following command-line options to check requirements for a central administration site installation.
Command-line option Required Description

/NOUI

No

Starts Prerequisite Checker without displaying the user interface. You must specify this option before any other option in the command line. Verifies that the local computer meets the requirements for the central administration site. Verifies that the specified computer meets the requirements for SQL Server to host the Configuration Manager site database. Verifies that the specified computer meets the requirements for the SMS
588

/CAS

Yes

/SQL <FQDN of SQL Server>

Yes

/SDK <FQDN of SMS Provider>

Yes

Provider. /Ssbport No Verifies that a firewall exception is in effect to allow communication on the SSB port. The default is port number 4022. Verifies minimum disk space on requirements for site installation.

InstallDir <ConfigMgrInstallationPath>

No

Usage examples (optional options are displayed in brackets): prereqchk.exe /CAS /SQL <FQDN of SQL Server> /SDK <FQDN of SMS Provider> /Ssbport 4022 prereqchk.exe /NOUI /CAS /SQL <FQDN of SQL Server> /SDK <FQDN of SMS Provider>

When you run the command, unless you use the NOUI option, Prerequisite Checker opens and starts scanning the specified servers by using prerequisite checks that are applicable to the specified command-line options. Prerequisite Checker creates a list in the Prerequisite result section for any problems that are found. 3. Click an item in the list for details about how to resolve the problem. You must resolve all items in the list that have an Error status before you install the site server, site system, or Configuration Manager console. You can also open the ConfigMgrPrereq.log file in the root of the system drive to review the prerequisite checker results. The log file can contain additional information that are not displayed in the user interface. To start Prerequisite Checker at a command prompt from a primary site and run secondary site checks 1. On the primary site server from which you plan to install the secondary site, open a Command Prompt window and browse to <ConfigMgrInstallationMedia>\SMSSETUP\BIN\X64 or <ConfigMgrInstallationPath>\SMSSETUP\BIN\X64. 2. Type prereqchk.exe and choose from the following command-line options to check requirements for a secondary site installation on a remote server.
Command-line option Required Description

/NOUI

No

Starts Prerequisite Checker without displaying the user interface. You must specify this option before
589

any other option in the command line. /SEC <FQDN of secondary site server> Yes Verifies that the specified computer meets the requirements for the secondary site. Verifies that SQL Server Express can be installed on the specified computer. Verifies that a firewall exception is in effect to allow communication for the SQL Server Service Broker (SSB) port. The default is port number 4022. Verifies that a firewall exception is in effect to allow communication for the SQL Server service port and that the port is not in use by another named instance of SQL Server. The default port is 1433. Verifies minimum disk space on requirements for site installation. Verifies that the computer account of the secondary site can access the folder that hosts the source files for Setup.

/INSTALLSQLEXPRESS

No

/Ssbport

No

/Sqlport

No

InstallDir <ConfigMgrInstallationPath>

No

SourceDir

No

Usage examples (optional options are displayed in brackets): prereqchk.exe /SEC /Ssbport 4022 /SourceDir <Source Folder Path> prereqchk.exe [/NOUI] /SEC <FQDN of secondary site> [/INSTALLSQLEXPRESS]
590

When you run the command, unless you use the NOUI option, Prerequisite Checker opens and starts scanning the specified servers by using prerequisite checks that are applicable to the specified command-line options. Prerequisite Checker creates a list in the Prerequisite result section for any problems that are found. 3. Click an item in the list for details about how to resolve the problem. You must resolve all items in the list that have an Error status before you install the site server, site system, or Configuration Manager console. You can also open the ConfigMgrPrereq.log file in the root of the system drive to review the prerequisite checker results. The log file can contain additional information that is not displayed in the user interface. To start Prerequisite Checker at a command prompt and run Configuration Manager console checks 1. On the primary site server from which you install the secondary site, open a Command Prompt window and browse to <ConfigMgrInstallationMedia>\SMSSETUP\BIN\X64 or <ConfigMgrInstallationPath>\SMSSETUP\BIN\X64. 2. Type prereqchk.exe /Adminui to check requirements for Configuration Manager console installation on the local computer. When you run the command, Prerequisite Checker opens and starts scanning the specified servers by using prerequisite checks that are applicable to the specified command-line options. Prerequisite Checker creates a list in the Prerequisite result section for any detected problems. 3. Click an item in the list for details about how to resolve the problem. You must resolve all items in the list that have an Error status before you install the site server, site system, or Configuration Manager console. You can also open the ConfigMgrPrereq.log file in the root of the system drive to review the prerequisite checker results. The log file can contain additional information that is not displayed in the user interface.

Manual Steps to Prepare for Site Server Installation

Before you install a site server on a computer, consider the following manual steps to prepare for site server installation.
Manual step Description

Install the latest security updates on the site server computer.

Use Windows Update to install the latest security updates on the site server computer.

Install the hotfix that is described in KB2552033 The hotfix that is described in KB2552033 must on site servers that run Windows be installed on site servers that run Windows Server 2008 R2. Server 2008 R2 when client push installation is enabled.
591

System Center 2012 Configuration Manager Setup Wizard

When you run Setup, the local computer is scanned for an existing site server and provides only the options that are applicable, based on the scan results. The options that are available in Setup also differ when you run Setup from installation media, the Configuration Manager DVD or a network shared folder, or if you run Setup from the Start menu or by opening Setup.exe from the installation path on an existing site server. The Configuration Manager Setup Wizard provides the following options to install, upgrade, or uninstall a site: Install a Configuration Manager primary site server: When you choose to install a new primary site, you can manually configure the site settings in the wizard, or let Setup configure the site with a default installation path, to use a local installation of the default instance of SQL Server for the site database, to install a management point on the site server, and to install a distribution point on the site server. Note You must start Setup from installation media to select this option. Install a Configuration Manager central administration site: The central administration site is used for reporting and to coordinate communication between primary sites in the hierarchy. There is only one central administration site in a Configuration Manager hierarchy. The central administration site must be the first site that you install. Note You must start Setup from installation media to select this option. Upgrade an existing Configuration Manager installation: Choose this option to upgrade an existing version of System Center 2012 Configuration Manager. Note You must start Setup from installation media to select this option. Uninstall a Configuration Manager site server: When an existing site is detected on the local computer, and the version of the site is the same version as Setup, you have the option to uninstall the site server. You can start Setup from either the installation media or from the local site server to select this option. Note For more information about site maintenance and site reset options that are available in Setup, see Manage Site and Hierarchy Configurations.

Install a Configuration Manager Console

Administrative users use the Configuration Manager console to manage the Configuration Manager environment. Each Configuration Manager console connects to either a central administration site or a primary site. After the initial connection is made, the Configuration
592

Manager console can connect to other sites. However, you cannot connect a Configuration Manager console to a secondary site. Note The objects that are displayed for the administrative user who is running the console depend on the rights that are assigned to the administrative user. For more information about role-based administration, see the Planning for Role-Based Administration section in the Planning for Security in Configuration Manager topic. You can install the Configuration Manager console during the site server installation in the Setup Wizard, or run the stand-alone application. Use the following procedure to install a Configuration Manager console by using the stand-alone application. To install a Configuration Manager console 1. Verify that the administrative user who runs the Configuration Manager console application has the following security rights: Local Administrator rights on the computer on which the console will run. Read permission to the location for the Configuration Manager console installation files. From the Configuration Manager source media, browse to <ConfigMgrSourceFiles>\Smssetup\Bin\I386. On the site server, browse to <ConfigMgrSiteServerInstallationPath>\Tools\ConsoleSetup. Important As a best practice, initiate the Configuration Manager console installation from a site server rather than the System Center 2012 Configuration Manager installation media. The site server installation method copies the Configuration Manager console installation files and the supported language packs for the site to the Tools\ConsoleSetup subfolder. If you install the Configuration Manager console from the System Center 2012 Configuration Manager installation media, this installation method always installs the English version, regardless of the supported languages on the site server or the language settings for the operating system that is running on the computer. Optionally, you can copy the ConsoleSetup folder to an alternate location to start the installation. 3. Double-click consolesetup.exe. The Configuration Manager Console Setup Wizard opens. Important Always install the Configuration Manager console by using ConsoleSetup.exe. The Configuration Manager console Setup can be initiated by running the AdminConsole.msi, but there are no prerequisite or dependency checks, and the
593

2. Browse to one of the following locations:

installation might likely not install correctly. 4. On the opening page, click Next. 5. On the Site Server page, specify the fully qualified domain name (FQDN) of the site server to which the Configuration Manager console will connect, and then click Next. 6. On the Installation Folder page, specify the installation folder for the Configuration Manager console, and then click Next. The folder path must not contain trailing spaces or Unicode characters. 7. On the Customer Experience Improvement Program page, choose whether to join the Customer Experience Improvement Program, and then click Next. 8. On the Ready to Install page, click Install to install the Configuration Manager console. To install a Configuration Manager console at a command prompt 1. On the server from which you install the Configuration Manager console, open a Command Prompt window and browse to one of the following locations: <ConfigMgrSiteServerInstallationPath>\Tools\ConsoleSetup <ConfigMgrInstallationMedia>\SMSSETUP\BIN\I386 Important When you install a Configuration Manager console at a command prompt, it always installs the English version regardless of the language setting for the operating system that is running on the computer. To install the Configuration Manager console in another language, you must use the previous procedure to install it. 2. Type consolesetup.exe and choose from the following command-line options.
Command-line option Description

/q

Installs the Configuration Manager console unattended. The EnableSQM and DefaultSiteServerName options are required when you use this option. Uninstalls the Configuration Manager console. You must specify this option first when you use it with the /q option. Specifies the path to the folder that contains the language files. You can use Setup Downloader to download the language files. If you do not use this option, Setup looks for the language folder in the current folder. If the language folder is not found, Setup continues to install English only. For more information about
594

/uninstall

LangPackDir

Setup Downloader, see Setup Downloader in this topic. TargetDir Specifies the installation folder to install the Configuration Manager console. This option is required when it is used with the /q option. Specifies whether to join the Customer Experience Improvement Program (CEIP). Use a value of 1 to join the Customer Experience Improvement Program, and a value of 0 to not join the program. This option is required when it is used with the /q option. Specifies the FQDN of the site server to which the console connects when it opens. This option is required when it is used with the /q option.

EnableSQM

DefaultSiteServerName

Usage examples: consolesetup.exe /q TargetDir="D:\Program Files\ConfigMgr" EnableSQM=1 DefaultSiteServerName=MyServer.Contoso.com consolesetup.exe /q LangPackDir=C:\Downloads\ConfigMgr TargetDir="D:\Program Files\ConfigMgr" Console EnableSQM=1 DefaultSiteServerName=MyServer.Contoso.com consolesetup.exe /uninstall /q

Manage Configuration Manager Console Languages

During site server installation, the Configuration Manager console installation files and supported language packs for the site are copied to the <ConfigMgrInstallationPath>\Tools\ConsoleSetup subfolder on the site server. When you start the Configuration Manager console installation from this folder on the site server, the Configuration Manager console and supported language pack files are copied to the computer. When a language pack is available for the current language setting on the computer, the Configuration Manager console opens in that language. If the associated language pack is not available for the Configuration Manager console, the console opens in English. For example, consider a scenario where you install the Configuration Manager console from a site server that supports English, German, and French. If you open the Configuration Manager console on a computer with a configured language setting of French, the console opens in French. If you open the Configuration Manager console on a computer with a

595

configured language of Japanese, the console opens in English because the Japanese language pack is not available. Each time the Configuration Manager console opens, it determines the configured language settings for the computer, verifies whether an associated language pack is available for the Configuration Manager console, and then opens the console by using the appropriate language pack. When you want to open the Configuration Manager console in English regardless of the configured language settings on the computer, you must manually remove or rename the language pack files on the computer. Use the following procedures to start the Configuration Manager console in English regardless of the configured locale setting on the computer. To install an English-only version of the Configuration Manager console on computers 1. In Windows Explorer, browse to <ConfigMgrInstallationPath>\Tools\ConsoleSetup\LanguagePack. 2. Rename the .msp and .mst files. For example, you could change <file name>.MSP to <file name>.MSP.disabled. 3. Install the Configuration Manager console on the computer. Important When new server languages are configured for the site server, the .msp and .mst files are recopied to the LanguagePack folder, and you must repeat this procedure to install new Configuration Manager consoles in only English. To temporarily disable a console language on an existing Configuration Manager console installation 1. On the computer that is running the Configuration Manager console, close the Configuration Manager console. 2. In Windows Explorer, browse to <ConsoleInstallationPath>\Bin\ on the Configuration Manager console computer. 3. Rename the appropriate language folder for the language that is configured on the computer. For example, if the language settings for the computer were set for German, you could rename the de folder to de.disabled. 4. To open the Configuration Manager console in the language that is configured for the computer, rename the folder to the original name. For example, rename de.disabled to de.

Install a Site Server

Your Configuration Manager deployment consists of either a hierarchy of sites or a stand-alone site. A hierarchy consists of multiple sites, each with one or more site system servers. A standalone site also consists of one or more site system servers. Site system servers extend the functionality of Configuration Manager. For example, you might install a site system at a site to
596

support software update deployment or to manage mobile devices. To successfully plan your hierarchy of sites and identify the best network and geographical locations to place site servers, make sure that you review the information about each site type and the alternatives to sites that content deployment-related site systems offer. For more information, see the Planning a Hierarchy in Configuration Manager section in the Planning for Sites and Hierarchies in Configuration Manager topic. You must have a forest trust to support any Configuration Manager sites that are located in other Active Directory forests. When you install a Configuration Manager site in a trusted forest, Configuration Manager does not require any additional configuration steps. However, make sure that any intervening firewalls and network devices do not block the network packets that Configuration Manager requires, that name resolution is working between the forests, and that you use an account that has sufficient permissions to install the site. For more information, see the Planning for Communications Across Forests in Configuration Manager section in the Planning for Communications in Configuration Manager topic. Configuration Manager central administration site and primary site installation requires SQL Server to be installed before you run Setup. You can install SQL Server on a secondary site server before you run Setup, or let Setup install SQL Server Express as part of the secondary site installation. For more information about supported SQL Server versions for site installation, see the SQL Server Site Database Configurations section in the Supported Configurations for Configuration Manager topic. To set up a new site in Configuration Manager, you can use either the Configuration Manager Setup Wizard, or perform an unattended installation by using the scripted installation method. When you use the Configuration Manager Setup Wizard, you can install a primary site server or central administration site. You install a secondary site from the Configuration Manager console. For more information about the command-line options that are available with Setup, see the Using Command-Line Options with Setup section in this topic. For more information about running Setup by using an unattended script, see the Configuration Manager Unattended Setup section in this topic. Important After Setup is finished, you cannot change the program files installation directory, site code, or site description for the site. To change the installation directory, site code, or site name, you must uninstall the site, and then reinstall the site by using the new values. Use the following sections to help you install a site by using the Setup Wizard.

Install a Central Administration Site

Use a central administration site to configure hierarchy-wide settings and to monitor all sites and objects in the hierarchy. You must install the central administration site before you install the primary site that is connected to the Configuration Manager hierarchy. If you install a primary site before you install the central administration site, the only way to connect the primary site to the Configuration Manager hierarchy is to uninstall the primary site, install the central administration
597

site, and then reinstall the primary site and connect it to the central administration site during Setup. However, with Configuration Manager SP1, you can expand an existing stand-alone primary site into a hierarchy that includes a new central administration site. After you install the new central administration site, you can install additional new primary sites. For more information, see the Planning to Expand a Stand-Alone Primary Site section in the Planning for Sites and Hierarchies in Configuration Manager topic. Use the following procedure to install a central administration site. To install a central administration site 1. Verify that the administrative user who runs Setup has the following security rights: Local Administrator rights on the central administration site server computer. Local Administrator rights on each computer that hosts one of the following: The site database An instance of the SMS Provider for the site A management point for the site A distribution point for the site

Sysadmin (SA) rights on the instance of SQL Server that hosts the site database.

2. On the central administration site computer, open Windows Explorer and browse to <ConfigMgrInstallationMedia>\SMSSETUP\BIN\X64. 3. Double-click Setup.exe. The Configuration Manager Setup Wizard opens. 4. On the Before You Begin page, click Next. 5. On the Getting Started page, select Install a Configuration Manager central administration site, and then click Next. 6. On the Product Key page, choose whether to install Configuration Manager as an evaluation or a full installation. Enter your product key for the full installation of Configuration Manager. Click Next. If you install Configuration Manager as an evaluation, after 180 days the Configuration Manager console becomes read-only until you activate the product with a product key from the Site Maintenance page in Setup. 7. On the Microsoft Software License Terms page, read and accept the license terms, and then click Next. 8. On the Prerequisite Licenses page, read and accept the license terms for the prerequisite software, and then click Next. Setup downloads and automatically installs the software on site systems or clients when it is required. You must select all check boxes before you can continue to the next page. 9. On the Prerequisite Downloads page, specify whether Setup must download the latest prerequisite redistributable files, language packs, and the latest product updates from the Internet or use previously downloaded files, and then click Next. If you previously downloaded the files by using Setup Downloader, select Use previously downloaded files and specify the download folder. For information about Setup Downloader, see the
598

Setup Downloader section in this topic. Note When you use previously downloaded files, verify that the path to the download folder contains the most recent version of the files. 10. On the Server Language Selection page, select the languages that are available for the Configuration Manager console and for reports, and then click Next. English is selected by default and cannot be removed. 11. On the Client Language Selection page, select the languages that are available to client computers, specify whether to enable all client languages for mobile device clients, and then click Next. English is selected by default and cannot be removed. Important If you are installing a central administration site to expand a stand-alone primary site, select the same client languages that are installed at the stand-alone primary site. 12. On the Site and Installation Settings page, specify the site code and site name for the site. For more information about site code naming, including best practices and limitations, see the Configuration Manager Site Naming section in this topic. 13. Specify the installation folder and whether Setup will install the Configuration Manager console on the local computer, and then click Next. The folder path must not contain trailing spaces or Unicode characters. Warning You cannot change the installation folder after Setup is finished. Verify that the disk drive has enough disk space before you continue. 14. If you are using Configuration Manager with no service pack, skip to step 15. On the Central Administration Site Installation page, select the option that is appropriate to your scenario: To install a central administration site as the first site of a new hierarchy, select Install as the first site in a new hierarchy, and then click Next to continue. To install a central administration site to expand an existing stand-alone primary site into a hierarchy, select Expand an existing stand-alone primary into a hierarchy, specify the FQDN of the stand-alone primary site server, and then click Next to continue. Note The stand-alone primary site must run the same version of Configuration Manager as the version that you use to install the central administration site. 15. On the Database Information page, specify the information for the site database server and the SQL Server Service Broker (SSB) port that the SQL Server is to use, and then click Next. You must specify a valid port that no other site or service is using, and that no firewall restrictions block. Important
599

With Configuration Manager with no service pack, when you configure the site database to use the default instance of SQL Server, you must configure the SQL Server service port to use TCP port 1433, the default port. With Configuration Manager SP1, you can use a nondefault TCP port for the default instance. Note Typically, the Service Broker is configured to use TCP port 4022, but other ports are supported. 16. On the SMS Provider Settings page, specify the FQDN for the server that hosts the SMS Provider, and then click Next. You can configure additional SMS providers for the site after the initial installation. 17. On the Customer Experience Improvement Program Configuration page, choose whether to participate, and then click Next. 18. On the Settings Summary page, review the setting and verify that they are accurate. Click Next to start Prerequisite Checker to verify server readiness for the central administration site server. 19. On the Prerequisite Installation Check page, if no problems are listed, click Next to install the central administration site. When Prerequisite Checker finds a problem, click an item in the list for details about how to resolve the problem. You must resolve all items in the list that have an Error status before you continue setup. After you resolve the issue, click Run Check to restart prerequisite checking. You can also open the ConfigMgrPrereq.log file in the root of the system drive to review the Prerequisite Checker results. The log file can contain additional information that is not displayed in the user interface. For a complete list of installation prerequisite rules and descriptions, see Technical Reference for the Prerequisite Checker in Configuration Manager. 20. On the Installation page, Setup displays the overall installation status. When Setup completes the core site server installation, you can close the wizard. Site configuration continues in the background. Note You can connect a Configuration Manager console to the central administration site before the site installation finishes, but the console connects to the site by using a read-only console. The read-only console lets you view objects and configuration settings but prevents you from introducing any change that could be lost when the site installation finishes.

Install a Primary Site Server

During Setup, you must choose whether to join the primary site to an existing central administration site or install it as a stand-alone primary site. Important When you create a Configuration Manager hierarchy, you must install the central administration site first.
600

When you install a new primary site in your production environment, manually configure the installation options in the wizard. Typically, you only select the Use typical installation options for a stand-alone primary site option to install a stand-alone primary site in your test environment. When you select this option, Setup automatically configures the site as a standalone primary site, uses a default installation path, a local installation of the default instance of SQL Server for the site database, a local management point, a local distribution point, and configures the site with English and the display language of the operating system on the primary site server if it matches one of the languages that Configuration Manager supports. Use one of the following procedures to install a primary site. To install a primary site that joins an existing Configuration Manager hierarchy 1. Verify that the administrative user that runs Setup has the following security rights: Local Administrator rights on the central administration site server computer Sysadmin rights on the site database of the central administration site Local Administrator rights on the primary site server computer Local Administrator rights on each computer that hosts one of the following at the primary site: The site database An instance of the SMS Provider for the site A management point for the site A distribution point for the site

Sysadmin rights on the instance of SQL Server that hosts the site database Role-based administration rights that are equivalent to the security role of Infrastructure Administrator or Full Administrator Note Setup automatically configures the-sender address to use the computer account for the primary site server. This account must have Read, Write, Execute, and Delete NTFS file system permissions on the SMS\Inboxes\Despoolr.box\Receive folder on the central administration site server. Also, your security policy must allow the account Access this computer from the network rights on the central administration site. After Setup is finished, you can change the account to a Windows user account if it is required. For example, you must change the account to a Windows user account if your central administration site is in a different forest. For more information about communication requirements across forest trusts, see Planning for Communications Across Forests in Configuration Manager.

2. On the new primary site computer, open Windows Explorer and browse to <ConfigMgrInstallationMedia>\SMSSETUP\BIN\X64. 3. Double-click Setup.exe. The Configuration Manager Setup Wizard opens. 4. On the Before You Begin page, click Next.
601

5. On the Getting Started page, select Install a Configuration Manager primary site, verify that Use typical installation options for a stand-alone primary site is cleared, and then click Next. 6. On the Product Key page, choose whether to install Configuration Manager as an evaluation or a full installation. Enter your product key for the full installation of Configuration Manager. Click Next. If you install Configuration Manager as an evaluation, after 180 days the Configuration Manager console becomes read-only until you activate the product from the Site Maintenance page in the Setup Wizard. 7. On the Microsoft Software License Terms page, read and accept the license terms, and then click Next. 8. On the Prerequisite Licenses page, read and accept the license terms for the prerequisite software, and then click Next. Setup downloads and automatically installs the software on site systems or clients when it is required. You must select all check boxes before you can continue to the next page. 9. On the Prerequisite Downloads page, specify whether Setup will download the latest prerequisite redistributable files, language packs, and the latest product updates from the Internet or use previously downloaded files, and then click Next. If you previously downloaded the files by using Setup Downloader, select Use previously downloaded files and specify the download folder. For information about Setup Downloader, see the Setup Downloader section in this topic. Note When you use previously downloaded files, verify that the path to the download folder contains the most recent version of the files. 10. On the Server Language Selection page, select the languages that are available for the Configuration Manager console and for reports, and then click Next. English is selected by default and cannot be removed. 11. On the Client Language Selection page, select the languages that are available to client computers, specify whether to enable all client languages for mobile device clients, and then click Next. English is selected by default and cannot be removed. 12. On the Site and Installation Settings page, specify the site code and site name for the site. For more information about site code naming, including best practices and limitations, see the Configuration Manager Site Naming section in this topic. 13. Specify the installation folder and whether Setup will install the Configuration Manager console on the local computer, and then click Next. The folder path must not contain trailing spaces or Unicode characters. Warning You cannot change the installation folder after Setup is finished. Verify that the disk drive has enough disk space before you proceed. 14. On the Primary Site Installation page, select Join the primary site to an existing hierarchy, specify the FQDN for the central administration site, and then click Next. Setup verifies that the primary site server has access to the central administration site
602

server, and that the site code for the central administration site can be retrieved by using the security credentials of the administrative user that is running Setup. 15. On the Database Information page, specify the information for the site database server and the SQL Server Service Broker (SSB) port that SQL Server is to use, and then click Next. You must specify a valid port that no other site or service is using, and that no firewall restrictions block. Typically, the Service Broker is configured to use TCP port 4022, but other ports are supported. Important With Configuration Manager without a service pack, when you configure the site database to use the default instance of SQL Server, you must configure the SQL Server service port to use TCP port 1433, the default port. With Configuration Manager SP1, you can use a nondefault TCP port for the default instance. 16. On the SMS Provider Settings page, specify the FQDN for the server that will host the SMS Provider, and then click Next. You can configure additional SMS providers for the site after the initial installation. 17. On the Client Computer Communication Settings page, choose whether to configure all site systems to accept only HTTPS communication from clients or for the communication method to be configured for each site system role, and then click Next. When you select All site system roles accept only HTTPS communication from clients, the client computer must have a valid PKI certificate for client authentication. When you select Configure the communication method on each site system role, you can choose Clients will use HTTPS when they have a valid PKI certificate and HTTPS-enabled site roles are available. This ensures that the client selects a site system that is configured for HTTPS if is available. For more information about PKI certificate requirements, see PKI Certificate Requirements for Configuration Manager. 18. On the Site System Roles page, choose whether to install a management point or distribution point. When selected for installation, enter the FQDN for site system and select the client connection method. Click Next. If you selected All site system roles accept only HTTPS communication from clients on the previous page, the client connection settings are automatically configured for HTTPS and cannot be changed unless you go back and change the setting. Note The site system installation account is automatically configured to use the primary sites computer account to install the site system role. If you have to use an alternate installation account for remote site systems, you should not select the roles in the Setup Wizard and install them later from the Configuration Manager console. 19. On the Customer Experience Improvement Program Configuration page, choose whether to participate, and then click Next. 20. On the Settings Summary page, review the setting and verify that they are accurate. Click Next to start Prerequisite Checker to verify server readiness for the primary site server and for specified site system roles. 21. On the Prerequisite Installation Check page, if no problems are listed, click Next to
603

install the primary site and site system roles that you selected. When Prerequisite Checker finds a problem, click an item on the list for details about how to resolve the problem. You must resolve all items in the list that have an Error status before you continue setup. After you resolve the issue, click Run Check to restart prerequisite checking. You can also open the ConfigMgrPrereq.log file in the root of the system drive to review the Prerequisite Checker results. The log file can contain additional information that is not displayed in the user interface. For a complete list of installation prerequisite rules and descriptions, see Technical Reference for the Prerequisite Checker in Configuration Manager. 22. On the Installation page, Setup displays the overall installation status. When Setup completes the core site server and site system installation, you can close the wizard. Site configuration continues in the background. Note You can connect a Configuration Manager console to a primary site before the site installation finishes, but the console will connect to the site by using a readonly console. The read-only console lets you view objects and configuration settings but prevents you from introducing any change that could be lost when the site installation finishes. To install a stand-alone primary site 1. Verify that the administrative user who runs Setup has the following security rights: Local Administrator rights on the primary site server computer Local Administrator rights on each computer that hosts one of the following: The site database An instance of the SMS Provider for the site A management point for the site A distribution point for the site

Sysadmin rights on the instance of SQL Server that hosts the site database.

2. On the new primary site computer, open Windows Explorer and browse to <ConfigMgrInstallationMedia>\SMSSETUP\BIN\X64. 3. Double-click Setup.exe. The Configuration Manager Setup Wizard opens. 4. On the Before You Begin page, click Next. 5. On the Getting Started page, select Install a Configuration Manager primary site, verify that Use typical installation options for a stand-alone primary site is not selected, and then click Next. 6. On the Product Key page, choose whether to install Configuration Manager as an evaluation or a full installation. Enter your product key for the full installation of Configuration Manager. Click Next. If you install Configuration Manager as an evaluation, after 180 days the Configuration Manager console becomes read-only until you activate the product with a product key
604

from the Site Maintenance page in Setup. 7. On the Microsoft Software License Terms page, read and accept the license terms, and then click Next. 8. On the Prerequisite Licenses page, read and accept the license terms for the prerequisite software, and then click Next. Setup downloads and automatically installs the software on site systems or clients when it is required. You must select all check boxes before you can continue to the next page. 9. On the Prerequisite Downloads page, specify whether Setup will download the latest prerequisite redistributable files, language packs, and the latest product updates from the Internet or use previously downloaded files, and then click Next. If you previously downloaded the files by using Setup Downloader, select Use previously downloaded files and specify the download folder. For information about Setup Downloader, see the Setup Downloader section in this topic. Note When you use previously downloaded files, verify that the path to the download folder contains the most recent version of the files. 10. On the Server Language Selection page, select the languages that will be available for the Configuration Manager console and for reports, and then click Next. English is selected by default and cannot be removed. 11. On the Client Language Selection page, select the languages that will be available to client computers, specify whether to enable all client languages for mobile device clients, and then click Next. By default, English is selected and cannot be removed. 12. On the Site and Installation Settings page, specify the site code and site name for the site. For more information about site code naming, including best practices and limitations, see the Configuration Manager Site Naming section in this topic. 13. Specify the installation folder and whether Setup will install the Configuration Manager console on the local computer, and then click Next. The folder path must not contain trailing spaces or Unicode characters. Warning You cannot change the installation folder after Setup finishes. Verify that the disk drive has enough disk space before you proceed. Important If you selected Use typical installation options for a stand-alone primary site, skip to step 17 - the Customer Experience Improvement Program Configuration page. 14. On the Primary Site Installation page, select Install the primary site as a stand-alone site, and then click Next. Click Yes to confirm that you want to install the site as a standalone site. Important You cannot join the stand-alone primary site to a central administration site after
605

Setup finishes. 15. On the Database Information page, specify the information for the site database server and the SQL Server Service Broker (SSB) port that SQL Server is to use, and then click Next. You must specify a valid port that no other site or service is using, and that no firewall restrictions block. Typically, the Service Broker is configured to use TCP port 4022, but other ports are supported. Important With Configuration Manager with no service pack, when you configure the site database to use the default instance of SQL Server, you must configure the SQL Server service port to use TCP port 1433, the default port. With Configuration Manager SP1, you can use a nondefault TCP port for the default instance. 16. On the SMS Provider Settings page, specify the FQDN for the server that will host the SMS Provider, and then click Next. You can configure additional SMS providers for the site after the initial installation. 17. On Client Communication Settings page, choose whether to configure all site systems to accept only HTTPS communication from clients or for the communication method to be configured for each site system role, and then click Next. When you select to All site system roles accept only HTTPS communication from clients, client computer must have a valid PKI certificate for client authentication. For more information about PKI certificate requirements, see PKI Certificate Requirements for Configuration Manager. 18. On the Site System Roles page, choose whether to install a management point or distribution point. When selected for installation, enter the FQDN for site system and choose the client connection method. Click Next. When you selected All site system roles accept only HTTPS communication from clients on the previous page, the client connection settings are automatically configured for HTTPS and cannot be changed unless you go back and change the setting. Note The site system installation account is automatically configured to use the primary sites computer account to install the site system role. If you have to use an alternate installation account for remote site systems, you should not select the roles in the Setup Wizard and install them later from the Configuration Manager console. 19. On the Customer Experience Improvement Program Configuration page, choose whether to participate, and then click Next. 20. On the Settings Summary page, review the setting and verify that they are accurate. Click Next to start Prerequisite Checker to verify server readiness for the primary site server and site system roles. 21. On the Prerequisite Installation Check page, if no problems are listed, click Next to install the primary site and site system roles. When Prerequisite Checker finds a problem, click an item on the list for details about how to resolve the problem. You must resolve all items in the list that have an Error status before you continue Setup. After you resolve the issue, click Run Check to restart prerequisite checking. You can also open the ConfigMgrPrereq.log file in the root of the system drive to review the Prerequisite
606

Checker results. The log file can contain additional information that is not displayed in the user interface. For a complete list of installation prerequisite rules and descriptions, see Technical Reference for the Prerequisite Checker in Configuration Manager. 22. On the Installation page, Setup displays the overall installation status. When Setup completes the core site server and site system installation, you can close the wizard. Site configuration continues in the background. Note You can connect a Configuration Manager console to the primary site before the site installation finishes, but the console will connect to the site by using a readonly console. The read-only console lets you view objects and configuration settings but prevents you from introducing any change that could be lost when the site installation finishes.

Install a Secondary Site

Use secondary sites to manage the transfer of deployment content and client data across low bandwidth networks. You manage a secondary site from a central administration site or the secondary sites parent primary site, and they are frequently used in locations that do not have an administrative user with Local Administrator rights. After a secondary site is attached to a primary site, you cannot move it to a different parent site without uninstalling it, and then reinstalling it at the new site. The secondary site requires SQL Server for its site database. Setup automatically installs SQL Server Express during site installation if a local instance of SQL Server is not available. Before Setup starts the secondary site installation, it runs Prerequisite Checker on the secondary site computer to verify requirements. During the secondary site installation, Setup configures database replication with its parent primary site, and automatically installs the management point and distribution point site system roles on the secondary site. Note For more information about supported versions of SQL Server for secondary sites, see the SQL Server Site Database Configurations section in the Supported Configurations for Configuration Manager topic. Note Setup automatically configures the secondary site to use the client communication ports that are configured at the parent primary site. Use the following procedure to create a secondary site. To create a secondary site 1. Verify that the following security rights exist: The administrative user who configures the installation of the secondary site in the Configuration Manager console must have role-based administration rights that are
607

equivalent to the security role of Infrastructure Administrator or Full Administrator. The computer account of the parent primary site must be a Local Administrator on the secondary site server computer. When the secondary site uses a previously installed instance of SQL Server to host the secondary site database: The computer account of the parent primary site must have sysadmin rights on the instance of SQL Server on the secondary site server computer. The Local System account of the secondary site server computer must have sysadmin rights on the instance of SQL Server on the secondary site server computer.

2. In the Configuration Manager console, click Administration. 3. In the Administration workspace, expand Site Configuration, and then click Sites. 4. On the Home tab, in the Site group, click Create Secondary Site. The Create Secondary Site Wizard opens. 5. On the Before You Begin page, confirm that the primary site that is listed is the site in which you want this secondary site to be a child, and then click Next. 6. On the General page, specify the following settings: Site code: Specify a site code for the secondary site. For more information about site code naming, including best practices and limitations, see the Configuration Manager Site Naming section in this topic. Site server name: Specify the FQDN for the secondary site server. Verify that the server meets the requirements for secondary site installation. For more information about supported configurations, see Supported Configurations for Configuration Manager. Site name: Specify a name for the secondary site. Installation folder: Specify the installation folder to create on the secondary site server.

Click Next. Important You can click Summary to use the default settings in the wizard and go directly to the Summary page. Use this option only when you are familiar with the settings in this wizard. Boundary groups are not associated with the distribution point when you use the default settings. As a result, clients do not use the distribution point that is installed on this secondary site as a content source location. For more information about boundary groups, see the Create and Configure Boundary Groups for Configuration Manager section in the Configuring Boundaries and Boundary Groups in Configuration Manager topic. 7. On the Installation Source Files page, specify the location for the installation files for the secondary site, and then click Next. You can copy the files from the parent site to the secondary site, use the source files from a network location, or use source files that are already available locally on the secondary site server.
608

When you choose the Use the source files at the following network location or Use the source files at the following location on the secondary site computer options, the location must contain the Redist subfolder with the prerequisite redistributable files, language packs, and the latest product updates for Setup. Use Setup Downloader to download the required files to the Redist folder before you install the secondary site. The secondary site installation will fail if the files are not available in the Redist subfolder. For more information about Setup Downloader, see Setup Downloader in this topic. Note The folder or share name that you choose for the Setup installation source files must use only ASCII characters. Security The computer account for the secondary site must have Read NTFS file system permissions and share permissions to the Setup source folder and share. Avoid using administrative network shares (for example, C$ and D$) because they require the secondary site computer account to be an administrative user on the remote computer. 8. On the SQL Server Settings page, specify whether the secondary site will use SQL Server Express or an existing instance of SQL Server for the site database, and then configure the associated settings. Important With Configuration Manager with no service pack, when you configure the site database to use the default instance of SQL Server, you must configure the SQL Server service port to use TCP port 1433, the default port. With Configuration Manager SP1, you can use a nondefault TCP port for the default instance. Install and configure a local copy of SQL Express on the secondary site computer SQL Server Service port: Specify the SQL Server service port for SQL Server Express to use. The service port is typically configured to use TCP port 1433, but you can configure another port. SQL Server Broker port: Specify the SQL Server Service Broker (SSB) port for SQL Server Express to use. The Service Broker is typically configured to use TCP port 4022, but you can configure a different port. You must specify a valid port that no other site or service is using, and that no firewall restrictions block.

Use an existing SQL Server instance SQL Server FQDN: Review the FQDN for the SQL Server computer. You must use a local SQL Server to host the secondary site database and cannot modify this setting. SQL Server instance: Specify the instance of SQL Server to use as the secondary site database. Leave this option blank to use the default instance. ConfigMgr site database name: Specify the name to use for the secondary site database.
609

SQL Server Broker port: Specify the SQL Server Service Broker (SSB) port for SQL Server to use. You must specify a valid port that no other site or service is using, and that no firewall restrictions block. Note Setup does not validate the information that you enter on this page until it starts the installation. Before you continue, verify these settings.

Click Next. 9. On the Distribution Point page, configure the general distribution point settings. Install and configure IIS if required by Configuration Manager: Select this setting to let Configuration Manager install and configure Internet Information Services (IIS) on the server if it is not already installed. IIS must be installed on all distribution points. If IIS is not installed on the server and you do not select this setting, you must install IIS before the distribution point can be installed successfully. Configure how client devices communicate with the distribution point. There are advantages and disadvantages for using HTTP and HTTPS. For more information, see Security Best Practices for Content Management section in the Security and Privacy for Content Management in Configuration Manager topic. Important You must select HTTPS when the parent primary site is configured to communicate only by using HTTPS. For more information about client communication to the distribution point and other site systems, see the Planning for Client Communications in Configuration Manager section in the Planning for Communications in Configuration Manager topic. Allow clients to connect anonymously: This setting specifies whether the distribution point will allow anonymous connections from Configuration Manager clients to the content library. Warning When you deploy a Windows Installer application on a Configuration Manager client, Configuration Manager downloads the file to the local cache on the client and the files are eventually removed after the installation finishes. The Configuration Manager client updates the Windows Installer source list for the installed Windows Installer applications with the content path for the content library on associated distribution points. Later, if you start the Repair action from Add/Remove Programs on a Configuration Manager client that is running Windows XP, MSIExec attempts to access the content path by using an anonymous user. You must select the Allow clients to connect anonymously setting, or the repair fails for clients that are running Windows XP. For all other operating systems, the client connects to the distribution point by using the logged-on user account. Create a self-signed certificate or import a public key infrastructure (PKI) client certificate for the distribution point. The certificate has the following purposes:
610

It authenticates the distribution point to a management point before the distribution point sends status messages. When you select the Enable PXE support for clients check box on the PXE Settings page, the certificate is sent to computers that perform a PXE boot so that they can connect to a management point during the deployment of the operating system.

When all your management points in the site are configured for HTTP, create a selfsigned certificate. When your management points are configured for HTTPS, import a PKI client certificate. To import the certificate, browse to a Public Key Cryptography Standard (PKCS #12) file that contains a PKI certificate with the following requirements for Configuration Manager: Intended use must include client authentication. The private key must be enabled to be exported. Note There are no specific requirements for the certificate subject or subject alternative name (SAN), and you can use the same certificate for multiple distribution points. For more information about the certificate requirements, see PKI Certificate Requirements for Configuration Manager. For an example deployment of this certificate, see the Deploying the Client Certificate for Distribution Points section in the Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority topic. Enable this distribution point for prestaged content: Select this setting to enable the distribution point for prestaged content. When this setting is selected, you can configure distribution behavior when you distribute content. You can choose whether you always want to prestage the content on the distribution point, prestage the initial content for the package, but use the normal content distribution process when there are updates to the content, or always use the normal content distribution process for the content in the package.

10. On the Drive Settings page, specify the drive settings for the distribution point. You can configure up to two disk drives for the content library and two disk drives for the package share, although Configuration Manager can use additional drives when the first two reach the configured drive space reserve. The Drive Settings page configures the priority for the disk drives and the amount of free disk space to remain on each disk drive. Drive space reserve (MB): The value that you configure for this setting determines the amount of free space on a drive before Configuration Manager chooses a different drive and continues the copy process to that drive. Content files can span multiple drives. Content Locations: Specify the content locations for the content library and package share. Configuration Manager copies content to the primary content location until the
611

amount of free space reaches the value that is specified for Drive space reserve (MB). By default, the content locations are set to Automatic, and the primary content location will be set to the disk drive that has the most disk space at installation and the secondary location that is assigned the disk drive that has the second most free disk space. When the primary and secondary drives reach the drive space reserve, Configuration Manager selects another available drive with the most free disk space and continues the copy process. 11. On the Content Validation page, specify whether to validate the integrity of content files on the distribution point. When you enable content validation on a schedule, Configuration Manager initiates the process at the scheduled time, and all content on the distribution point is verified. You can also configure the content validation priority. To view the results of the content validation process, click the Monitoring workspace, expand Distribution Status, and click the Content Status node. The content for each package type (for example, Application, Software Update Package, and Boot Image) is displayed. 12. On the Boundary Groups page, manage the boundary groups for which this distribution point is assigned. During content deployment, clients must be in a boundary group that is associated with the distribution point to use it as a source location for content. You can select the Allow fallback source location for content option to allow clients outside these boundary groups to fall back and use the distribution point as a source location for content when no preferred distribution points are available. For more information about preferred distribution points, see the Planning for Preferred Distribution Points and Fallback section in the Planning for Content Management in Configuration Manager topic. 13. On the Summary page, verify the settings, and then click Next to install the secondary site. 14. On the Completion page, click Close to exit the wizard. Tip The Windows PowerShell cmdlet, New-CMSecondarySite, performs the same function as this procedure. For more information, see New-CMSecondarySite in the System Center 2012 Configuration Manager SP1 Cmdlet Reference documentation. To verify the secondary site installation status 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, and then click Sites. 3. Select the secondary site server to check installation status, and then on the Home tab, in the Site group, click Show Install Status. 4. Verify that the secondary site successfully finished. Note When you install more than one secondary site at a time, the prerequisite check runs against a single site at a time, and must complete for a site before it starts to check the next site.

612

Upgrade an Evaluation Installation to a Full Installation

If you install Configuration Manager as an evaluation, after 180 days the Configuration Manager console becomes read-only until you activate the product from the Site Maintenance page in Setup. Note When you connect a Configuration Manager console to an evaluation installation of Configuration Manager, the title bar of the console displays the number of days that remain before the evaluation installation expires. The number of days does not automatically refresh and only updates when you make a new connection to a site. Use the following procedure to upgrade an evaluation installation to a full installation. To upgrade an evaluation installation to a full installation 1. On the site server, click Start, and then point to All Programs. Point to Microsoft System Center 2012, click Configuration Manager, and then click Configuration Manager Setup. Important When you run Setup from installation media, site maintenance options are not available. 2. On the Before You Begin page, click Next. 3. On the Getting Started page, select Perform site maintenance or reset the Site, and then click Next. 4. On the Site Maintenance page, select Convert from Evaluation to Full Product Version, enter a valid product key, and then click Next. 5. On the Microsoft Software License Terms page, read and accept the license terms, and then click Next. 6. On the Configuration page, click Close to complete the wizard. Note When you have a Configuration Manager console connected to the site when you upgrade the site to the full installation, the title bar might indicate that the site is still an evaluation version until you reconnect the console to the site.

Using Command-Line Options with Setup

There are many options available when you run Configuration Manager Setup at a command prompt. These options can be used to start a scripted installation or upgrade, test a site's ability to be upgraded, perform a site reset, manage installed languages, and so on.

613

The following table provides a list of command-line options for Setup. For information about how to use Setup script files to perform unattended installations, see the Configuration Manager Unattended Setup section in this topic.
Command-line option Description

/DEINSTALL

Uninstalls the site. You must run Setup from the site server computer. Install a site, but prevent the Site Component Manager service from starting. Until the Site Component Manager service starts, the site is not active. The Site Component Manager is responsible for installing and starting the SMS_Executive service, and additional processes at the site. After the site install is completed, when you start the Site Component Manager service, it will then install the SMS_Executive and additional processes necessary for the site to operate. Hides the user interface during setup. This option must be used in conjunction with the /SCRIPT option, and the unattended script file must provide all required options, or Setup fails. Disables user input during Setup, but display the Setup Wizard interface. This option must be used in conjunction with the /SCRIPT option, and the unattended script file must provide all required options, or Setup fails. Performs a site reset that resets the database and service accounts for the site. You must run Setup from <ConfigMgrInstallationPath>\BIN\X64 on the site server. For more information about the site reset, see the Perform a Site Reset section in the Manage Site and Hierarchy Configurations topic. Performs a test on a backup of the site database to ensure that it is capable of an upgrade. You must provide the instance name and database name for the site database. If you specify only the database name, Setup uses
614

/DONTSTARTSITECOMP

/HIDDEN

/NOUSERINPUT

/RESETSITE

/TESTDBUPGRADE <InstanceName\DatabaseName>

Command-line option

Description

the default instance name. Important It is not supported to run this command-line option on your production site database. Doing so upgrades the site database and could render your site inoperable. /UPGRADE For Configuration Manager SP1 only: Runs an unattended upgrade of a site. When you use /UPGRADE, you must also specify the product key, including the dashes (-). Additionally, you must specify the path to the previously downloaded Setup prerequisite files. Example: setupwpf.exe /UPGRADE xxxxxxxxxx-xxxxx-xxxxx-xxxxx <path to external component files> For more information about Setup prerequisite files, see the Setup Downloader section in this topic. /SCRIPT <SetupScriptPath> Performs unattended installations. A Setup initialization file is required when you use the /SCRIPT option. For more information about how to run Setup unattended, see the Configuration Manager Unattended Setup section in this topic. Installs the SMS Provider on the specified computer. You must provide the FQDN for the SMS Provider computer. For more information about the SMS Provider, see the Site System Roles in Configuration Manager section in the Planning for Site Systems in Configuration Manager topic. Uninstalls the SMS Provider on the specified computer. You must provide the FQDN for the SMS Provider computer. Manages the languages that are installed at a previously installed site. To use this option, you must run Setup from
615

/SDKINST <FQDN>

/SDKDEINST <FQDN>

/MANAGELANGS <LanguageScriptPath>

Command-line option

Description

<ConfigMgrInstallationPath>\BIN\X64 on the site server and provide the location for the language script file that contains the language settings. For more information about the language options available in the language setup script file, see the How to use a Command-Line Option to Manage Languages section in this topic.

How to use a Command-Line Option to Manage Languages

Use the /MANAGELANGS command-line option to run Configuration Manager Setup to manage the languages that are supported at a central administration site or primary site that you previously installed. To use the command-line option, you must run Setup from <ConfigMgrInstallationPath>\Bin\X64 on the site server and specify a language script file that contains the language settings. For example, use the following command syntax: setupwpf.exe /MANAGELANGS <language script file> You use the language script file to specify the server and client languages for which you want to add or remove support at a site. You can also manage the languages for mobile devices. The following table lists the script keys and available values for the language script file.
Section Key name Require d Values Description

Identificatio Action n

Yes

ManageLanguages

Manages the server, client, and mobile client language support at a site. Specifies the server languages that will be available for the Configuration Manager console, reports, and Configuration Manager objects. English is
616

Options

AddServerLanguages

No

For Configuration Manager with no service pack: DEU, FRA, RUS, CHS, or JPN For Configuration Manager with SP1: DEU, FRA, RUS, CHS, JPN, CHT, CSY, ESN, HUN, ITA, KOR, NLD, PLK, PTB, PTG, SVE, TRK, or ZHH

Section

Key name

Require d

Values

Description

available by default. AddClientLanguages No For Configuration Manager with no service pack: DEU, FRA, RUS, CHS, JPN, CHT, CSY, ESN, HUN, ITA, KOR, NLD, PLK, PTB, PTG, SVE, or TRK For Configuration Manager with SP1: DEU, FRA, RUS, CHS, JPN, CHT, CSY, ESN, HUN, ITA, KOR, NLD, PLK, PTB, PTG, SVE, TRK, or ZHH DeleteServerLanguag es No For Configuration Manager with no service pack: DEU, FRA, RUS, CHS, or JPN For Configuration Manager with SP1: DEU, FRA, RUS, CHS, JPN, CHT, CSY, ESN, HUN, ITA, KOR, NLD, PLK, PTB, PTG, SVE, TRK, or ZHH Specifies the languages that will be available to client computers. English is available by default.

Specifies the languages to remove that will no longer be available for the Configuration Manager console, reports, and Configuration Manager objects. English is available by default and cannot be removed. Specifies the languages to remove that will no longer be available to client computers. English is available by default and cannot be
617

DeleteClientLanguag es

No

For Configuration Manager with no service pack: DEU, FRA, RUS, CHS, JPN, CHT, CSY, ESN, HUN, ITA, KOR, NLD, PLK, PTB, PTG, SVE, or TRK For Configuration Manager with SP1: DEU, FRA, RUS, CHS, JPN, CHT, CSY, ESN, HUN, ITA, KOR, NLD, PLK,

Section

Key name

Require d

Values

Description

PTB, PTG, SVE, TRK, or ZHH MobileDeviceLangua ge Yes 0 or 1 0 = do not install 1 = install PrerequisiteComp Yes 0 or 1 0 = download 1 = already downloaded

removed.

Specifies whether the mobile device client languages are installed. Specifies whether Setup prerequisite files have already been downloaded. For example, if you use a value of 0, Setup downloads the files. Specifies the path to the Setup prerequisite files. Depending on the PrerequisiteCo mp value, Setup uses this path to store downloaded files or to locate previously downloaded files.

PrerequisitePath

Yes

<PathToSetupPrerequisiteFil es>

Configuration Manager Unattended Setup

To perform an unattended installation for a new Configuration Manager central administration site or primary site, you can create an unattended installation script and use Setup with the /SCRIPT command-line option. The script provides the same type of information that the Setup Wizard prompts for, except that there are no default settings. All values must be specified for the setup keys that apply to the type of installation that you are using. Note
618

You cannot use the unattended script file to upgrade an evaluation site to a full installation of Configuration Manager. When you run Setup to install Configuration Manager by using the user interface, Setup automatically creates the unattended installation script for you when you confirm the settings on the Summary page of the wizard. The unattended installation script contains the settings that you select in the wizard. After the script is created, you can modify the script to install other sites in your hierarchy. Setup creates the script in %TEMP%\ConfigMgrAutoSave.ini. You can then use this script to perform an unattended setup of Configuration Manager. When Setup creates the unattended installation script, it is populated with the product key value that you enter during setup. This can be a valid product key, or it is equal to EVAL when you install an evaluation version of Configuration Manager. The product key value in the script is populated to enable the prerequisite check to finish. When Setup starts the actual site installation, the automatically created script is written to again to clear the product key value in the script that it creates. Before using the script for an unattended installation of a new site, you can edit the script to provide a valid product key or specify an evaluation installation of Configuration Manager. Tip In Configuration Manager with no service pack, an unattended installation does not run Prerequisite Checker. Therefore, plan to manually run Prerequisite Checker before starting the installation. In Configuration Manager SP1, an unattended installation does run Prerequisite Checker. For information about Prerequisite Checker, see Technical Reference for the Prerequisite Checker in Configuration Manager You can run Configuration Manager Setup unattended by using an initialization file with the /SCRIPT Setup command-line option. Unattended setup is supported for new installations of a Configuration Manager central administration site, primary site, and Configuration Manager console. To use the /SCRIPT Setup command-line option, you must create an initialization file and specify the initialization file name after the /SCRIPT Setup command-line option. The name of the file must have the .ini file name extension. When you reference the Setup initialization file at the command prompt, you must provide the full path to the file. For example, if your Setup initialization file is named Setup.ini, and it is stored in the C:\Setup folder, at the command prompt, type: setup /script c:\setup\setup.ini. Security You must have administrative credentials to run Setup. When you run Setup with the unattended script, start the command prompt by using Run as administrator. The script contains section names, key names, and values. Required section key names vary depending on the installation type that you are scripting. The order of the keys within sections, and the order of sections within the file, is not important. The keys are not case sensitive. When you provide values for keys, the name of the key must be followed by an equals sign (=) and the value for the key.

619

Unattended Setup Script File Keys

To run Setup unattended, you must specify the /SCRIPT command-line option and configure the Setup script file with required keys and values. You must configure the following four sections in the script file to install or configure a site: Identification, Options, SQLConfigOptions, and HierarchyOptions. To recover a site, you must use the following sections of the script file: Identification and Recovery. For more information about for backup and recovery, see the Unattended Site Recovery Script File Keys section in the Backup and Recovery in Configuration Manager topic. Use the following sections to help you to create your script for unattended Setup. The tables list the available Setup script keys, their corresponding values, whether they are required, which type of installation they are used for, and a short description for the key.

Install a Central Administration Site Unattended

Use the following section to install a central administration site by using an unattended Setup script file.
Section Key name Requir ed Values Details

Identification

Action

Yes

InstallCAS

Installs a central administration site

Options

ProductID

Yes

xxxxx-xxxxx-xxxxx-xxxxx-xxxxx Specifies the Configuration or Manager Eval installation product key, including the dashes. Enter Eval to install the evaluation version of Configuration Manager. <SiteCode> Specifies three alphanumeric characters that uniquely identify the site in your hierarchy. For more information
620

SiteCode

Yes

Section

Key name

Requir ed

Values

Details

about site code restrictions, see Configuration Manager Site Naming. SiteName Yes <SiteName> Specifies the name for this site. Specifies the installation folder for the Configuration Manager program files. Specifies the FQDN for the server that will host the SMS Provider. You can configure additional SMS Providers for the site after the initial installation. For more information about the SMS Provider, see the Site System Roles in Configuration Manager section in the Planning for Site Systems in Configuration Manager topic. PrerequisiteComp Yes 0 or 1 Specifies
621

SMSInstallDir

Yes

<ConfigMgrInstallationPath>

SDKServer

Yes

<FQDN of SMS Provider>

Section

Key name

Requir ed

Values

Details

0 = download 1 = already downloaded

whether Setup prerequisite files have already been downloaded. For example, if you use a value of 0, Setup will download the files.

PrerequisitePath

Yes

<PathToSetupPrerequisiteFiles Specifies the > path to the Setup prerequisite files. Depending on the PrerequisiteCo mp value, Setup uses this path to store downloaded files or to locate previously downloaded files. 0 or 1 0 = do not install 1 = install Specifies whether to install the Configuration Manager console. Specifies whether to join the Customer Experience Improvement Program. Specifies the server languages that will be available for the Configuration
622

AdminConsole

Yes

JoinCEIP

Yes

0 or 1 0 = do not join 1 = join

AddServerLangua ges

No

For Configuration Manager with no service pack: DEU, FRA, RUS, CHS, or JPN For Configuration Manager

Section

Key name

Requir ed

Values

Details

with SP1: DEU, FRA, RUS, CHS, JPN, CHT, CSY, ESN, HUN, ITA, KOR, NLD, PLK, PTB, PTG, SVE, TRK, or ZHH

Manager console, reports, and Configuration Manager objects. English is available by default. Specifies the languages that will be available to client computers. English is available by default.

AddClientLanguag es

No

For Configuration Manager with no service pack: DEU, FRA, RUS, CHS, JPN, CHT, CSY, ESN, HUN, ITA, KOR, NLD, PLK, PTB, PTG, SVE, or TRK For Configuration Manager with SP1: DEU, FRA, RUS, CHS, JPN, CHT, CSY, ESN, HUN, ITA, KOR, NLD, PLK, PTB, PTG, SVE, TRK, or ZHH

DeleteServerLang uages

No

For Configuration Manager with no service pack: DEU, FRA, RUS, CHS, or JPN For Configuration Manager with SP1: DEU, FRA, RUS, CHS, JPN, CHT, CSY, ESN, HUN, ITA, KOR, NLD, PLK, PTB, PTG, SVE, TRK, or ZHH

Modifies a site after it is installed. Specifies the languages to remove that will no longer be available for the Configuration Manager console, reports, and Configuration Manager objects. English is available by default and cannot be removed. Modifies a site
623

DeleteClientLangu

No

For Configuration Manager

Section

Key name

Requir ed

Values

Details

ages

with no service pack: DEU, FRA, RUS, CHS, JPN, CHT, CSY, ESN, HUN, ITA, KOR, NLD, PLK, PTB, PTG, SVE, or TRK For Configuration Manager with SP1: DEU, FRA, RUS, CHS, JPN, CHT, CSY, ESN, HUN, ITA, KOR, NLD, PLK, PTB, PTG, SVE, TRK, or ZHH

after it is installed. Specifies the languages to remove that will no longer be available to client computers. English is available by default and cannot be removed. Specifies whether the mobile device client languages are installed. Specifies the name of the server, or name of the clustered instance, that is running SQL Server. It will host the site database. Specifies the name of the SQL Server database to create or use to install the central administration site database. Important You must specify
624

MobileDeviceLang uage

Yes

0 or 1 0 = do not install 1 = install

SQLConfigOpt SQLServerName ions

Yes

<SQLServerName>

DatabaseName

Yes

<SiteDatabaseName> or <InstanceName>\<SiteDataba seName>

Section

Key name

Requir ed

Values

Details

the instance name and site database name if you do not use the default instance. With Configur ation Manager with no service pack, when you configure the site database to use the default instance of SQL Server, you must configure the SQL Server service port to use TCP port 1433, the default port.
625

Section

Key name

Requir ed

Values

Details

With Configur ation Manager SP1, you can use a nondefau lt TCP port for the default instance. SQLSSBPort No <SSBPortNumber> Specifies the SQL Server Service Broker (SSB) port that SQL Server uses. Typically, SSB is configured to use TCP port 4022, but other ports are supported.

Install a Primary Site Unattended

Use the following section to install a primary site by using an unattended Setup script file.
Section Key name Requi red Values Details

Identification

Action

Yes

InstallPrimarySite

Installs a primary site. Specifies the Configuration Manager installation product key, including the
626

Options

ProductID

Yes

xxxxx-xxxxx-xxxxx-xxxxxxxxxx or Eval

Section

Key name

Requi red

Values

Details

dashes. Enter Eval to install the evaluation version of Configuration Manager. SiteCode Yes <SiteCode> Specifies the three alphanumericch aracters that uniquely identify the site in your hierarchy. For more information about site code restrictions, see Configuration Manager Site Naming. Specifies the name for this site. Specifies the installation folder for the Configuration Manager program files. Specifies the FQDN for the server that will host the SMS Provider. You can configure additional SMS Providers for the
627

SiteName

Yes

<SiteName>

SMSInstallDir

Yes

<ConfigMgrInstallationPath >

SDKServer

Yes

<FQDN of SMS Provider>

Section

Key name

Requi red

Values

Details

site after the initial installation. For more information about the SMS Provider, see the Site System Roles in Configuration Manager section in the Planning for Site Systems in Configuration Manager topic. PrerequisiteComp Yes 0 or 1 0 = download 1 = already downloaded Specifies whether Setup prerequisite files have already been downloaded. For example, if you use a value of 0, Setup downloads the files.

PrerequisitePath

Yes

<PathToSetupPrerequisiteF Specifies the iles> path to the Setup prerequisite files. Depending on the PrerequisiteCo mp value, Setup uses this path to store downloaded files or to locate previously downloaded
628

Section

Key name

Requi red

Values

Details

files. AdminConsole Yes 0 or 1 0 = do not install 1 = install Specifies whether to install the Configuration Manager console. Specifies whether to join the Customer Experience Improvement Program. Specifies the FQDN of the server that will host the management point site system role. Specifies the protocol to use for the management point. Specifies the protocol to use for the management point. Specifies the protocol to use for the distribution point. Specifies whether to
629

JoinCEIP

Yes

0 or 1 0 = do not join 1 = join

ManagementPoint

No

<Management point site server FQDN>

ManagementPointP No rotocol

HTTPS or HTTP

DistributionPoint

No

<Distribution Point site server FQDN>

DistributionPointPro No tocol

HTTPS or HTTP

RoleCommunicatio nProtocol

Yes

EnforceHTTPS or

Section

Key name

Requi red

Values

Details

HTTPorHTTPS

configure all site systems to accept only HTTPS communication from clients or for the communication method to be configured for each site system role. When you select to EnforceHTTPS, client computer must have a valid PKI certificate for client authentication. For more information about PKI certificate requirements, see PKI Certificate Requirements for Configuration Manager. Specifies whether clients will use a client PKI certificate to communicate with site system roles. For more information about PKI certificate
630

ClientsUsePKICertif Yes icate

0 or 1 0 = do not use 1 = use

Section

Key name

Requi red

Values

Details

requirements, see PKI Certificate Requirements for Configuration Manager. AddServerLanguag es No For Configuration Manager with no service pack: DEU, FRA, RUS, CHS, or JPN Specifies the server languages that For Configuration Manager will be available with SP1: DEU, FRA, RUS, for the Configuration CHS, JPN, CHT, CSY, Manager ESN, HUN, ITA, KOR, NLD, PLK, PTB, PTG, SVE, console, reports, and TRK, or ZHH Configuration Manager objects. English is available by default. For Configuration Manager with no service pack: DEU, FRA, RUS, CHS, JPN, CHT, CSY, ESN, HUN, ITA, KOR, NLD, PLK, PTB, PTG, SVE, or TRK For Configuration Manager with SP1: DEU, FRA, RUS, CHS, JPN, CHT, CSY, ESN, HUN, ITA, KOR, NLD, PLK, PTB, PTG, SVE, TRK, or ZHH DeleteServerLangu ages No For Configuration Manager with no service pack: DEU, FRA, RUS, CHS, or JPN For Configuration Manager with SP1: DEU, FRA, RUS, CHS, JPN, CHT, CSY, ESN, HUN, ITA, KOR, Specifies the languages that will be available to client computers. English is available by default.

AddClientLanguage No s

Use when modifying a site after it is installed. Specifies the languages to remove that will
631

Section

Key name

Requi red

Values

Details

NLD, PLK, PTB, PTG, SVE, no longer be TRK, or ZHH available for the Configuration Manager console, reports, and Configuration Manager objects. English is available by default and cannot be removed. DeleteClientLangua No ges For Configuration Manager with no service pack: DEU, FRA, RUS, CHS, JPN, CHT, CSY, ESN, HUN, ITA, KOR, NLD, PLK, PTB, PTG, SVE, or TRK Use when modifying a site after it is installed.

Specifies the languages to For Configuration Manager remove and that with SP1: DEU, FRA, RUS, will no longer be CHS, JPN, CHT, CSY, available to ESN, HUN, ITA, KOR, client NLD, PLK, PTB, PTG, SVE, computers. TRK, or ZHH English is available by default and cannot be removed. MobileDeviceLangu Yes age 0 or 1 0 = do not install 1 = install Specifies whether the mobile device client languages are installed. Specifies the name of the server or name of the clustered instance that
632

SQLConfigOption s

SQLServerName

Yes

<SQLServerName>

Section

Key name

Requi red

Values

Details

runs SQL Server that will host the site database. DatabaseName Yes <SiteDatabaseName> Specifies the name of the or SQL Server <InstanceName>\<SiteData database to baseName> create or use to install the primary site database. Important You must specify the instance name and site databas e name if you do not use the default instance . With Configur ation Manage r with no service pack, when you configur e the site
633

Section

Key name

Requi red

Values

Details

databas e to use the default instance of SQL Server, you must configur e the SQL Server service port to use TCP port 1433, the default port. With Configur ation Manage r SP1, you can use a nondefa ult TCP port for the default instance . SQLSSBPort No <SSBPortNumber> Specifies the SQL Server Service Broker (SSB) port that
634

Section

Key name

Requi red

Values

Details

SQL Server uses. Typically, SSB is configured to use TCP port 4022, but other ports are supported. HierarchyExpansi onOption CCARSiteServer No <FQDN of central administration site> Specifies the central administration site that a primary site will attach to when it joins the Configuration Manager hierarchy. You must specify the central administration site during Setup. After Setup finishes, you cannot join a stand-alone primary site to a central administration site. Specifies the retry interval (in minutes) to attempt a connection to the central administration site after the connection fails. For example, if
635

CASRetryInterval

No

<Interval>

Section

Key name

Requi red

Values

Details

the connection to the central administration site fails, the primary site waits the number of minutes that you specify for CASRetryInterv al, and then reattempts the connection. WaitForCASTimeo ut No <Timeout> Specifies the maximum timeout value (in minutes) for a primary site to connect to the central administration site. For example, if a primary site fails to connect to a central administration site, the primary site retries the connection to the central administration site, based on the CASRetryInterv al until the WaitForCASTim eout period is reached. You can specify a
636

Section

Key name

Requi red

Values

Details

value of 0 to 100.

Recover a Central Administration Site Unattended

Use the following section to recover a central administration site by using an unattended Setup script file.
Section Key name Required Values Details

Identificati on Recovery Options

Action

Yes

RecoverCCAR

Recovers a central administration site

ServerRecover yOptions

Yes

1, 2, or 4

Specifies whether Setup will recover 1 = Recovery site server and SQL Server. the site server, SQL Server, or 2 = Recover site server both. The only. associated keys 4 = Recover SQL are required when Server only. you set the following value for the ServerRecoveryO ptions setting: Value = 1: You have the option to specify a value for the SiteServerBa ckupLocation key to recover the site by using a site backup. If you do not specify a value, the site is reinstalled without restoring it
637

Section

Key name

Required

Values

Details

from a backup set. Value = 2: You have the option to specify a value for the SiteServerBa ckupLocation key to recover the site by using a site backup. If you do not specify a value, the site is reinstalled without restoring it from a backup set. Value = 4: The BackupLocati on key is required when you configure a value of 10 for the DatabaseRec overyOptions key, which is to restore the site database from backup.

DatabaseRecov See Details eryOptions

10, 20, 40, 80 10 = Restore the site database from backup. 20 = Use a site database that has been manually recovered by using another method. 40 = Create a new

Specifies how Setup recovers the site database in SQL Server. This key is required when the ServerRecovery Options setting has a value of 1 or
638

Section

Key name

Required

Values

Details

database for the site. 4. Use this option when there is no site database backup available. Global and site data is recovered through replication from other sites. 80 = skip database recovery. ReferenceSite See Details <ReferenceSiteFQDN> Specifies the reference primary site that the central administration site uses to recover global data if the database backup is older than the change tracking retention period or when you recover the site without a backup. When you do not specify a reference site and the backup is older than the change tracking retention period, all primary sites are reinitialized with the restored data from the central administration site. When you do not specify a reference site and
639

Section

Key name

Required

Values

Details

the backup is within the change tracking retention period, only changes after the backup are replicated from primary sites. When there are conflicting changes from different primary sites, the central administration site uses the first one that it receives. This key is required when the DatabaseRecove ryOptions setting has a value of 40. SiteServerBack upLocation No <PathToSiteServerBac kupSet> Specifies the path to the site server backup set. This key is optional when the ServerRecovery Options setting has a value of 1 or 2. Specify a value for the SiteServerBacku pLocation key to recover the site by using a site backup. If you do not specify a value, the site is reinstalled without restoring it from a backup set.
640

Section

Key name

Required

Values

Details

BackupLocation See Details

<PathToSiteDatabaseB ackupSet>

Specifies the path to the site database backup set. The BackupLocation key is required when you configure a value of 1 or 4 for the ServerRecovery Options key, and configure a value of 10 for the DatabaseRecove ryOptions key. Specifies the Configuration Manager installation product key, including the dashes. Enter Eval to install the evaluation version of Configuration Manager. Specifies three alphanumeric characters that uniquely identify the site in your hierarchy. You must specify the site code that the site used before the failure. For more information about site code restrictions, see the Configuration Manager Site
641

Options

ProductID

Yes

xxxxx-xxxxx-xxxxxxxxxx-xxxxx Eval

SiteCode

Yes

<SiteCode>

Section

Key name

Required

Values

Details

Naming section in the Install Sites and Create a Hierarchy for Configuration Manager topic. SiteName No <SiteName> Specifies the name for this site.

SMSInstallDir

See Details

< ConfigMgrInstallationP ath>

Specifies the installation folder for the Configuration Manager program files.

SDKServe r

See Details

<FQDN of SMS Provider>

Specifies the FQDN for the server that will host the SMS Provider. You must specify the server that hosted the SMS Provider before the failure. You can configure additional SMS Providers for the site after the initial installation. For more information about the SMS Provider, see the Site System Roles in
642

Section

Key name

Required

Values

Details

Configuration Manager section in the Planning for Site Systems in Configuration Manager topic. Prerequisit eComp Yes 0 or 1 0 = download 1 = already downloaded Specifies whether Setup prerequisite files have already been downloaded. For example, if you use a value of 0, Setup downloads the files. Specifies the path to the Setup prerequisite files. Depending on the PrerequisiteComp value, Setup uses this path to store downloaded files or to locate previously downloaded files. Specifies whether to install the Configuration Manager console. This key is required except when the ServerRecoveryOptio ns setting has a value of 4. Specifies whether to join the Customer Experience Improvement Program. <SQLServerName> Specifies the name of the server, or name of the clustered instance that is running
643

Prerequisit ePath

Yes

<PathToSetupPrer equisiteFiles>

AdminCon sole

See Details

0 or 1 0 = do not install 1 = install

JoinCEIP

Yes

0 or 1 0 = do not join 1 = join

SQLConfig SQLServerNam See Details Options e

Section

Key name

Required

Values

Details

SQL Server that will host the site database. You must specify the same server that hosted the site database before the failure. DatabaseName See Details <SiteDatabaseName> or <InstanceName>\<Site DatabaseName> Specifies the name of the SQL Server database to create or use to install the central administration site database. You must specify the same database name that was used before the failure. Important You must specify the instance name and site database name if you do not use the default instance. SQLSSBPort See Details <SSBPortNumber> Specifies the SQL Server Service Broker (SSB) port that SQL Server uses. Typically, SSB is
644

Section

Key name

Required

Values

Details

configured to use TCP port 4022. You must specify the same SSB port that was used before the failure.

Recover a Primary Site Unattended

Use the following section to recover a primary site by using an unattended Setup script file.
Section Key name Requi red Values Details

Identification

Action

Yes

RecoverPrimarySite

Recovers a primary site Specifies whether Setup will recover the site server, SQL Server, or both. The associated keys are required when you set the following value for the ServerRecoveryOp tions setting: Value = 1: You have the option to specify a value for the SiteServerBac kupLocation key to recover the site by using a site backup. If you do not specify a value, the site is reinstalled
645

RecoveryOptions

ServerRecoveryO ptions

Yes

1, 2, or 4 1 = Recovery site server and SQL Server. 2 = Recover site server only. 4 = Recover SQL Server only.

Section

Key name

Requi red

Values

Details

without restoring it from a backup set. Value = 2: You have the option to specify a value for the SiteServerBac kupLocation key to recover the site by using a site backup. If you do not specify a value, the site is reinstalled without restoring it from a backup set. Value = 4: The BackupLocati on key is required when you configure a value of 10 for the DatabaseRec overyOptions key, which is to restore the site database from backup.

DatabaseRecover See 10, 20, 40, 80 yOptions Detail 10 = Restore the site s database from backup. 20 = Use a site database that has been manually recovered by using another method.

Specifies options for Setup to recover the site database in SQL Server. This key is required when the ServerRecoveryO
646

Section

Key name

Requi red

Values

Details

40 = Create a new ptions setting has database for the site. Use a value of 1 or 4. this option when there is no site database backup available. 80 = skip database recovery. SiteServerBackup No Location <PathToSiteServerBackup Set> Specifies the path to the site server backup set. This key is optional when the ServerRecoveryO ptions setting has a value of 1 or 2. Specify a value for the SiteServerBackup Location key to recover the site by using a site backup. If you do not specify a value, the site is reinstalled without restoring it from a backup set. Specifies the path to the site database backup set. The BackupLocation key is required when you configure a value of 1 or 4 for the ServerRecoveryO ptions key, and configure a value
647

BackupLocation

See <PathToSiteDatabaseBack Detail upSet> s

Section

Key name

Requi red

Values

Details

of 10 for the DatabaseRecover yOptions key. Options ProductID Yes xxxxx-xxxxx-xxxxx-xxxxxxxxxx or Eval Specifies the Configuration Manager installation product key, including the dashes. Enter Eval to install the evaluation version of Configuration Manager. Specifies three alphanumeric characters that uniquely identify the site in your hierarchy. You must specify the site code that the site used before the failure. For more information about site code restrictions, see the Configuration Manager Site Naming section in the Install Sites and Create a Hierarchy for Configuration Manager topic. Specifies the name for this site. Specifies the installation folder for the
648

SiteCode

Yes

<SiteCode>

SiteName

No

<SiteName>

SMSInstallDir

See <ConfigMgrInstallationPath Detail >

Section

Key name

Requi red

Values

Details

Configuration Manager program files. Specifies the FQDN for the server that will host the SMS Provider. You must specify the server that hosted the SMS Provider before the failure. You can configure additional SMS Providers for the site after the initial installation. For more information about the SMS Provider, see the Site System Roles in Configuration Manager section in the Planning for Site Systems in Configuration Manager topic.

SDKServer

See <FQDN of SMS Provider> Detail s

PrerequisiteComp Yes

0 or 1 0 = download 1 = already downloaded

Specifies whether Setup prerequisite files have already been downloaded. For example, if you use a value of 0, Setup downloads the files. Specifies the path to the Setup prerequisite files.
649

PrerequisitePath

Yes

<PathToSetupPrerequisite Files>

Section

Key name

Requi red

Values

Details

Depending on the PrerequisiteComp value, Setup uses this path to store downloaded files or to locate previously downloaded files. AdminConsole See 0 or 1 Detail 0 = do not install s 1 = install Specifies whether to install the Configuration Manager console. This key is required except when the ServerRecoveryO ptions setting has a value of 4. Specifies whether to join the Customer Experience Improvement Program. Specifies the name of the server, or the name of the clustered instance that is running SQL Server that will host the site database. You must specify the same server that hosted the site database before the failure. The name of the SQL Server database to create
650

JoinCEIP

Yes

0 or 1 0 = do not join 1 = join

SQLConfigOption s

SQLServerName

See <SQLServerName> Detail s

DatabaseName

See <SiteDatabaseName> Detail or

Section

Key name

Requi red

Values

Details

<InstanceName>\<SiteDat abaseName>

or use to install the central administration site database. You must specify the same database name that was used before the failure. Important You must specify the instance name and site database name if you do not use the default instance.

SQLSSBPort

See <SSBPortNumber> Detail s

Specify the SQL Server Service Broker (SSB) port that SQL Server uses. Typically, SSB is configured to use TCP port 4022. You must specify the same SSB port that was used before the failure.

HierarchyExpansi onOption

CCARSiteServer

See <SiteCodeForCentralAdmin Specifies the Detail istrationSite> central s administration site to which a primary site attaches when it joins the
651

Section

Key name

Requi red

Values

Details

Configuration Manager hierarchy. This setting is required if the primary site was attached to a central administration site before the failure. You must specify the site code that was used for the central administration site before the failure. CASRetryInterval No <Interval> Specifies the retry interval (in minutes) to attempt a connection to the central administration site after the connection fails. For example, if the connection to the central administration site fails, the primary site waits the number of minutes that you specify for CASRetryInterval, and then attempts the connection again. Specifies the maximum time-out value (in minutes) for a primary site to connect to the
652

WaitForCASTime out

No

<Timeout>

Section

Key name

Requi red

Values

Details

central administration site. For example, if a primary site fails to connect to a central administration site, the primary site retries the connection to the central administration site, based on the CASRetryInterval until the WaitForCASTime out period is reached. You can specify a value of 0 to 100.

Decommission Sites and Hierarchies

To decommission hierarchies, start at the bottom of the hierarchy and move upward. Remove secondary sites attached to primary sites, primary sites from the central administration site, and then the central administration site itself. Use the information in this section to remove individual sites or decommission a hierarchy of sites.

Remove a Secondary Site from a Hierarchy

You cannot move or reassign secondary sites to a new parent primary site. To remove a secondary site from a hierarchy, it must be deleted from its direct parent site. Use the Delete Secondary Site Wizard from the Configuration Manager console to remove the secondary site. When you remove a secondary site, you must choose whether to delete or uninstall the secondary site: Uninstall the secondary site: Use this option to remove a functional secondary site that is accessible from the network. This option uninstalls Configuration Manager from the secondary site server, and then deletes all information about the site and its resources from the Configuration Manager hierarchy. If Configuration Manager installed SQL Server Express as part of the secondary site installation, Configuration Manager will uninstall SQL Express
653

when it uninstalls the secondary site. If SQL Server Express was installed before you installed the secondary site, Configuration Manager will not uninstall SQL Server Express. Delete the secondary site: Use this option if one of the following is true: A secondary site failed to install. The secondary site continues to display in the Configuration Manager console after you uninstall it.

This option deletes all information about the site and its resources from the Configuration Manager hierarchy, but leaves Configuration Manager installed on the secondary site server. Note You can also use the Hierarchy Maintenance Tool and the /DELSITE option to delete a secondary site. For more information, see Technical Reference for the Hierarchy Maintenance Tool (Preinst.exe) in Configuration Manager. To uninstall or delete a secondary site 1. Verify the administrative user that runs Setup has the following security rights: Administrative rights on the secondary site computer. Local Administrator rights on the remote site database server for the primary site, if it is remote. Infrastructure Administrator or Full Administrator security role on the parent primary site. Sysadmin rights on the site database of the secondary site.

2. In the Configuration Manager console, click Administration. 3. In the Administration workspace, expand Site Configuration, and then click Sites. 4. Select the secondary site server to remove. 5. On the Home tab, in the Site group, click Delete. 6. On the General page, select whether to uninstall or delete the secondary site, and then click Next. 7. On the Summary page, verify the settings, and then click Next. 8. On the Completion page, click Close to exit the wizard.

Uninstall a Primary Site

You can run Configuration Manager Setup to uninstall a primary site that does not have an associated secondary site. Before you uninstall a primary site, consider the following: When Configuration Manager clients are within the boundaries configured at the site, and the primary site is part of a Configuration Manager hierarchy, consider adding the boundaries to a different primary site in the hierarchy before you uninstall the primary site. When the primary site server is no longer available, you must use the Hierarchy Maintenance Tool at the central administration site to delete the primary site from the site database. For more information, see Technical Reference for the Hierarchy Maintenance Tool (Preinst.exe) in Configuration Manager.
654

Use the following procedure to uninstall a primary site. To uninstall a primary site 1. Verify the administrative user that runs Setup has the following security rights: Local Administrator rights on the central administration site server. Local Administrator rights on the remote site database server for the central administration site, if it is remote. Sysadmin rights on the site database of the central administration site. Local Administrator rights on the primary site computer. Local Administrator rights on the remote site database server for the primary site, if it is remote. User name associated with the Infrastructure Administrator or Full Administrator security role on the central administration site.

2. Start Configuration Manager Setup on the primary site server by using one of the following methods: On Start, click Configuration Manager Setup. Open Setup.exe from <ConfigMgrInstallationMedia>\SMSSETUP\BIN\X64. Open Setup.exe from <ConfigMgrInstallationPath>\SMSSETUP\BIN\X64.

3. On the Before You Begin page, click Next. 4. On the Getting Started page, select Uninstall a Configuration Manager site, and then click Next. 5. On the Uninstall the Configuration Manager Site, specify whether to remove the site database from the primary site server and whether to remove the Configuration Manager console. By default, Setup removes both items. Important When a secondary site is attached to the primary site, you must remove the secondary site before you can uninstall the primary site. 6. Click Yes to confirm to uninstall the Configuration Manager primary site.

Uninstall a Primary Site that is Configured with Distributed Views

Before you uninstall a child primary site that has distributed views configured on its replication link to the central administration site, you must disable distributed views in your hierarchy. Use the following information to disable distributed views before you uninstall a primary site. To uninstall a primary site that is configured with distributed views 1. Before you uninstall any primary site, you must disable distributed views on each link in the hierarchy between the central administration site and a primary site. 2. After you disable distributed views on each link, confirm that the data from the primary
655

site completes reinitialization at the central administration site. You can monitor the initialization of data when you view the link in the Database Replication node of the Monitoring workspace of the Configuration Manager console. 3. After the data successfully reinitializes with the central administration site, you can uninstall the primary site. To uninstall a primary site, see the Uninstall a Primary Site section in this topic. 4. After the primary site is completely uninstalled, you can reconfigure distributed views on links to primary sites. Important If you uninstall the primary site before you disable distributed views at each site, or before the data from the primary site successfully reinitializes at the central administration site, replication of data between primary sites and the central administration site can fail. In this scenario, you must disable distributed views for each link in your hierarchy, and then, after the data successfully reinitializes with the central administration site, you can reconfigure distributed views.

Uninstall the Central Administration Site

You can run Configuration Manager Setup to uninstall a central administration site without child primary sites. Use the following procedure to uninstall the central administration site. To uninstall a central administration site 1. Verify that the administrative user who runs Setup has the following security rights: Local Administrator rights on the central administration site server. Local Administrator rights on the site database server for the central administration site, when the site database server is not installed on the site server.

2. Start Configuration Manager Setup on the central administration site server by using one of the following methods: On Start, click Configuration Manager Setup. Open Setup.exe from <ConfigMgrInstallationMedia>\SMSSETUP\BIN\X64. Open Setup.exe from <ConfigMgrInstallationPath>\SMSSETUP\BIN\X64.

3. On the Before You Begin page, click Next. 4. On the Getting Started page, select Uninstall a Configuration Manager site, and then click Next. 5. On the Uninstall the Configuration Manager Site, specify whether to remove the site database from the central administration site server and whether to remove the Configuration Manager console. By default, Setup removes both items. Important When there is a primary site attached to the central administration site, you must uninstall the primary site before you can uninstall the central administration site.
656

6. Click Yes to confirm to uninstall the Configuration Manager central administration site.

Configuration Manager Site Naming

Site codes and site names are used to identify and manage the sites in a Configuration Manager hierarchy. In the Configuration Manager console, the site code and site name are displayed in the <site code> - <site name> format. Every site code that you use in your Configuration Manager hierarchy must be unique. If the Active Directory schema is extended for Configuration Manager, and sites are publishing data, the site codes used within an Active Directory forest must be unique even if they are used in a different Configuration Manager hierarchy or if they have been used in previous Configuration Manager installations. Be sure to carefully plan your site codes and site names before you deploy your Configuration Manager hierarchy.

Specify a Site Code and Site Name

During Configuration Manager Setup, you are prompted for a site code and site name for the central administration site, and each primary and secondary site installation. The site code must uniquely identify each Configuration Manager site in the hierarchy. Because the site code is used in folder names, never use Windows-reserved names for the site code, such as AUX, CON, NUL, or PRN. Note Configuration Manager Setup does not verify that the site code that you specify is not already in use. To enter the site code for a site during Configuration Manager Setup, you must enter three alphanumeric characters. Only the letters A through Z, numbers 0 through 9, or combinations of the two are allowed when specifying site codes. The sequence of letters or numbers has no effect on the communication between sites. For example, it is not necessary to name a primary site ABC and a secondary site DEF. The site name is a friendly name identifier for the site. Use only the standard characters A through Z, a through z, 0 through 9, and the hyphen (-) in site names. Important Changing the site code or site name after installation is not supported.

Re-Using Site Codes

Site codes cannot be used more than one time in a Configuration Manager hierarchy for a central administration site or primary sites. If you reuse a site code, you run the risk of having object ID conflicts in your Configuration Manager hierarchy. You can reuse the site code for a secondary site if it is no longer in use in your Configuration Manager hierarchy or in the Active Directory forest.

657

See Also
Configuring Sites and Hierarchies in Configuration Manager

Expand a Stand-Alone Primary Site into a Hierarchy with a Central Administration Site
Note The information in this topic applies only to System Center 2012 Configuration Manager SP1. With System Center 2012 Configuration Manager SP1, you can expand an existing stand-alone primary site into a hierarchy with a central administration site. Before you run Setup to expand a stand-alone primary site, review the following sections in the Planning for Sites and Hierarchies in Configuration Manager topic: Prerequisites for Expanding a Stand-Alone Primary Site Considerations when Expanding a Stand-Alone Primary Site

Expand a Stand-Alone Primary Site

To expand your stand-alone primary site, run Setup from the Configuration Manager SP1 source media, and use the procedure To install a central administration site from the Install a Central Administration Site section in the Install Sites and Create a Hierarchy for Configuration Manager topic. During Setup, ensure that you make the following selections in the Configuration Manager Setup Wizard: 1. On the Getting Started page, select Install a Configuration Manager central administration site. 2. On the Client Language Selection page, select the same client languages that the primary site supports. 3. On the Central Administration Site Installation page, select the option Expand an existing stand-alone primary site into a hierarchy. After Setup finishes, your stand-alone primary site is now a child primary site. After the new central administration site is installed, restart any Configuration Manager consoles that are open and remain connected to the primary site. If there are software update points at the primary site, install a software update point at the central administration site and configure it to synchronize software updates with Windows Server Update Services (WSUS). This is because the child primary automatically reconfigures its software update points to synchronize with a software update point at the central administration site. For information about how to configure software update points, see Configuring Software Updates in Configuration Manager.

658

See Also
Configuring Sites and Hierarchies in Configuration Manager

Upgrade Configuration Manager to a New Service Pack

Use the information in the following sections to help you upgrade your System Center 2012 Configuration Manager site and hierarchy to a new service pack successfully.

Pre-Upgrade Configurations for Configuration Manager Sites

Before you upgrade a site to a new service pack, review the applicable upgrade checklist to understand any pre-upgrade configurations that the site or hierarchy requires. Additionally, plan to record details about any configurations and settings that you use and that do not persist after an upgrade to that service pack version. For more information about pre-upgrade tasks and configurations, see the applicable sections in the Planning to Upgrade System Center 2012 Configuration Manager topic. For upgrades to Configuration Manager SP1: Configuration Manager SP1 Upgrade Checklist Considerations when Upgrading to Configuration Manager SP1

Test the Configuration Manager Site Database for the Upgrade

Before you upgrade a site, test a copy of that sites database for the upgrade. To test the database for an upgrade, you first restore a copy of the site database to an instance of SQL Server that does not host a Configuration Manager site. The version of SQL Server that you use to host the database copy must be a version of SQL Server that the version of Configuration Manager supports that is the source of the database copy. Next, after you restore the site database, on the SQL Server computer, run Configuration Manager Setup from the Configuration Manager service pack media, with the /TESTDBUPGRADE command-line option. For information about how to create and restore a backup of a site database, see Backup and Recovery in Configuration Manager. For information about the /TESTDBUPGRADE command-line option, see the table in the Using Command-Line Options with Setup section of the Install Sites and Create a Hierarchy for Configuration Manager topic.
659

For information about the supported versions of SQL Server, see the Configurations for the SQL Server Site Database section in the Supported Configurations for Configuration Manager topic.

Use the following procedure on each central administration site and primary site that you plan to upgrade. To test a Configuration Manager site database for upgrade 1. Make a copy of the site database, and then restore that copy to an instance of SQL Server that uses the same edition as your site database and that does not host a Configuration Manager site. For example, if the site database runs on an instance of the Enterprise edition of SQL Server, make sure you restore the database to an instance of SQL Server that also runs the Enterprise edition of SQL Server. 2. After you restore the database copy, run Setup from the Configuration Manager SP1 source media. When you run Setup, use the /TESTDBUPGRADE command-line option. If the SQL Server instance that hosts the database copy is not the default instance, you must also provide the command-line arguments to identify the instance that hosts the site database copy. For example, you plan to upgrade a site database with the database name SMS_ABC. You restore a copy of this site database to a supported instance of SQL Server with the instance name DBTest. To test an upgrade of this copy of the site database, use the following command line: Setup.exe /TESTDBUPGRADE DBtest\CM_ABC You can find Setup.exe in the following location on the source media for Configuration Manager SP1: SMSSETUP\BIN\X64. 3. On the instance of SQL Server where you run the database upgrade test, monitor the ConfigMgrSetup.log in the root of the system drive for progress and success: If the test upgrade fails, resolve any issues related to the site database upgrade failure, create a new backup of the site database, and then test the upgrade of the new copy of the site database. After the process is successful, you can delete the database copy. Note It is not supported to restore the copy of the site database that you use for the test upgrade for use as a site database at any site. After you successfully upgrade a copy of the site database, proceed with the upgrade of the Configuration Manager site and its site database.

Upgrade a Configuration Manager Site

After you complete pre-upgrade configurations for your site, test the upgrade of the site database on a database copy, and download prerequisite files and language packs for the service pack version that you plan to install, you are ready to upgrade your Configuration Manager site.

660

When you upgrade a site in a hierarchy, you upgrade the top-level site of the hierarchy first. This top-level site is either a central administration site or a stand-alone primary site. After the upgrade of a central administration site is completed, you can upgrade child primary sites in any order that you want. After you upgrade a primary site, you can upgrade that sites child secondary sites, or upgrade additional primary sites before you upgrade any secondary sites. To upgrade a central administration site or primary site, you run Setup from the Configuration Manager service pack media. However, you do not run Setup to upgrade secondary sites. Instead, you use the Configuration Manager console to upgrade a secondary site after you complete the upgrade of its primary parent site. Before you upgrade a site, close the Configuration Manager console that is installed on the site server until after the site upgrade is completed. Also close each Configuration Manager console that runs on computers other than the site server. You can reconnect the console after the site upgrade is completed. However, until you upgrade a Configuration Manager console to Configuration Manager SP1, that console cannot display some objects and information that are available in Configuration Manager SP1. Use the following procedures to upgrade Configuration Manager sites: To upgrade a central administration site or primary site 1. Verify that the user who runs Setup has the following security rights: Local Administrator rights on the site server computer. Local Administrator rights on the remote site database server for the site, if it is remote.

2. On the site server computer, open Windows Explorer and browse to <ConfigMgrServicePackInstallationMedia>\SMSSETUP\BIN\X64. 3. Double-click Setup.exe. The Configuration Manager Setup wizard opens. 4. On the Before You Begin page, click Next. 5. On the Getting Started page, select Upgrade this Configuration Manager site, and then click Next. 6. On the Product Key page, click Next. If you previously installed Configuration Manager Evaluation, you can select Install the licensed edition of this product, and then enter your product key for the full installation of Configuration Manager to convert the site to the full version. 7. On the Microsoft Software License Terms page, read and accept the license terms, and then click Next. 8. On the Prerequisite Licenses page, read and accept the license terms for the prerequisite software, and then click Next. Setup downloads and automatically installs the software on site systems or clients when it is required. You must select all check boxes before you can continue to the next page. 9. On the Prerequisite Downloads page, specify whether Setup downloads the latest prerequisite redistributable files, language packs, and the latest product updates from the Internet or use previously downloaded files, and then click Next. If you previously
661

downloaded the files by using Setup Downloader, select Use previously downloaded files and specify the download folder. For information about Setup Downloader, see the Setup Downloader section in the Install Sites and Create a Hierarchy for Configuration Manager topic. Note When you use previously downloaded files, verify that the path to the download folder contains the most recent version of the files. 10. On the Server Language Selection page, view the list of languages that are currently installed for the site. Select additional languages that are available at this site for the Configuration Manager console and for reports, or clear languages that you no longer want to support at this site, and then click Next. By default, English is selected and cannot be removed. Important Configuration Manager SP1 cannot use language packs from Configuration Manager with no service pack. To enable support for a language at a Configuration Manager SP1 site, you must use the Configuration Manager SP1 version of the language pack. During upgrade, if the Configuration Manager SP1 version of a language pack is not available with the prerequisite files you download, support for that language cannot be installed. If the language is already installed for Configuration Manager with no service pack, support for that language is uninstalled when the site upgrades. 11. On the Client Language Selection page, view the list of languages that are currently installed for the site. Select additional languages that are available at this site for client computers, or clear languages that you no longer want to support at this site. Specify whether to enable all client languages for mobile device clients, and then click Next. By default, English is selected and cannot be removed. Important Configuration Manager SP1 cannot use language packs from Configuration Manager with no service pack. To enable support for a language at a Configuration Manager SP1 site, you must use the Configuration Manager SP1 version of the language pack. During upgrade, if the Configuration Manager SP1 version of a language pack is not available with the prerequisite files that you download, support for that language cannot be installed. If the language is already installed for Configuration Manager with no service pack, support for that language is uninstalled when the site upgrades. 12. On the Settings Summary page, click Next to start Prerequisite Checker to verify server readiness for the upgrade of the site. 13. On the Prerequisite Installation Check page, if there are no problems listed, click Next to upgrade the site and site system roles. When Prerequisite Checker finds a problem, click an item on the list for details about how to resolve the problem. Resolve all items in the list that have an Error status before you continue Setup. After you resolve the issue, click Run Check to restart prerequisite checking. You can also open the
662

ConfigMgrPrereq.log file in the root of the system drive to review the Prerequisite Checker results. The log file can contain additional information that is not displayed in the user interface. For a complete list of installation prerequisite rules and descriptions, see Technical Reference for the Prerequisite Checker in Configuration Manager. On the Upgrade page, Setup displays the overall progress status. When Setup completes the core site server and site system installation, you can close the wizard. Site configuration continues in the background. To upgrade a secondary site 1. Verify that the administrative user that runs Setup has the following security rights: Local Administrator rights on the secondary site computer Infrastructure Administrator or a Full Administrator security role on the parent primary site System administrator (SA) rights on the site database of the secondary site

2. In the Configuration Manager console, click Administration. 3. In the Administration workspace, expand Site Configuration, and then click Sites. 4. Select the secondary site that you want to upgrade, and then, on the Home tab, in the Site group, click Upgrade. 5. Click Yes to confirm the decision, and to start the upgrade of the secondary site. The secondary site upgrade progresses in the background. After the upgrade is completed, you can confirm the status in the Configuration Manager console. To confirm the status, select the secondary site server, and then on the Home tab, in the Site group, click Show Install Status.

Perform Post-Upgrade Tasks on Configuration Manager Sites

After you upgrade a site to a new service pack, you might have to complete additional tasks to finish the upgrade or reconfigure the site. These tasks can include the upgrade of Configuration Manager clients or Configuration Manager consoles, re-enabling database replicas for management points, or restoring settings for Configuration Manager functionality that you use and that does not persist after the service pack upgrade. For more information about these tasks and settings, see the applicable sections in the Planning to Upgrade System Center 2012 Configuration Manager topic. For upgrades to Configuration Manager SP1: Configuration Manager SP1 Upgrade Checklist Considerations when Upgrading to Configuration Manager SP1

663

See Also
Configuring Sites and Hierarchies in Configuration Manager

Configure Sites and the Hierarchy in Configuration Manager

After you install a Configuration Manager site, you might need to customize several features and configurations for use by your organization. Use this topic to help you configure settings that are used at individual sites and by the hierarchy. In most situations you will not need to configure the following options in any specific order. However, some build upon each other, such as boundaries and boundary groups. Several of these configurations have default values you can use without configuration changes, at least temporarily. Others, such as boundary groups and distribution point groups, require you to configure them before you can use them. Plan to review these configurations over the lifecycle of your Configuration Manager deployment and to adjust them to meet changing business requirements or evolving network configurations. Use the information in the following sections of this topic to help you manage these configurations:

Site and Hierarchy Configuration Topics

Configuring Security for Configuration Manager Configuring Discovery in Configuration Manager Configuring Sites to Publish to Active Directory Domain Services Configuring Settings for Client Management in Configuration Manager Configuring Distribution Point Groups in Configuration Manager Configuring Boundaries and Boundary Groups in Configuration Manager Configuring Alerts in Configuration Manager Configuring Site Components in Configuration Manager

Other Resources for this Product

TechNet Library main page for System Center 2012 Configuration Manager Site Administration for System Center 2012 Configuration Manager

664

Configuring Security for Configuration Manager

Note This topic appears in the Site Administration for System Center 2012 Configuration Manager guide and in the Security and Privacy for System Center 2012 Configuration Manager guide. Use the information in this topic to help you configure the following security-related options: Configure Settings for Client PKI Certificates Configure Signing and Encryption Configure Role-Based Administration Manage Accounts that Are Used by Configuration Manager

Configure Settings for Client PKI Certificates

If you want to use public key infrastructure (PKI) certificates for client connections to site systems that use Internet Information Services (IIS), use the following procedure to configure settings for these certificates. To configure client PKI certificate settings 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, click Sites, and then click the primary site to configure. 3. On the Home tab, in the Properties group, click Properties, and then click the Client Computer Communication tab. Note This tab is available on a primary site only. If you do not see the Client Computer Communication tab, check that you are not connected to a central administration site or a secondary site. 4. Click HTTPS only when you want clients that are assigned to the site to always use a client PKI certificate when they connect to site systems that use IIS. Or, click HTTPS or HTTP when you do not require clients to use PKI certificates. 5. If you selected HTTPS or HTTP, click Use client PKI certificate (client authentication capability) when available when you want to use a client PKI certificate for HTTP connections. The client uses this certificate instead of a self-signed certificate to authenticate itself to site systems. This option is automatically selected if you select HTTPS only. Note When clients are detected to be on the Internet, or they are configured for
665

Internet-only client management, they always use a client PKI certificate. 6. Click Modify to configure your chosen client selection method for when more than one valid PKI client certificate is available on a client, and then click OK. Note For more information about the client certificate selection method, see Planning for PKI Client Certificate Selection. 7. Select or clear the check box for clients to check the Certificate Revocation list (CRL). Note For more information about CRL checking for clients, see Planning for PKI Certificate Revocation. 8. If you must specify trusted root certification authority (CA) certificates for clients, click Set, import the root CA certificate files, and then click OK. Note For more information about this setting, see Planning for the PKI Trusted Root Certificates. 9. Click OK to close the properties dialog box for the site. Repeat this procedure for all primary sites in the hierarchy.

Configure Signing and Encryption

Configure the most secure signing and encryption settings for site systems that all clients in the site can support. These settings are especially important when you let clients communicate with site systems by using self-signed certificates over HTTP. To configure signing and encryption for a site 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, click Sites, and then click the primary site to configure. 3. On the Home tab, in the Properties group, click Properties, and then click the Signing and Encryption tab. Note This tab is available on a primary site only. If you do not see the Signing and Encryption tab, check that you are not connected to a central administration site or a secondary site. 4. Configure the signing and encryption options that you want, and then click OK. Warning Do not select Require SHA-256 without first verifying that all clients that might be assigned to the site can support this hash algorithm, or they have a valid PKI
666

client authentication certificate. You might have to install updates or hotfixes on clients to support SHA-256. For example, computers that run Windows Server 2003 SP2 must install a hotfix that is referenced in the KB article 938397. If you select this option and clients cannot support SHA-256 and use self-signed certificates, Configuration Manager rejects them. In this scenario, the SMS_MP_CONTROL_MANAGER component logs the message ID 5443. 5. Click OK to close the Properties dialog box for the site. Repeat this procedure for all primary sites in the hierarchy.

Configure Role-Based Administration

Use the information in this section to help you configure role-based administration in Configuration Manager. Role-based administration combines security roles, security scopes, and assigned collections to define the administrative scope for each administrative user. An administrative scope includes the objects that an administrative user can view in the Configuration Manager console, and the tasks related to those objects that the administrative user has permission to perform. Role-based administration configurations are applied at each site in a hierarchy. The information in the following procedures can help you create and configure role-based administration and related security settings. Create Custom Security Roles Configure Security Roles Configure Security Scopes for an Object Configure Collections to Manage Security Create a New Administrative User Modify the Administrative Scope of an Administrative User Important Role-based administration uses security roles, security scopes, and collections. These combine to define an administrative scope for each administrative user. Your own administrative scope defines the objects and settings that you can assign when you configure role-based administration for another administrative user.

Create Custom Security Roles

Configuration Manager provides several built-in security roles. If you require additional security roles, you can create a custom security role by creating a copy of an existing security role, and then modifying the copy. You might create a custom security role to grant administrative users the additional security permissions they require that are not included in a currently assigned security

667

role. By using a custom security role, you can grant them only the permissions they require, and avoid assigning a security role that grants more permissions than they require. Use the following procedure to create a new security role by using an existing security role as a template. To create custom security roles 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Security, and then click Security Roles. Use one of the following processes to create the new security role: To create a new custom security role, perform the following actions: i. ii. Select an existing security role to use as the source for the new security role. On the Home tab, in the Security Role group, click Copy. This creates a copy of the source security role.

iii. In the Copy Security Role wizard, specify a Name for the new custom security role. iv. In Security operation assignments, expand each Security Operations node to display the available actions. v. To change the setting for a security operation, click the down arrow in the Value column, and then select either Yes or No. Caution When you configure a custom security role, ensure not to grant permissions that are not required by administrative users that are associated with the new security role. For example, the Modify value for the Security Roles security operation grants administrative users permission to edit any accessible security role, even if they are not associated with that security role. vi. After you configure the permissions, click OK to save the new security role. To import a security role that was exported from another System Center 2012 Configuration Manager hierarchy, perform the following actions: i. ii. On the Home tab, in the Create group, click Import Security Role. Specify the .xml file that contains the security role configuration that you want to import, and click Open to complete the procedure and save the security role. Note After you import a security role, you can edit the security role properties to change the object permissions that are associated with the security role.

668

Configure Security Roles

The groups of security permissions that are defined for a security role are called security operation assignments. Security operation assignments represent a combination of object types and actions that are available for each object type. You can modify which security operations are available for any custom security role, but you cannot modify the built-in security roles that Configuration Manager provides. Use the following procedure to modify the security operations for a security role. To modify security roles 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Security, and then click Security Roles. 3. Select the custom security role that you want to modify. 4. On the Home tab, in the Properties group, click Properties. 5. Click the Permissions tab. 6. In Security operation assignments, expand each Security Operations node to display the available actions. 7. To change the setting for a security operation, click the down arrow in the Value column, and then select either Yes or No. Caution When you configure a custom security role, ensure not to grant permissions that are not required by administrative users that are associated with the new security role. For example, the Modify value for the Security Roles security operation grants administrative users permission to edit any accessible security role, even if they are not associated with that security role. 8. When you have finished configuring security operation assignments, click OK to save the new security role.

Configure Security Scopes for an Object

You manage the association of a security scope for an object from the object and not from the security scope. The only direct configurations that security scopes support are changes to its name and description. To change the name and description of a security scope when you view the security scope properties, you must have the Modify permission for the Security Scopes securable object. When you create a new object in Configuration Manager, the new object is associated with each security scope that is associated with the security roles of the account that is used to create the object when those security roles provide the Create permission, or Set Security Scope permission. Only after the object is created, can you change the security scopes it is associated with.

669

For example, you are assigned a security role that grants you permission to create a new boundary group. When you create a new boundary group, you have no option to which you can assign specific security scopes. Instead, the security scopes available from the security roles you are associated with are automatically assigned to the new boundary group. After you save the new boundary group, you can edit the security scopes associated with the new boundary group. Use the following procedure to configure the security scopes assigned to an object. To configure security scopes for an object 1. In the Configuration Manager console, select an object that supports assignment to a security scope. 2. On the Home tab, in the Classify group, click Set Security Scopes. 3. In the Set Security Scopes dialog box, select or clear the security scopes that this object is associated with. Each object that supports security scopes must be assigned to at least one security scope. 4. Click OK to save the assigned security scopes. Note When you create a new object, you can assign the object to multiple security scopes. To modify the number of security scopes associated with the object, you must change this assignment after the object is created.

Configure Collections to Manage Security

There are no procedures to configure collections for role-based administration. Collections do not have a role-based administration configuration; instead, you assign collections to an administrative user when you configure the administrative user. The collection security operations that are enabled in the users assigned security roles determine the permissions an administrative user has for collections and collection resources (collection members). When an administrative user has permissions to a collection, they also have permissions to collections that are limited to that collection. For example, your organization uses a collection named All Desktops, and there exist a collection named All North America Desktops that is limited to the All Desktops collection. If an administrative user has permissions to All Desktops, they also have those same permissions to the All North America Desktops collection. In addition, an administrative user cannot use the Delete or Modify permission on collection that is directly assigned to them, but can use these permissions on the collections that are limited to that collection. Using the previous example, the administrative user can delete or modify the All North America Desktops collection, but cannot delete or modify the All Desktops collection.

Create a New Administrative User

To grant individuals or members of a security group access to manage Configuration Manager, create an administrative user in Configuration Manager and specify the Windows account of the User or User Group. Each administrative user in Configuration Manager must be assigned at
670

least one security role and one security scope. You can also assign collections to limit the administrative scope of the administrative user. Use the following procedures to create new administrative users. To create a new administrative user 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Security, and then click Administrative Users. 3. On the Home tab, in the Create group, click Add User or Group. 4. Click Browse and then select the user account or group to use for this new administrative user. Note For console-based administration, only domain users or security groups can be specified as an administrative user. 5. For Associated security roles, click Add to open a list of the available security roles, select the check box for one or more security roles, and then click OK. 6. Select one of the following two options to define the securable object behavior for the new user: All securable objects that are relevant to their associated security roles: This option associates the administrative user with the All security scope and the root level, built-in collections for All Systems, and All Users and User Groups. The security roles assigned to the user define access to objects. New objects that this administrative user creates are assigned to the Default security scope. Only securable objects in specified security scopes or collections: By default, this option associates the administrative user with the Default security scope and the All Systems and All Users and User Groups collections. However, the actual security scopes and collections are limited to those that are associated with the account that you used to create the new administrative user. This option supports the addition or removal of security scopes and collections to customize the administrative scope of the administrative user. Important The preceding options associate each assigned security scope and collection to each security role assigned to the administrative user. A third option, Only securable objects as determined by the security roles of the administrative user, can be used to associate individual security roles to specific security scopes and collections. This third option is available after you create the new administrative user, when you modify the administrative user. 7. Depending on your selection in step 6, take the following action: If you selected All securable objects that are relevant to their associated security roles, click OK to complete this procedure. If you selected Only securable objects in specified security scopes or
671

collections, you can click Add to select additional collections and security scopes, or select one or more objects in the list, and then click Remove to remove them. Click OK to complete this procedure.

Modify the Administrative Scope of an Administrative User

You can modify the administrative scope of an administrative user by adding or removing security roles, security scopes, and collections that are associated with the user. Each administrative user must be associated with at least one security role and one security scope. You might have to assign one or more collections to the administrative scope of the user. Most security roles interact with collections and do not function correctly without an assigned collection. When you modify an administrative user, you can change the behavior for how securable objects are associated with the assigned security roles. The three behaviors that you can select are as follows: All securable objects that are relevant to their associated security roles : This option associates the administrative user with the All scope and the root level built-in collections for All Systems, and All Users and User Groups. The security roles that are assigned to the user define access to objects. Only securable objects in specified security scopes or collections: This option associates the administrative user to the same security scopes and collections that are associated to the account you use to configure the administrative user. This option supports the addition or removal of security roles and collections to customize the administrative scope of the administrative user. Only securable objects as determined by the security roles of the administrative user: This option lets you create specific associations between individual security roles and specific security scopes and collections for the user. Note This option is available only when you modify the properties of an administrative user. The current configuration for the securable object behavior changes the process that you use to assign additional security roles. Use the following procedures that are based on the different options for securable objects to help you manage an administrative user. Use the following procedure to view and manage the configuration for securable objects for an administrative user: To view and manage the securable object behavior for an administrative user 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Security, and then click Administrative Users. 3. Select the administrative user that you want to modify. 4. On the Home tab, in the Properties group, click Properties. 5. Click the Security Scopes tab to view the current configuration for securable objects for
672

this administrative user. 6. To modify the securable object behavior, select a new option for securable object behavior. After you change this configuration, reference the appropriate procedure for further guidance to configure security scopes and collections, and security roles for this administrative user. 7. Click OK to complete the procedure. Use the following procedure to modify an administrative user that has the securable object behavior set to All securable objects that are relevant to their associated security roles : Option: All securable objects that are relevant to their associated security roles 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Security, and then click Administrative Users. 3. Select the administrative user that you want to modify. 4. On the Home tab, in the Properties group, click Properties. 5. Click the Security Scopes tab to confirm that the administrative user is configured for All securable objects that are relevant to their associated security roles . 6. To modify the assigned security roles, click the Security Roles tab. To assign additional security roles to this administrative user, click Add, select the check box for each additional security role that you want to assign, and then click OK. To remove security roles, select one or more security roles from the list, and then click Remove.

7. To modify the securable object behavior, click the Security Scopes tab and select a new option for the securable object behavior. After you change this configuration, reference the appropriate procedure for further guidance to configure security scopes and collections, and security roles for this administrative user. Note When the securable object behavior is set to All securable objects that are relevant to their associated security roles, you cannot add or remove specific security scopes and collections. 8. Click OK to complete this procedure. Use the following procedure to modify an administrative user that has the securable object behavior set to Only securable objects in specified security scopes or collections. Option: Only securable objects in specified security scopes or collections 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Security, and then click Administrative Users. 3. Select the administrative user that you want to modify.
673

4. On the Home tab, in the Properties group, click Properties. 5. Click the Security Scopes tab to confirm that the user is configured for Only securable objects in specified security scopes or collections. 6. To modify the assigned security roles, click the Security Roles tab. To assign additional security roles to this user, click Add, select the check box for each additional security role that you want to assign, and then click OK. To remove security roles, select one or more security roles from the list, and then click Remove.

7. To modify the security scopes and collections associated with security roles, click the Security Scopes tab. To associate new security scopes or collections with all security roles that are assigned to this administrative user, click Add and select one of the four options. If you select Security Scope or Collection, select the check box for one or more objects to complete that selection, and then click OK. To remove a security scope or collection, select the object, and then click Remove.

8. Click OK to complete this procedure. Use the following procedure to modify an administrative user that has the securable object behavior set to Only securable objects as determined by the security roles of the administrative user. Option: Only securable objects as determined by the security roles of the administrative user 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Security, and then click Administrative Users. 3. Select the administrative user that you want to modify. 4. On the Home tab, in the Properties group, click Properties. 5. Click the Security Scopes tab to confirm that the administrative user is configured for Only securable objects in specified security scopes or collections. 6. To modify the assigned security roles, click the Security Roles tab. To assign additional security roles to this administrative user, click Add. On the Add Security Role dialog box, select one or more available security roles, click Add, and select an object type to associate with the selected security roles. If you select Security Scope or Collection, select the check box for one or more objects to complete that selection, and then click OK. Note You must configure at least one security scope before the selected security roles can be assigned to the administrative user. When you select multiple security roles, each security scope and collection that you configure is associated with each of the selected security roles. To remove security roles, select one or more security roles from the list, and then
674

click Remove. 7. To modify the security scopes and collections associated with a specific security role, click the Security Scopes tab, select the security role, and then click Edit. To associate new objects with this security role, click Add, and select an object type to associate with the selected security roles. If you select Security Scope or Collection, select the check box for one or more objects to complete that selection, and then click OK. Note You must configure at least a one security scope. To remove a security scope or collection that is associated with this security role, select the object, and then click Remove. When you have finished modifying the associated objects, click OK.

8. Click OK to complete this procedure. Caution When a security role grants administrative users the collection deployment permission, those administrative users can distribute objects from any security scope for which they have object read permissions, even if that security scope is associated with a different security role.

Manage Accounts that Are Used by Configuration Manager

Configuration Manager supports Windows accounts for many different tasks and uses. Use the following procedure to view which accounts are configured for different tasks, and to manage the password that Configuration Manager uses for each account. To manage accounts that are used by Configuration Manager 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Security, and then click Accounts to view the accounts that are configured for Configuration Manager. 3. To change the password for an account that is configured for Configuration Manager, select the account. 4. On the Home tab, in the Properties group, click Properties. 5. Click Set to open the Windows User Account dialog box and specify the new password for Configuration Manager to use for the account. Note The password that you specify must match the password that is specified for the account in Active Directory Users and Computers. 6. Click OK to complete the procedure.
675

See Also
Configure Sites and the Hierarchy in Configuration Manager

Configuring Discovery in Configuration Manager

Discovery identifies computer and user resources that you can manage by using Configuration Manager, and it also discovers network infrastructure in your environment. Use the information in the following sections to help you configure discovery in System Center 2012 Configuration Manager. How to Enable a Discovery Method Configure Heartbeat Discovery Configure Active Directory Discovery for Computers, Users, or Groups Configure Active Directory Forest Discovery Configure Network Discovery About Configuring Network Discovery How to Configure Network Discovery How to Verify that Network Discovery Has Finished

How to Enable a Discovery Method

With the exception of the Heartbeat Discovery method, you must enable all configurable discovery methods in Configuration Manager before they can discover resources on a network. You can also disable each method by using the same procedure you use to enable it. In addition to enabling a discovery method, you might have to configure it to successfully discover resources in your environment. Note Heartbeat Discovery is enabled when you install a Configuration Manager primary site and does not have to be enabled. Keep Heartbeat Discovery enabled as this method ensures that the discovery data records (DDRs) for devices are up-to-date. For more information about Heartbeat discovery, see About Heartbeat Discovery. To enable a discovery method 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Hierarchy Configuration, and click Discovery Methods. 3. Select the discovery method for the site where you want to enable discovery. 4. On the Home tab, in the Properties group, click Properties, and then on the General
676

tab, select the Enable <discovery method> check box. Note If this check box is already selected, you can disable the discovery method by clearing the check box. 5. Click OK to save the configuration.

Configure Active Directory Discovery for Computers, Users, or Groups

Use the information in the following sections to configure discovery of computers, users, or groups, by using one of the following discovery methods: Active Directory System Discovery Active Directory User Discovery Active Directory Group Discovery Note The information in this section does not apply to Active Directory Forest Discovery. While each of these discovery methods is independent of the others, they share similar options. For more information about these configuration options, see About Active Directory Discovery for Systems, Users, and Groups. Warning The Active Directory polling by each of these discovery methods can generate significant network traffic. Consider scheduling each discovery method to run at a time when this network traffic does not adversely affect business uses of your network. Use the following procedures to configure each discovery method. To configure Active Directory System Discovery 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Hierarchy Configuration, and then click Discovery Methods. 3. Select the method for the site where you want to configure discovery. 4. On the Home tab, in the Properties group, click Properties. 5. On the General tab, select the check box to enable discovery, or you can configure discovery now, and then return to enable discovery later. 6. Click the New icon to specify a new Active Directory container, and in the Active Directory Container dialog box, complete the following configurations: a. Specify one or more locations to search. b. For each location, specify options that modify the search behavior. c. For each location, specify the account to use as the Active Directory Discovery
677

Account. Tip For each location that you specify, you can configure a set of discovery options and a unique Active Directory Discovery Account. d. Click OK to save the Active Directory container configuration. 7. On the Polling Schedule tab, configure both the full discovery polling schedule and delta discovery. 8. Optionally, on the Active Directory Attributes tab, you can configure additional Active Directory attributes for computers that you want to discover. The default object attributes are also listed. 9. Optionally, on the Option tab, you can configure options to filter out, or exclude, stale computer records from discovery. 10. When you are have finished configuring Active Directory System Discovery for this site, click OK to save the configuration. To configure Active Directory User Discovery 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Hierarchy Configuration, and then click Discovery Methods. 3. Select the Active Directory User Discovery method for the site where you want to configure discovery. 4. On the Home tab, in the Properties group, click Properties. 5. On the General tab, select the check box to enable discovery, or you can configure discovery now, and return to enable discovery later. 6. Click the New icon to specify a new Active Directory container, and in the Active Directory Container dialog box, complete the following configurations: a. Specify one or more locations to search. b. For each location, specify options that modify the search behavior. c. For each location, specify the account to use as the Active Directory Discovery Account. Note For each location that you specify, you can configure a unique set of discovery options and a unique Active Directory Discovery Account. d. Click OK to save the Active Directory container configuration. 7. On the Polling Schedule tab, configure both the full discovery polling schedule and delta discovery. 8. Optionally, on the Active Directory Attributes tab, you can configure additional Active Directory attributes for computers that you want to discover. The default object attributes are also listed. 9. When you are have finished configuring Active Directory User Discovery for this site, click
678

OK to save the configuration. To configure Active Directory Group Discovery 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Hierarchy Configuration, and then click Discovery Methods. 3. Select the Active Directory Group Discovery method for the site where you want to configure discovery. 4. On the Home tab, in the Properties group, click Properties. 5. On the General tab, select the check box to enable discovery, or you can configure discovery now, and return to enable discovery later. 6. Click Add to configure a discovery scope, select either Groups or Location, and complete the following configurations in the Add Groups, or Add Active Directory Location dialog box: a. Specify a Name for this discovery scope. b. Specify an Active Directory Domain or Location to search: If you selected Groups, specify one or more Active Directory groups to be discovered. If you selected Location, specify an Active Directory container as a location to be discovered. You can also enable a recursive search of Active Directory child containers for this location.

c.

Specify the Active Directory Group Discovery Account that is used to search this discovery scope.

d. Click OK to save the discovery scope configuration. 7. Repeat step 6 for each additional discovery scope that you want to define. 8. On the Polling Schedule tab, configure both the full discovery polling schedule and delta discovery. 9. Optionally, on the Option tab, you can configure options to filter out, or exclude, stale computer records from discovery, and to discover the membership of distribution groups. Note By default, Active Directory Group Discovery discovers only the membership of security groups. 10. When you have finished configuring Active Directory Group Discovery for this site, click OK to save the configuration.

Configure Active Directory Forest Discovery

To complete the configuration of Active Directory Forest Discovery, you must configure settings in two locations:

679

In the Discovery Methods node, you can enable this discovery method, set a polling schedule, and select whether discovery automatically creates boundaries for the Active Directory sites and subnets that it discovers. In the Active Directory Forests node, you can add forests that you want to discover, enable discovery of Active Directory sites and subnets in that forest, configure settings that enable Configuration Manager sites to publish their site information to the forest, and assign an account to use as the Active Directory Forest Account for each forest.

Use the following procedures to enable Active Directory Forest discovery, and to configure individual forests for use with Active Directory Forest Discovery. To enable Active Directory Forest Discovery 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Hierarchy Configuration, and then click Discovery Methods. 3. Select the Active Directory Forest Discovery method for the site where you want to configure discovery. 4. On the Home tab, in the Properties group, click Properties. 5. On the General tab, select the check box to enable discovery, or you can configure discovery now, and return to enable discovery later. 6. Specify options to create site boundaries for discovered locations. 7. Specify a schedule for when discovery runs. 8. When you complete the configuration of Active Directory Forest Discovery for this site, click OK to save the configuration. To configure a forest for Active Directory Forest Discovery 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, click Active Directory Forests. If Active Directory Forest Discovery has previously run, you see each discovered forest in the results pane. The local forest and any trusted forests are discovered when Active Directory Forest Discovery runs. Only untrusted forests must be manually added. To configure a previously discovered forest, select the forest in the results pane, and then on the Home tab, in the Properties group, click Properties to open the forest properties. Continue with step 3. To configure a new forest that is not listed, on the Home tab, in the Create group, click Add Forest to open the Add Forests dialog box. Continue with step 3.

3. On the General tab, complete configurations for the forest that you want to discover and specify the Active Directory Forest Account. Note Active Directory Forest Discovery requires a global account to discover and publish to untrusted forests. If you do not use the computer account of the site server, you can only select a global account.
680

4. If you plan to allow sites to publish site data to this forest, on the Publishing tab, complete configurations for publishing to this forest. Note If you enable sites to publish to a forest, you must extend the Active Directory schema of that forest for Configuration Manager, and the Active Directory Forest Account must have Full Control permissions to the System container in that forest. 5. When you complete the configuration of this forest for use with Active Directory Forest Discovery, click OK to save the configuration.

Configure Heartbeat Discovery

By default, Heartbeat Discovery is enabled when you install a Configuration Manager primary site. As a result, you only have to configure the schedule for how often clients send the Heartbeat Discovery data record (DDRs) to a management point. Although Heartbeat Discovery is enabled by default, if it is disabled, you can re-enable it like any other discovery method. For more information, see How to Enable a Discovery Method. Note If both client push installation and the site maintenance task for Clear Install Flag are enabled at the same site, set the schedule of Heartbeat Discovery to be less than the Client Rediscovery period of the Clear Install Flag site maintenance task. For more information about site maintenance tasks, see Configure Maintenance Tasks for Configuration Manager Sites. To configure the Heartbeat Discovery schedule 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Hierarchy Configuration, and then click Discovery Methods. 3. Select Heartbeat Discovery for the site where you want to configure Heartbeat Discovery. 4. On the Home tab, in the Properties group, click Properties. 5. Configure the frequency with which clients submit a Heartbeat discovery data records (DDRs), and then click OK to save the configuration.

Configure Network Discovery

Use the information in the following sections to help you configure Network Discovery.

About Configuring Network Discovery

Before you configure Network Discovery, you must understand the following:
681

Available levels of Network Discovery Available Network Discovery options Limiting Network Discovery on the network

For more information, see the section About Network Discovery in the Planning for Discovery in Configuration Manager topic. The following sections provide information about common configurations for Network Discovery. You can configure one or more of these configurations for use during the same discovery run. If you use multiple configurations, you must plan for the interactions that can affect the discovery results. For example, you might want to discover all SNMP devices that use a specific SNMP Community name. Additionally, for the same discovery run, you might disable discovery on a specific subnet. When discovery runs, Network Discovery does not discover the SNMP devices with the specified community name on the subnet that you have disabled.

Determine your Network Topology

You can use a topology-only discovery to map your network. This kind of discovery does not discover potential clients. The topology-only Network Discovery relies on SNMP. When mapping your network topology, you must configure the Maximum hops on the SNMP tab in the Network Discovery Properties dialog box. Just a few hops can help control the network bandwidth that is used when discovery runs. As you discover more of your network, you can increase the number of hops to gain a better understanding of your network topology. After you understand your network topology, you can configure additional properties for Network Discovery to discover potential clients and their operating systems while you are using available configurations to limit the network segments that Network Discovery can search.

Limit Searches by Using Subnets

You can configure Network Discovery to search specific subnets during a discovery run. By default, Network Discovery searches the subnet of the server that runs discovery. Any additional subnets that you configure and enable apply only to Simple Network Management Protocol (SNMP) and Dynamic Host Configuration Protocol (DHCP) search options. When Network Discovery searches domains, it is not limited by configurations for subnets. If you specify one or more subnets on the Subnets tab in the Network Discovery Properties dialog box, only the subnets that are marked as Enabled are searched. When you disable a subnet, it is excluded from discovery, and the following conditions apply: SNMP-based queries do not run on the subnet DHCP servers do not reply with a list of resources located on the subnet Domain-based queries can discover resources that are located on the subnet

682

Search a Specific Domain

You can configure Network Discovery to search a specific domain or set of domains during a discovery run. By default, Network Discovery searches the local domain of the server that runs discovery. If you specify one or more domains on the Domains tab in the Network Discovery Properties dialog box, only the domains that are marked as Enabled are searched. When you disable a domain, it is excluded from discovery, and the following conditions apply: Network Discovery does not query domain controllers in that domain SNMP-based queries can still run on subnets in the domain DHCP servers can still reply with a list of resources located in the domain

Limit Searches by Using SNMP Community Names

You configure Network Discovery to search a specific SNMP community or set of communities during a discovery run. By default, the community name of public is configured for use. Network Discovery uses community names to gain access to routers that are SNMP devices. A router can supply Network Discovery with information about other routers and subnets that are linked to the first router. Note SNMP community names resemble passwords. Network Discovery can get information only from an SNMP device for which you have specified a community name. Each SNMP device can have its own community name, but often the same community name is shared among several devices. Additionally, most SNMP devices have a default community name of public. However, some organizations delete the public community name from their devices as a security precaution. If multiple SNMP communities are displayed on the SNMP tab in the Network Discovery Properties dialog box, Network Discovery searches them in the order in which they are displayed. To help minimize network traffic that is generated by attempts to contact a device by using different names, ensure that the most frequently used names are at the top of the list. Note In addition to using the SNMP Community name, you can specify the IP address or resolvable name of a specific SNMP device. You configure the IP address or resolvable name for a specific device on SNMP Devices tab in the Network Discovery Properties dialog box.

Search a Specific DHCP Server

You can configure Network Discovery to use a specific DHCP server or multiple servers to discover DHCP clients during a discovery run. Network Discovery searches each DHCP server that you specify on the DHCP tab in the Network Discovery Properties dialog box. If the server that is running discovery leases its IP
683

address from a DHCP server, you can configure discovery to search that DHCP server by selecting the Include the DHCP server that the site server is configured to use check box. Note To successfully configure a DHCP server in Network Discovery, your environment must support IPv4. You cannot configure Network Discovery to use a DHCP server in a native IPv6 environment.

How to Configure Network Discovery

Use the following procedures to first discover only your network topology, and then to configure Network Discovery to discover potential clients by using one or more of the available Network Discovery options. To determine your network topology 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Hierarchy Configuration, and then click Discovery Methods. 3. Select Network Discovery for the site where you want to run Network Discovery. 4. On the Home tab, in the Properties group, click Properties. On the General tab, select the Enable network discovery check box, and then select Topology from the Type of discovery options. On the Subnets tab, select the Search local subnets check box.

Tip If you know the specific subnets that constitute your network, you can clear the Search local subnets check box and use the New icon to add the specific subnets that you want to search. For large networks, it is often best to search only one or two subnets at a time to minimize the use of network bandwidth. On the Domains tab, select the Search local domain check box. On the SNMP tab, use the Maximum hops drop-down list to specify how many router hops Network Discovery can take in mapping your topology. Tip When you first map your network topology, configure just a few router hops to minimize the use of network bandwidth. 5. On the Schedule tab, click the New icon Discovery. to set a schedule for running Network

Note You cannot assign a different discovery configuration to separate Network Discovery schedules. Each time Network Discovery runs, it uses the current discovery configuration.
684

6. Click OK to accept the configurations. Network Discovery runs at the scheduled time. To configure Network Discovery 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Hierarchy Configuration, and then click Discovery Methods. 3. Select Network Discovery for the site where you want to run Network Discovery. 4. On the Home tab, in the Properties group, click Properties. 5. On the General tab, select the Enable network discovery check box, and then select the type of discovery that you want to run from the Type of discovery options. 6. To configure discovery to search subnets, click the Subnets tab, and on the Subnets tab, configure one or more of the following options: i. To run discovery on subnets that are local to the computer that runs discovery, select the Search local subnets check box. To search a specific subnet, the subnet must be listed in Subnets to search, and have a Search value of Enabled:

If the subnet is not listed, click the New icon . In the New Subnet Assignment dialog box, enter the Subnet and Mask information, and then click OK. By default, a new subnet is enabled for search. ii. To change the Search value for a listed subnet, select the subnet, and then click the Toggle icon to toggle the value between Disabled and Enabled.

7. To configure discovery to search domains, click the Domains tab, and on the Domains tab, configure one or more of the following options: i. To run discovery on the domain of the computer that runs discovery, select the Search local domain check box. To search a specific domain, the domain must be listed in Domains and have a Search value of Enabled:

If the domain is not listed, click the New icon , and in the Domain Properties dialog box, enter the Domain information, and then click OK. By default, a new domain is enabled for search. ii. To change the Search value for a listed domain, select the domain, and then click the Toggle icon to toggle the value between Disabled and Enabled.

8. To configure discovery to search specific SNMP community names for SNMP devices, click the SNMP tab, and on the SNMP tab, configure one or more of the following options: To add an SNMP community name to the list of SNMP Community names, click the New icon , and in the New SNMP Community Name dialog box, specify the Name of the SNMP community, and then click OK. To remove an SNMP community name, select the community name, and then click the Delete icon . To adjust the search order of SNMP community names, select a community name, and then click the Move Item Up icon , or the Move Item Down icon . When discovery runs,
685

community names are searched in a top-to-bottom order. Note Network Discovery uses SNMP community names to gain access to routers that are SNMP devices. A router can inform Network Discovery about other routers and subnets linked to the first router. SNMP community names resemble passwords. Network Discovery can get information only from an SNMP device for which you have specified a community name. Each SNMP device can have its own community name, but often the same community name is shared among several devices Most SNMP devices have a default community name of Public which can be used if you do not know any other community names. However, some organizations delete the Public community name from their devices as a security precaution.

9. To configure the maximum number of router hops for use by SNMP searches, click the SNMP tab, and on the SNMP tab, select the number of hops from the Maximum hops drop-down list. 10. To configure SNMP Devices, click the SNMP Devices tab, and on the SNMP tab, if the device is not listed, click the New icon . In the New SNMP Device dialog box, specify the IP address or device name of the SNMP device, and then click OK. Note If you specify a device name, Configuration Manager must be able to resolve the NetBIOS name to an IP address. 11. To configure discovery to query specific DHCP servers for DHCP clients, click the DHCP tab, and on the DHCP tab, configure one or more of the following options: To query the DHCP server on the computer that is running discovery, select the Always use the site servers DHCP server check box. Note To use this option, the server must lease its IP address from a DHCP server and cannot use a static IP address. To query a specific DHCP server, click the New icon , and in the New DHCP Server dialog box, specify the IP address or server name of the DHCP server, and then click OK. Note If you specify a server name, Configuration Manager must be able to resolve the NetBIOS name to an IP address. 12. To configure when discovery runs, click the Schedule tab, and on the Schedule tab, click the New icon to set a schedule for running Network Discovery. You can configure multiple schedules for Network Discovery that include multiple recurring schedules and multiple schedules that have no recurrence.

686

Note If multiple schedules are displayed on the Schedule tab at the same time, all schedules result in a run of Network Discovery as it is configured at the time indicated in the schedule. This is also true for recurring schedules. 13. Click OK to save your configurations.

How to Verify that Network Discovery Has Finished

The time that Network Discovery requires to complete can vary depending on a variety of factors. These factors can include one or more of the following: The size of your network The topology of your network The maximum number of hops that are configured to find routers in the network The type of discovery that is being run

Because Network Discovery does not create messages to alert you when discovery has finished, you can use the following procedure to verify when discovery has finished. To verify that Network Discovery has finished 1. In the Configuration Manager console, click Monitoring. 2. In the Monitoring workspace, expand System Status, and then click Status Message Queries. 3. Select All Status Messages. 4. On the Home tab, in the Status Message Queries group, click Show Messages. 5. Select the Select date and time drop-down list and select a value that includes how long ago the discovery started, and then click OK to open the Configuration Manager Status Message Viewer. Tip You can also use the Specify date and time option to select a given date and time that you ran discovery. This option is useful when you ran Network Discovery on a given date and want to retrieve messages from only that date. 6. To validate that Network Discovery has finished, search for a status message that has the following details: Message ID: 502 Component: SMS_NETWORK_DISCOVERY Description: This component stopped

If this status message is not present, Network Discovery has not finished. 7. To validate when Network Discovery started, search for a status message that has the following details: Message ID: 500
687

Component: SMS_NETWORK_DISCOVERY Description: This component started

This information verifies that Network Discovery started. If this information is not present, reschedule Network Discovery.

See Also
Configure Sites and the Hierarchy in Configuration Manager

Configuring Sites to Publish to Active Directory Domain Services

Before Configuration Manager can publish site data to Active Directory Domain Services, the Active Directory schema must be extended to create the necessary classes and attributes, the System Management container must be created, and the primary site servers computer account must be granted full control of the System Management container and all of its child objects. Each site publishes its own site-specific information to the System Management container within its domain partition in the Active Directory schema. For information about extending the Active Directory schema, see the Prepare Active Directory for Configuration Manager section in the Prepare the Windows Environment for Configuration Manager topic.

Use the following procedures to configure an Active Directory forest for publishing, and to configure a site to publish to an Active Directory forest that is enabled for publishing. To configure Active Directory forests for publishing: 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, click Active Directory Forests. If Active Directory Forest Discovery has previously run, you see each discovered forest in the results pane. The local forest and any trusted forests are discovered when Active Directory Forest Discovery runs. Only untrusted forests must be manually added. To configure a previously discovered forest, select the forest in the results pane, and then on the Home tab, in the Properties group, click Properties to open the forest properties. Continue with step 3. To configure a new forest that is not listed, on the Home tab, in the Create group, click Add Forest to open the Add Forests dialog box. Continue with step 3.

3. On the General tab, complete configurations for the forest that you want to discover and specify the Active Directory Forest Account. Note
688

Active Directory Forest Discovery requires a global account to discover and publish to untrusted forests. If you do not use the computer account of the site server, you can only select a global account. 4. If you plan to allow sites to publish site data to this forest, on the Publishing tab, complete configurations for publishing to this forest. Note If you enable sites to publish to a forest, you must extend the Active Directory schema of that forest for Configuration Manager, and the Active Directory Forest Account must have Full Control permissions to the System container in that forest. 5. When you complete the configuration of this forest for use with Active Directory Forest Discovery, click OK to save the configuration. To enable a Configuration Manager site to publish site information to Active Directory forest: 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration and click Sites. Select the site that you want to configure to have publish its site data, and then on the Home tab, in the Properties group, click Properties. 3. On the Publishing tab of the sites properties, select the forests to which this site will publish site data. 4. Click Ok to save the configuration.

See Also
Configure Sites and the Hierarchy in Configuration Manager

Configuring Settings for Client Management in Configuration Manager

Use the following sections in this topic to help you configure client management settings in System Center 2012 Configuration Manager. Configure Client Settings for Configuration Manager Configure Settings for Client Approval and Conflicting Client Records Configure a Fallback Site for Automatic Site Assignment Configure Client Communication Port Numbers Configure Custom Websites Configure Wake on LAN Configure Maintenance Windows
689

Configure Client Settings for Configuration Manager

Note The information in this section also appears in How to Configure Client Settings in Configuration Manager. You manage all client settings in System Center 2012 Configuration Manager from the Client Settings node in the Administration workspace of the Configuration Manager console. Modify the default settings when you want to configure settings for all users and devices in the hierarchy. If you want to apply different settings to just some users or devices, create custom settings and assign these to collections. Use one of the following procedures to configure client settings:

How to Configure the Default Client Settings

Use the following procedure to configure the default client settings for all clients in the hierarchy. To configure the default client settings 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, click Client Settings, and then select Default Client Settings. 3. On the Home tab, click Properties. 4. View and configure the client settings for each group of settings in the navigation pane. For more information about each setting, see About Client Settings in Configuration Manager. 5. Click OK to close the Default Client Settings dialog box.

How to Create and Deploy Custom Client Settings

Use the following procedure to configure and deploy custom settings for a selected collection of users or devices. When you deploy these custom settings, they override the default client settings. Note Before you begin this procedure, ensure that you have a collection that contains the users or devices that require these custom client settings. To configure and assign custom client settings 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, click Client Settings. 3. On the Home tab, in the Create group, click Create Custom Client Settings, and then
690

click one of the following options depending on whether you want to create custom client settings for devices or for users: Create Custom Client Device Settings Create Custom Client User Settings

4. In the Create Custom Client Device Settings or Create Custom Client User Settings dialog box, specify a unique name for the custom settings, and an optional description. 5. Select one or more of the available check boxes that display a group of settings. 6. Click the first group settings from the navigation pane, and then view and configure the available custom settings. Repeat this process for any remaining group settings. For information about each client setting, see About Client Settings in Configuration Manager. 7. Click OK to close the Create Custom Client Device Settings or Create Custom Client User Settings dialog box. 8. Select the custom client setting that you have just created. On the Home tab, in the Client Settings group, click Deploy. 9. In the Select Collection dialog box, select the collection that contains the devices or users to be configured with the custom settings, and then click OK. You can verify the assigned collection if you click the Assignments tab in the details pane. 10. View the order of the custom client setting that you have just created. When you have multiple custom client settings, they are applied according to their order number. If there are any conflicts, the setting that has the lowest order number overrides the other settings. To change the order number, in the Home tab, in the Client Settings group, click Move Item Up or Move Item Down.

Configure Settings for Client Approval and Conflicting Client Records

Specify settings for client approval and conflicting client records to help Configuration Manager securely identify clients. These settings apply to the hierarchy for all clients. Configure approval for when clients do not use a PKI certificate for client authentication. Configure settings for conflicting records for when Configuration Manager detects duplicate hardware IDs and cannot resolve the conflict. Configuration Manager uses the hardware ID to attempt to identify clients that might be duplicates and alert you to the conflicting records. For example, if you reinstall a computer, the hardware ID would be the same but the GUID used by Configuration Manager might be changed. When Configuration Manager can resolve a conflict by using Windows authentication of the computer account or a PKI certificate from a trusted source, the conflict is automatically resolved for you. However, when Configuration Manager cannot resolve the conflict, it uses a hierarchy setting that either automatically merges the records when it detects duplicate hardware IDs (the default setting), or allows you to decide when to merge, block, or create new client records. If you decide to manually manage duplicate records, you must manually resolve the conflicting records by using the Configuration Manager console. To configure hierarchy settings for client approval and conflicting client records
691

1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, and then click Sites. 3. On the Home tab, in the Sites group, click Hierarchy Settings, and then click the Client Approval and Conflicting Records tab. 4. Configure options that you require for all clients in the hierarchy, and then click OK to close the properties dialog box. To manually approve clients, see Managing Clients from the Devices Node. To resolve conflicting records, see Manage Conflicting Records for Configuration Manager Clients.

Configure a Fallback Site for Automatic Site Assignment

You can specify a hierarchy-wide fallback site for automatic site assignment. The fallback site is assigned to a new client that is configured to automatically discover its site when that client is on a network boundary that is not associated with any boundary group configured for site assignment. To configure a fallback site for automatic site assignment 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration and select Sites. 3. On the Home tab, in the Sites group, click Hierarchy Settings. 4. On the General tab, select the checkbox for Use a fallback site, and then select a site from the Fallback site drop-down list. 5. Click OK to save the configuration.

Configure Client Communication Port Numbers

The information in this section also appears in How to Configure Client Communication Port Numbers in Configuration Manager You can change the request port numbers that System Center 2012 Configuration Manager clients use to communicate with site systems that use HTTP and HTTPS for communication. For Configuration Manager SP1 only, you can also specify a client notification port if you do not want to use HTTP or HTTPS. Although HTTP or HTTPS is more likely to be already configured for firewalls, client notification that uses HTTP or HTTPS requires more CPU usage and memory on the management point computer than if you use a custom port number. For all versions of Configuration Manager, you can also specify the site port number to use if you wake up clients by using traditional wake-up packets.

692

When you specify HTTP and HTTPS request ports, you can specify both a default port number and an alternative port number. Clients automatically try the alternative port after communication fails with the default port. You can specify settings for HTTP and HTTPS data communication. The default values for client request ports are 80 for HTTP traffic and 443 for HTTPS traffic. Change them only if you do not want to use these default values. A typical scenario for using custom ports is when you use a custom website in IIS rather than the default website. If you change the default port numbers for the default website in IIS and other applications also use the default website, they are likely to fail. Important Do not change the port numbers in Configuration Manager without understanding the consequences. Examples: If you change the port numbers for the client request services as a site configuration and existing clients are not reconfigured to use the new port numbers, these clients will become unmanaged. Before you configure a nondefault port number, make sure that firewalls and all intervening network devices can support this configuration and reconfigure them as necessary. If you will manage clients on the Internet and change the default HTTPS port number of 443, routers and firewalls on the Internet might block this communication.

To make sure that clients do not become unmanaged after you change the request port numbers, clients must be configured to use the new request port numbers. When you change the request ports on a primary site, any attached secondary sites automatically inherit the same port configuration. Use the procedure in this topic to configure the request ports on the primary site. Note For Configuration Manager SP1 only: For information about how to configure the request ports for clients on computers that run Linux and UNIX, see Configure Request Ports for the Client for Linux and UNIX. When the Configuration Manager site is published to Active Directory Domain Services, new and existing clients that can access this information will automatically be configured with their site port settings and you do not need to take further action. Clients that cannot access this information published to Active Directory Domain Services include workgroup clients, clients from another Active Directory forest, clients that are configured for Internet-only, and clients that are currently on the Internet. If you change the default port numbers after these clients have been installed, reinstall them and install any new clients by using one of the following methods: Reinstall the clients by using the Client Push Installation Wizard. Client push installation automatically configures clients with the current site port configuration. For more information about how to use the Client Push Installation Wizard, see How to Install Configuration Manager Clients by Using Client Push. Reinstall the clients by using CCMSetup.exe and the client.msi installation properties of CCMHTTPPORT and CCMHTTPSPORT. For more information about these properties, see How to Install Configuration Manager Clients by Using Client Push.

693

Reinstall the clients by using a method that searches Active Directory Domain Services for Configuration Manager client installation properties. For more information, see About Client Installation Properties Published to Active Directory Domain Services in Configuration Manager.

To reconfigure the port numbers for existing clients, you can also use the script PORTSWITCH.VBS that is provided with the installation media in the SMSSETUP\Tools\PortConfiguration folder. Important For existing and new clients that are currently on the Internet, you must configure the non-default port numbers by using the CCMSetup.exe client.msi properties of CCMHTTPPORT and CCMHTTPSPORT. After changing the request ports on the site, new clients that are installed by using the site-wide client push installation method will be automatically configured with the current port numbers for the site. To configure the client communication port numbers for a site 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, click Sites, and select the primary site to configure. 3. In the Home tab, click Properties, and then click the Ports tab. 4. Select any of the items and click the Properties icon to display the Port Detail dialog box. 5. In the Port Detail dialog box, specify the port number and description for the item, and then click OK. 6. Select Use custom web site if you will use the custom website name of SMSWeb for site systems that run IIS. 7. Click OK to close the properties dialog box for the site. Repeat this procedure for all primary sites in the hierarchy.

Configure Custom Websites

Before you configure Configuration Manager to use a custom website, review the planning information in Planning for Custom Websites with Configuration Manager. Most Configuration Manager site system roles automatically configure to use a custom website, however the following site system roles require you to manually configure the custom website. Application Catalog web service point Application Catalog website point Enrollment point Enrollment proxy point

For these sites system roles, you must specify the custom website during the site system role installation. If any of these site system roles are already installed when you enable custom
694

websites for the site, uninstall these site system roles, and then reinstall them. When you reinstall these site system roles, specify the custom website name of SMSWEB, and configure the port numbers. Use the following procedures to enable custom websites at a Configuration Manager site and then verify that they were successfully created. For information about configuring ports for client communication, see Configure Client Communication Port Numbers.at a Configuration Manager site and then verify that they were successfully created. For information about configuring ports for client communication, see Configure Client Communication Port Numbers.

How to Configure a Configuration Manager Site to Use a Custom Website

When you enable the site option to use a custom website, all client communications for that primary site and its secondary sites are directed to use a custom website named SMSWEB on each site system server instead of the IIS default website. Use the following procedures to enable custom websites at a Configuration Manager site and then verify that they were successfully created. For information about configuring ports for client communication, see Configure Client Communication Port Numbers. Note Before you use this procedure, make sure that you have manually created the custom website named SMSWEB in IIS. When you enable the Configuration Manager option to use custom websites, Configuration Manager does not create the website in IIS. If the custom website is not already created, this procedure will fail. For more information, see How to Create the Custom Website in Internet Information Services (IIS). To configure a Configuration Manager site to use a custom website 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, and click Sites. 3. Select the site that will use custom websites. 4. On the Home tab, in the Properties group, click Properties. 5. In the Properties dialog box for the site, select the Ports tab. 6. Select the checkbox for Use custom web site and then click OK to close the custom website warning. 7. Click OK to save the configuration. To verify the custom website If the Active Directory schema has been extended for Configuration Manager and the site is publishing site information, you can review the sitecomp.log to verify that the site component manager successfully updated the site information published to Active Directory Domain Services. Review the custom website in the Internet Information Services Manager console.
695

Verify that the custom website is running and that the virtual directories for the site system roles have been created. If the site system roles were already installed, review the site system role setup logs to verify that they successfully uninstalled and reinstalled with the new settings. For example, if you are configuring a custom website for a site system server that hosts the management point role, review the mpsetup.log.

Configure Wake on LAN

Specify Wake on LAN settings when you want to bring computers out of a sleep state to install required software, such as software updates, applications, task sequences, and programs. If you have Configuration Manager SP1, you can supplement Wake on LAN by using the wake-up proxy client settings. However, to use wake-up proxy, you must first enable Wake on LAN for the site and specify Use wake-up packets only and the Unicast option for the Wake on LAN transmission method. This wake-up solution also supports ad-hoc connections, such as a remote desktop connection. Use the first procedure to configure a primary site for Wake on LAN. Then, to use wake-up proxy for Configuration Manager SP1, use the second procedure to configure the wake-up proxy client settings. This second procedure configures the default client settings for the wake-up proxy settings to apply to all computers in the hierarchy. If you want these settings to apply to only selected computers, create a custom device setting and assign it to a collection that contains the computers that you want to configure for wake-up proxy. For more information about how to create custom client settings, see How to Configure Client Settings in Configuration Manager Caution To avoid unexpected disruption to your network services, first evaluate wake-up proxy on an isolated and representative network infrastructure. Then use custom client settings to expand your test to a selected group of computers on several subnets. For more information about how wake-up proxy works, see the Planning How to Wake Up Clients section in the Planning for Communications in Configuration Manager topic. To configure Wake on LAN for a site 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, click Sites, and then click the primary site to configure. 3. On the Home tab, in the Properties group, click Properties, and then click the Wake on LAN tab. 4. Configure options that you require for this site, and then click OK to close the properties dialog box for the site. To support wake-up proxy in Configuration Manager SP1, make sure that you select Use wake-up packets only and Unicast. Note
696

For more information about the options, see the Planning How to Wake Up Clients section in Planning for Client Communication in Configuration Manager. Repeat this procedure for all primary sites in the hierarchy. To configure wake-up proxy client settings (Configuration Manager SP1 only) 1. In the Configuration Manager console, click Administration. 2. In the Administrative workspace, click Client Settings. 3. Click Default Client Settings. 4. On the Home tab, in the Properties group, click Properties, 5. Select Power Management and then configure the following option: Enable wake-up proxy: Yes 6. Review and if necessary, configure the other wake-up proxy settings. For more information about these settings, see the Power Management section in the About Client Settings in Configuration Manager topic. Important Although there is a client setting to configure Windows Firewall for the wake-up proxy ports, Configuration Manager does not configure Windows Firewall to allow the inbound ICMP ping commands that are required for wake-up proxy. You must manually configure Windows Firewall or your alternative host-based firewall to allow this communication. For more information, see Windows Firewall and Port Settings for Client Computers in Configuration Manager. 7. Click OK to close the dialog box, and then click OK to close the Default Client Settings dialog box. You can use the following Wake On LAN reports to monitor the installation and configuration of wake-up proxy: Wake-Up Proxy Deployment State Summary Wake-Up Proxy Deployment State Details Tip To test whether wake-up proxy is working, test a connection to a sleeping computer. For example, connect to a shared folder on that computer, or trying connecting to the computer by using Remote Desktop. If you use DirectAccess, check that the IPv6 prefixes work by trying the same tests for a sleeping computer that is currently on the Internet.

Configure Maintenance Windows

Note The information in this section also appears in How to Manage Collections in Configuration Manager.
697

Maintenance windows in Configuration Manager provide a means by which administrative users can define a time period when members of a device collection can be updated by various Configuration Manager operations. You can use maintenance windows to help ensure that client configuration changes occur during periods which will not affect the productivity of the organization. The following Configuration Manager operations support maintenance windows. Software deployments Software update deployments Compliance settings deployment Operating system deployments Task sequence deployments

Maintenance windows are configured for a collection with a start date, a start and finish time, and a recurrence pattern. Each maintenance window must have a duration of less than 24 hours. Computer restarts caused by a deployment are by default, not allowed outside of a maintenance window, but you can override this in the settings for each deployment. Maintenance windows affect only when the deployment program runs; applications configured to download and run locally can download content outside of the maintenance window. When a client computer is a member of a device collection that has a maintenance window configured, a deployment program will only run if the maximum allowed run time does not exceed the duration configured for the maintenance window. If the program fails to run, an alert will be generated and the deployment will be rerun during the next scheduled maintenance window that has time available.

Using Multiple Maintenance Windows

When a client computer is a member of multiple device collections that have configured maintenance windows, the following rules apply: If the maintenance windows do not overlap, they are treated as two independent maintenance windows. If the maintenance windows overlap, they are treated as a single maintenance window encompassing the time period covered by both maintenance windows. For example, if two maintenance windows, each an hour in duration overlap by 30 minutes, the effective duration of the maintenance window would be 90 minutes.

When a user initiates an application installation from Software Center, the application will be installed immediately, regardless of any configured maintenance. If an application deployment with a purpose of Required reaches its installation deadline during the nonbusiness hours configured by a user in Software Center and a maintenance window is not available, the installation will wait until the next time a maintenance window is available.

698

How to Configure Maintenance Windows in Configuration Manager

Use the following procedure to configure maintenance windows. To configure maintenance windows in Configuration Manager 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, click Device Collections. 3. In the Device Collections list, select the collection for which you want to configure a maintenance window. 4. In the Home tab, in the Properties group, click Properties. 5. In the Maintenance Windows tab of the <collection name> Properties dialog box, click the New icon. Note You cannot create maintenance windows for the All Systems collection. 6. In the <new> Schedule dialog box, specify a name, a schedule and a recurrence pattern for the maintenance window. 7. Click OK to close the <new> Schedule dialog box and create the new maintenance window. 8. Close the <collection name> Properties dialog box.

See Also
Configure Sites and the Hierarchy in Configuration Manager

Configuring Distribution Point Groups in Configuration Manager

Note The information in this section also appears in Configuring Content Management in Configuration Manager. Distribution point groups provide a logical grouping of distribution points and collections for content distribution. A Distribution point group is not limited to distribution points from a single site, and can contain one or more distribution points from any site in the hierarchy. When you distribute content to a distribution point group, all distribution points that are members of the distribution point group receive the content. When a new distribution point is added to a distribution point group, it receives all content that has been previously distributed to it. You can also associate collections to the distribution point group. When you distribute content, you can

699

target a collection and the distribution points that are members of all distribution point groups with an association to the collection receive the content. Important After you distribute content to a collection, and then associate the collection to a new distribution point group, you must redistribute the content to the collection before the content will be distributed to the new distribution point group. Use the following procedures to help you configure distribution point groups.

To create and configure a new distribution point group 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, click Distribution Point Groups. 3. On the Home tab, in the Create group, click Create Group. 4. Enter the name and description for the distribution point group. 5. On the Collections tab, click Add, select the collections that you want to associate with the distribution point group, and then click OK. 6. On the Members tab, click Add, select the distribution points that you want to add as members of the distribution point group, and then click OK. 7. Click OK to create the distribution point group. To add distribution points and associate collections to an existing distribution point group 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, click Distribution Point Groups, and then select the distribution point group in which you want to modify members. 3. On the Home tab, in the Properties group, click Properties. 4. On the Collections tab, click Add to select the collections that you want to associate with the distribution point group, and then click OK. 5. On the Members tab, click Add to select the distribution points that you want to add as members of the distribution point group, and then click OK. 6. Click OK to save changes to the distribution point group. To add selected distribution points to a new distribution point group 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, click Distribution Points, and then select the distribution points in which you want to add to the new distribution point group. 3. On the Home tab, in the Distribution Point group, expand Add Selected Items, and then click Add Selected Items to New Distribution Point Group.
700

4. Enter the name and description for the distribution point group. 5. On the Collections tab, click Add to select the collections that you want to associate with the distribution point group, and then click OK. 6. On the Members tab, verify that the distribution points listed should be added as members of the distribution point group. Click Add to modify the distribution points that you want to add as members of the distribution point group, and then click OK. 7. Click OK to create the distribution point group. To add selected distribution points to existing distribution point groups 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, click Distribution Points, and then select the distribution points in which you want to add to the new distribution point group. 3. On the Home tab, in the Distribution Point group, expand Add Selected Items, and then click Add Selected Items to Existing Distribution Point Groups. 4. In the Available distribution point groups, select the distribution point groups in which the selected distribution points will be added as members, and then click OK.

See Also
Configure Sites and the Hierarchy in Configuration Manager

Configuring Boundaries and Boundary Groups in Configuration Manager

Boundaries represent network locations on the intranet where Configuration Manager clients are located. Boundary groups are logical groups of boundaries that provide clients access to resources. In System Center 2012 Configuration Manager, each boundary and boundary group you configure is available throughout the hierarchy. You do not configure them for individual sites. You configure a boundary for each intranet network location that you manage, and then add that boundary to one or more boundary groups. You can configure a boundary group to identify the site that new clients should join, based upon the clients network location. You can also configure the boundary group with to identify which content servers are available for use by a client, based upon the clients network location. Use the procedures in the following sections to help you configure boundaries and boundary groups Create and Configure Boundaries for Configuration Manager Create and Configure Boundary Groups for Configuration Manager

701

Create and Configure Boundaries for Configuration Manager

When you configure boundaries in System Center 2012 Configuration Manager, they automatically receive a name that is based upon the type and scope of the boundary. You cannot modify this name. Instead, when you configure the boundary specify a description to help identify the boundary in the Configuration Manager console. After you create a boundary, you can modify its properties to do the following: Add the boundary to one or more boundary groups. Change the type or scope of the boundary. View the boundaries Site Systems tab to see which content servers (distribution points and state migration points) are associated with the boundary. Tip In addition to using the Create Boundary command to create a new boundary, you can configure Active Directory Forest Discovery to create boundaries for each IP Subnet and Active Directory Site it discovers. Use the following procedures to create and modify a boundary: To create a boundary 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Hierarchy Configuration, and click Boundaries. 3. On the Home tab, in the Create group, click Create Boundary. 4. On the General tab of the Create Boundary dialog box you can specific a Description to identify the boundary by a friendly name or reference. 5. Select a Type for this boundary: If you select IP Subnet, you must specify a Subnet ID for this boundary. Tip You can specify the Network and Subnet mask to have the Subnet ID automatically specified. When you save the boundary, only the Subnet ID value is saved. If you select Active Directory site, you must specify or Browse to an Active Directory site in the local forest of the site server. Important When you specify an Active Directory site for a boundary, the boundary includes each IP Subnet that is a member of that Active Directory site. If the configuration of the Active Directory site changes in Active Directory, the network locations included in this boundary also change. If you select IPv6 prefix, you must specify a Prefix in the IPv6 prefix format.
702

If you select IP address range, you must specify a Starting IP address and Ending IP address that includes part of an IP Subnet or includes multiple IP Subnets.

6. Click OK to save the new boundary. To configure a boundary 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Hierarchy Configuration, and click Boundaries. 3. Select the boundary you want to modify. 4. On the Home tab, in the Properties group, click Properties. 5. In the Properties dialog box for the boundary, select the General tab to edit the Description or Type for the boundary. You can also change the scope of a boundary by editing the network locations for the boundary. For example, for an Active Directory site boundary you can specify a new Active Directory site name. 6. Select the Site Systems tab to view the site systems that are associated with this boundary. You cannot change this configuration from the properties of a boundary. Tip For a site system server to be listed as a site system for a boundary, the site system server must be specified as a content location for at least one boundary group that includes this boundary. Content location is configured on the References tab of a boundary group. 7. Select the Boundary Groups tab to modify the boundary group membership for this boundary: To add this boundary to one or more boundary groups, click Add, select the check box for one or more boundary groups, and then click OK. To remove this boundary from a boundary group, select the boundary group and click Remove.

8. Click OK to close the boundary properties and save the configuration.

Create and Configure Boundary Groups for Configuration Manager

When you configure boundary groups, you add one or more boundaries to the boundary group, and then configure optional settings for use by clients located on those boundaries. The configurations are for site assignment and content location for clients when they are on the intranet. Note Clients that are on the Internet or configured as Internet-only clients do not use boundaries and boundary groups. These clients cannot use automatic site assignment

703

when they are on the Internet and will download content from any distribution point in their assigned site that allows client connections from the Internet.
Configuration Details

Site assignment

Site assignment is used by clients that use automatic site assignment to find an appropriate site to join, based on the clients current network location. After a client assigns to a site, the client will not change that site assignment. For example, if the client roams to a new network location that is represented by a boundary in a boundary group with a different site assignment, the clients assigned site will remain unchanged. When Active Directory System Discovery discovers a new resource, network information for the discovered resource is evaluated against the boundaries in boundary groups. This process associates the new resource with an assigned site for use by the client push installation method.

Content location

Content location is used by clients to identify available distribution points or state migration points, based upon the clients current network location

When you configure boundary groups for site assignment, ensure that each boundary in a boundary group is not a member of another boundary group with a different site assignment. Boundaries that are associated with more than one assigned site are called overlapping boundaries. Overlapping boundaries are not supported for site assignment. However, overlapping boundaries are supported for content location. Overlapping boundaries for site assignment can prevent clients from joining the site you expect. Overlapping boundaries for content location can provide clients access to content from multiple content sources. Note To help avoid overlapping boundaries for site assignment, consider using of one set of boundary groups for site assignment, and a second set of boundary groups for content location. To create a boundary group
704

1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Hierarchy Configuration, and click Boundary Groups. 3. On the Home tab, in the Create group, click Create Boundary Group. 4. In the Create Boundary Group dialog box, select the General tab and specify a Name for this boundary group. 5. Click OK to save the new boundary group. To configure a boundary group 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Hierarchy Configuration, and click Boundary Groups. 3. Select the boundary group you want to modify. 4. On the Home tab, in the Properties group, click Properties. 5. In the Properties dialog box for the boundary group, select the General tab to modify the boundaries that are members of this boundary group: To add boundaries, click Add, select the check box for one or more boundaries, and click OK. To remove boundaries, select the boundary and click Remove.

6. Select the References tab to modify the site assignment and content location configuration: To enable this boundary group for use by clients for site assignment, select the check box for Use this boundary group for site assignment , and then select a site from the Assigned site dropdown box. To configure content location settings for this boundary group:

a. Click Add, and then select the check box for one or more servers. The servers are added as content location servers for this boundary group. Only servers that have a distribution point or state migration point installed on them are available. Note You can select any combination of distribution points and state migration points from any site in the hierarchy. Selected site systems are listed on the Site Systems tab in the properties of each boundary that is a member of this boundary group. b. To remove a server as a content location from this boundary group, select the server and then click Remove. Note To stop use of this boundary group for content location you must remove all servers listed as site system servers for content location. c. To change the network connection speed for a content location site system server for this boundary group, select the server and then click Change Connection.
705

Note By default, the connection speed for each site system is Fast, but can be changed to Slow. The network connection speed and the configuration of a deployment determine whether a client can download content from the server. 7. Click OK to close the boundary group properties and save the configuration. To associate a content deployment server with a boundary group 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Hierarchy, and click Boundary Groups. 3. Select the boundary group you want to modify. 4. On the Home tab, in the Properties group, click Properties. 5. In the Properties dialog box for the boundary group, select the References tab. 6. Under Content location click Add, select the check box for the site system servers you want to associate with this boundary group, and then click OK. Note Only site system servers that have installed a distribution point or state migration point are available. 7. Click OK to close the dialog box and save the boundary group configuration. To configure a fallback site for automatic site assignment 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration and select Sites. 3. On the Home tab, in the Sites group, click Hierarchy Settings. 4. On the General tab, select the checkbox for Use a fallback site, and then select a site from the Fallback site drop-down list. 5. Click OK to save the configuration.

See Also
Configure Sites and the Hierarchy in Configuration Manager

Configuring Alerts in Configuration Manager

Alerts in System Center 2012 Configuration Manager are generated by some operations when a specific condition occurs. Typically, alerts are generated when an error occurs that you must resolve. Additionally, an alert might be generated to warn you that a condition exists so that you can continue to monitor the situation. You can configure alerts for some Configuration Manager
706

operations, such as Endpoint Protection and client status, whereas some alerts are configured automatically. Additionally, you can configure subscriptions to alerts for client status and Endpoint Protection that will be emailed to you. Note In Configuration Manager with no service pack, you could only configure email subscriptions for Endpoint Protection alerts. Beginning with System Center 2012 Configuration Manager SP1, you can configure email subscriptions to all alerts generated by Configuration Manager. Use the following table to find information about how to configure alerts and alert subscriptions in Configuration Manager:
Action More Information

Configure Endpoint Protection alerts for a collection Configure client status alerts for a collection

See the topic How to Configure Alerts for Endpoint Protection in Configuration Manager. See the section To Configure Alerts for Client Status in the topic How to Configure Client Status in Configuration Manager. See the section Management Tasks for Alerts in this topic. See the section How to Configure Email Subscriptions for Alerts in this topic.

Manage Configuration Manager alerts

Configure email subscriptions to alerts

For information about how you can monitor the alerts that are generated by Configuration Manager, see the Monitor Alerts in Configuration Manager section in the Monitor Configuration Manager Sites and Hierarchy topic.

Management Tasks for Alerts

Use the information in this section to help you manage alerts in Configuration Manager. To manage alerts 1. In the Monitoring workspace, click Alerts and then select a management task. Use the following table for more information about the management tasks that might require some information before you select them.
Management task Details

Configure

Opens the <alert name> Properties dialog box where you can modify the name, severity, and thresholds for the selected
707

alert. If you change the severity of the alert, this configuration affects how the alerts are displayed in the Configuration Manager console. Edit Comment Enter a comment for the selected alerts. These comments display with the alert in the Configuration Manager console. Suspends the monitoring of the alert until the specified date is reached. At that time, the state of the alert is updated. You can only postpone an alert when it is enabled. Create subscription Opens the New Subscription dialog box where you can create an email subscription to the selected alert. Note Prior to Configuration Manager SP1, you can create email subscriptions only for Endpoint Protection and client status alerts.

Postpone

How to Configure Email Subscriptions for Alerts

Use the procedures in this section to help you configure email subscriptions to alerts in Configuration Manager. Important In Configuration Manager with no service pack, you can only configure email subscriptions for Endpoint Protection alerts. To configure email notification settings in Configuration Manager with no service pack 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, and then click Sites. 3. On the Home tab, in the Settings group, click Configure Site Components and then click Email Notification. 4. In the Email Notification Component Properties dialog box, specify the following information: Enable email notification for Endpoint Protection alerts : Select this check box to enable Configuration Manager to use an SMTP server to send email alerts.
708

FQDN or IP Address of the SMTP server to send email alerts: Enter the fully qualified domain name (FQDN) or IP address and the SMTP port for the email server that you want to use for these alerts. Endpoint Protection SMTP Server Connection Account : Specify the authentication method for Configuration Manager to use to connect the email server. Sender address for email alerts: Specify the email address from which alert emails are sent. Test SMTP Server: Sends a test email to the email address specified in Sender address for email alerts.

5. Click OK to save the settings and to close the Email Settings Component Properties dialog box. To configure email notification settings in Configuration Manager SP1 1. In the Configuration Manager console, click Monitoring. 2. In the Monitoring workspace, expand Alerts, and then click Subscriptions. 3. On the Home tab, in the Create group, click Configure Email Notification. 4. In the Email Notification Component Properties dialog box, specify the following information: Enable email notification for alerts: Select this check box to enable Configuration Manager to use an SMTP server to send email alerts. FQDN or IP Address of the SMTP server to send email alerts: Enter the fully qualified domain name (FQDN) or IP address and the SMTP port for the email server that you want to use for these alerts. SMTP Server Connection Account: Specify the authentication method for Configuration Manager to use to connect the email server. Sender address for email alerts: Specify the email address from which alert emails are sent. Test SMTP Server: Sends a test email to the email address specified in Sender address for email alerts.

5. Click OK to save the settings and to close the Email Settings Component Properties dialog box. To subscribe to alerts 1. In the Configuration Manager console, click Monitoring. 2. In the Monitoring workspace, click Alerts. 3. In the Alerts list, select an alert and then, on the Home tab, in the Subscription group, click Create subscription. 4. In the New Subscription dialog box, specify the following information: Name: Enter a name to identify the email subscription. You can use up to 255 characters. Email address: Enter the email addresses that you want the alert sent to. You can
709

separate multiple email addresses with a semicolon. Email language: In the list, specify the language for the email. 5. Click OK to close the New Subscription dialog box and to create the email subscription. Note You can delete and edit subscriptions in the Monitoring workspace when you expand the Alerts node, and then click the Subscriptions node.

See Also
Configure Sites and the Hierarchy in Configuration Manager

Configuring Site Components in Configuration Manager

You configure site components to control the behavior of site system roles at a site, and to control the sites status reporting behavior. Configurations for site system roles apply to each instance of a site system role at a particular site. These configurations must be made at each site individually, and do not apply to multiple sites.

Configure Site Components for Configuration Manager

You configure site components to control the behavior of site system roles at a site, and to control the sites status reporting behavior. Configurations for site system roles apply to each instance of a site system role at a particular site. These configurations must be made at each site individually, and do not apply to multiple sites. Use the following procedure to select the site component you will configure at a specific site. To edit the site components at a site 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, and click Sites. 3. Select the site that has the site components you will configure. 4. On the Home tab, in the Settings group, click Configure Site Components and then select the site component you want to configure.

710

Configuration Options for Site Components

Many of the configuration options for the site components are self-explanatory or display additional information in the dialog boxes. Use the following sections for more information about the settings that might require some information before you configure them:

System Health Validator Point Component Properties

Configure these configuration options only if you will install System Health Valdiator points in the site to use Network Access Protection for software updates.
Configuration Option Description

Query interval (minutes)

Specifies in minutes how often System Health Validator points retrieve and cache Configuration Manager health state references from Active Directory Domain Services. The information is retrieved with a Lightweight Directory Access Protocol (LDAP) call to a global catalog server. The lower the value, the more quickly the System Health Validator will detect changes to the Configuration Manager NAP policies; however clients are more likely to be found non-compliant even though they have all the required software updates specified in the Configuration Manager NAP policies. In this scenario, if policies on the Network Policy Server are configured to give noncompliant clients limited network access, in this scenario, clients will not have full network access until they have download their Configuration Manager NAP policies, re-evaluated their compliance, and then send a new statement of health to the System Health Validator point. This process can take a few minutes. The higher the value, the less likely clients will be found noncompliant when they have all the required software updates specified in the Configuration Manager NAP policies. In this scenario, clients will not risk having limited network access to download their Configuration Manager NAP policies and re-evaluate compliance. However, a higher value might
711

Configuration Option

Description

mean that clients are deemed compliant when they haven't evaluated compliance with the latest Configuration Manager NAP policies. A setting to reduce the likelihood of clients that have the selected software updates having limited network access, but to ensure that compliance results are based on the latest Configuration Manager NAP policies, is to configure this option to be twice the value specified for the client setting Client policy polling interval (by default, the client policy polling interval is once an hour). This setting can be between 1 and 10080 minutes, and the default value is 120 minutes. Validity period (hours) Specifies the length of time in hours for which a cached client statement of health will be accepted as compliant by System Health Validator points. If the client statement of health is older than the validity period, the System Health Validator point returns a health state of noncompliant to the Network Policy Server. In this scenario, if policies on the Network Policy Server enforce compliance, the client is forced to re-evaluate its compliance status and present a new statement of health. Therefore, a longer validity period results in quicker processing (and connecting times), but the compliance information might not be up to date. This setting can be between 1 and 168 hours, and the default value is 26 hours. Important If you change the default validity period, ensure that you configure a value that is higher than the configured NAP re-evaluation schedule client setting. If the compliance evaluation on the client occurs less frequently than the validity period, clients will be found noncompliant by the System Health
712

Configuration Option

Description

Validator point. In this scenario, remediation will instruct clients to re-evaluate their compliance and produce a current statement of health. This process might take a few minutes to complete, so if policies on the Network Policy Server are configured to limit network access for non-compliant computers, computers will not be able to access network resources on the full network during this re-evaluation time. Date created must be after (UTC) Specifies whether you want to ensure a client statement of health is created after a specified date and time (in Coordinated Universal Time). After selecting this option, select the date and time. The date and time cannot be set to a future value but must be the current or a previous date and time. Setting this option is appropriate if you have just configured a new Configuration Manager Network Access Protection (NAP) policy and it is imperative that the software update selected in the policy is included in the evaluation, regardless of the validity period. This option is not enabled by default. Designate an Active Directory forest Specifies that the site server and System Health Validator points for this site are not in the same Active Directory forest. To configure the System Health Validator Point Component for this environment, you must identify which forests the System Health Validator points reside in, identify whether trust relationships exist between them, and decide which forest will publish the Configuration Manager health state references The Active Directory forest that publishes the health state references must be extended with the Configuration Manager schema extensions, the site servers must be publishing to Active
713

Configuration Option

Description

Directory, and permissions must be set appropriately on the System Management container in Active Directory. These Active Directory dependencies might affect your decision on which forest will be used to publish the Configuration Manager health state references. The following scenarios identify four basic configurations when Network Access Protection in Configuration Manager spans multiple Active Directory forests. Use these scenarios to help you decide which Active Directory forest will publish the health state references. Site servers reside in one Active Directory forest, and all System Health Validator points reside in another Active Directory forest. Configuration Manager health state references are published to the forest that contains the site servers. Choose this option if you can extend Active Directory Domain Services for Configuration Manager, and if the System Health Validator points reside in a perimeter network Site servers reside in one Active Directory forest, and all System Health Validator points reside in another Active Directory forest. Configuration Manager health state references are published to the forest that contains the System Health Validator points. Choose this option if you cannot extend Active Directory Domain Services for Configuration Manager, but you can extend the schema of the second forest. Site servers reside in one Active Directory forest, and all System Health Validator points reside in another Active Directory forest. Configuration Manager health state references are published to a third Active Directory forest that has trust relationships with the other two forests (either a forest trust or external domain trusts). Choose this option if you cannot extend Active
714

Configuration Option

Description

Directory Domain Services for either forest, but you can extend the schema of a new or existing forest. Site servers reside in one Active Directory forest, and all System Health Validator points reside in another Active Directory forest. Configuration Manager health state references are published to a third Active Directory forest that has no trust relationships with the other two forests (neither a forest trust nor external domain trusts). Choose this option if you cannot extend Active Directory Domain Services for either forest, but you can extend the schema of a new or existing forest that cannot have any trust relationships with the other two forests.

Health state reference publishing account

Specifies a Microsoft Windows user account in the designated Active Directory forest if any of the following apply: The designated forest is not the same forest as the site server. There is no trust relationship between the site server's domain and the Domain suffix. There is a trust relationship between the site server's domain and the Domain suffix, but Full Control permission has not be granted to the System Management Active Directory container for the site server's computer account.

Health state reference querying account

Specifies a Windows user account in the designated Active Directory forest if any of the following apply: The designated forest is not the same forest as the System Health Validator points. There is no trust relationship between the System Health Validator points and the Domain suffix.

715

Software Distribution Component Properties

Configuration Option Description

Network Access Account

Specify a Windows user account for the Network Access Account when client computers from workgroups or non-trusted domains require access to network resources. Important The Network Access account is never used as the security context to run applications and programs, install software updates, or run task sequences. It is used only for accessing resources on the network. Although Configuration Manager client computers use the Local System account to perform most Configuration Manager client operations on the computer, the Local System account cannot access network resources. For example, the Local System account cannot authenticate a computer to distribution points, so that the computer can make a connection and download software. In these scenarios, clients from trusted domains use the <computername>$ account to access network resources. Computers that cannot use the <computername>$ for computer authentication can use a specified Windows user account for the Network Access Account. You might also have to specify a Windows user account for the Network Access Account when you deploy an operating system. This is because the computer that receives the operating system does not have a security context it can use to access content on the network. Note When you specify a Windows user account, configure it to have the minimum appropriate permissions on
716

Configuration Option

Description

the content that it must access to download the software. The account must have Access this computer from the network user right on the distribution point or other server that holds the package content. Do not grant this account the interactive logon user right or the user right to join computers to the domain. If you must join computers to the domain during a task sequence, use the Task Sequence Editor Domain Joining Account.

Software Update Point Component Properties

For more information about the configuration options for the software update point component, see Configuring Software Updates in Configuration Manager.

Management Point Component Properties

Configuration Option Description

Management points

Specifies the management points in the Configuration Manager site to publish to Active Directory Domain Services. Configuration Manager clients use management points for service location: to find site information such as boundary group membership and PKI certificate selection options; and to find other management points in the site and distribution points from which to download software. Clients also use management points to complete site assignment and download client policy and upload their client information. Because the most secure method for clients to find management points is to publish them in Active Directory Domain Services, you will typically always select all functioning
717

Configuration Option

Description

management points to publish to Active Directory Domain Services. However, this service location method requires that the schema is extended for Configuration Manager, there is a System Management container with appropriate security permissions for the site server to publish to this container, that the Configuration Manager site is configured to publish to Active Directory Domain Services, and that clients belong to the same Active Directory forest as the site servers forest. When clients on the intranet cannot use Active Directory Domain Services to find management points, use DNS publishing. Publish selected intranet management points in DNS Specify this option when clients on the intranet cannot find management points from Active Directory Domain Services, but they can use a DNS service location resource record (SRV RR) to find a management point in their assigned site. For Configuration Manager to publish intranet management points to DNS, all the following conditions must be met: Your DNS servers have a version of BIND that is 8.1.2 or later. Your DNS servers are configured for automatic updates and support service location resource records. The specified FQDNs for the management points in Configuration Manager have host entries (A or AAA records) in DNS. Warning For clients to find management points that are published in DNS, you must assign the clients to a specific site (rather than use automatic-site assignment) and configure these clients to use the site code with the domain suffix of their management point. For more information, see How to
718

Configuration Option

Description

Configure Client Computers to Find Management Points by using DNS Publishing in Configuration Manager. If Configuration Manager clients cannot use Active Directory Domain Services or DNS to find management points on the intranet, they fall back to using WINS. The first management point that is installed for the site is automatically published to WINS when it is configured to accept HTTP client connections on the intranet.

Out of Band Management Point Component Properties

Important You cannot save configuration options for the out of band management component unless the site has at least one enrollment point installed. For more information about the configuration options for the out of band management point component, see Configuring the Out of Band Management Component.

Collection Membership Evaluation

Note For Configuration Manager SP1 only: Use this task to change how often collection membership is incrementally evaluated. Incremental evaluation updates a collection membership with only new or changed resources. In Configuration Manager with no service pack, you configure collection membership evaluation as a site maintenance task. For information, see the section Planning for Maintenance Tasks for Configuration Manager section in the Planning for Site Operations in Configuration Manager topic.

See Also
Configure Sites and the Hierarchy in Configuration Manager

719

Install and Configure Site System Roles for Configuration Manager

You can install one or more optional site system roles at each System Center 2012 Configuration Manager site to extend the management functionality of the site. You can specify a new server as a site system server and add the site system roles, or install the site system roles to an existing site system server in the site. Tip When a site system server is a computer other than the site server, it is referred to as a remote site system because it is remote from the site server in the site. Similarly, any site system role on that server is referred to as remote. For example, a remote distribution point is a site system server on a computer other than the site server, and which has installed on it the distribution point role. Note When you install a site system role on a remote computer (including an instance of the SMS Provider), the computer account of the remote computer is added to a local group on the site server. When the site is installed on a domain controller, the group on the site server is a domain group instead of a local group, and the remote site system role is not operational until either the site system role computer restarts, or the Kerberos ticket for the remote computers account is refreshed. Use one of the following wizards to install new site system roles: Add Site System Roles Wizard: Use this wizard to add site system roles to an existing site system server in the site. Create Site System Server Wizard: Use this wizard to specify a new server as a site system server, and then install one or more site system roles on the server. This wizard is the same as the Add Site System Roles Wizard, except that on the first page, you must specify the name of the server to use and the site in which you want to install it. Note Configuration Manager does not support site system roles for multiple sites on a single site system server. By default, when Configuration Manager installs a site system role, the installation files are installed on the first available NTFS formatted disk drive that has the most available free disk space. To prevent Configuration Manager from installing on specific drives, create an empty file named no_sms_on_drive.sms and copy it to the root folder of the drive before you install the site system server. Use the following sections to help you install and configure site system roles for System Center 2012 Configuration Manager: Install Site System Roles To install site system roles on an existing site system server
720

To install site system roles on a new site system server Configure Windows Azure and Install Cloud-Based Distribution Points Configure Name Resolution for Cloud-Based Distribution Points Configure Proxy Settings for Primary Sites that Manage Cloud Services Application Catalog Website Point Application Catalog Web Service Point Distribution Point Enrollment Point Enrollment Proxy Point Fallback Status Point Out of Band Service Point

Install Cloud-Based Distribution Points in Windows Azure

Configuration Options for Site System Roles

Configure the Proxy Server for Site System Servers Note For planning information, such as where to install site system roles in the hierarchy, see Planning for Site Systems in Configuration Manager.

Install Site System Roles

How you install a site system role depends on whether you add the site system role to an existing site system server or install a new site system server for the site system role. Use one of the following procedures. Note Configuration Manager lists the site system roles that are available for you to install. This list depends on your hierarchy configuration and whether you have already installed an instance of the site system role. For more information about the available placement of site system roles, see the Planning Where to Install Sites System Roles in the Hierarchy section in the Planning for Site Systems in Configuration Manager topic. To install site system roles on an existing site system server 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, click Servers and Site System Roles, and then select the server that you want to use for the new site system roles. 3. On the Home tab, in the Server group, click Add Site System Roles. 4. On the General page, review the settings, and then click Next. Tip To access the site system role from the Internet, ensure that you specify an
721

Internet FQDN. 5. For Configuration Manager SP1 only: On the Proxy page, specify settings for a proxy server if site system roles that run on this site system server require a proxy server to connect to locations on the Internet, and then click Next. 6. On the System Role Selection page, select the site system roles that you want to add, and then click Next. 7. Complete the wizard. Tip The Windows PowerShell cmdlet, New-CMSiteSystemServer, performs the same function as this procedure. For more information, see New-CMSiteSystemServer in the System Center 2012 Configuration Manager SP1 Cmdlet Reference documentation. To install site system roles on a new site system server 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, and click Servers and Site System Roles. 3. On the Home tab, in the Create group, click Create Site System Server. 4. On the General page, specify the general settings for the site system, and then click Next. Tip To access the new site system role from the Internet, ensure that you specify an Internet FQDN. 5. For Configuration Manager SP1 only: On the Proxy page, specify settings for a proxy server if site system roles that run on this site system server require a proxy server to connect to locations on the Internet, and then click Next. 6. On the System Role Selection page, select the site system roles that you want to add, and then click Next. 7. Complete the wizard. Tip The Windows PowerShell cmdlet, New-CMSiteSystemServer, performs the same function as this procedure. For more information, see New-CMSiteSystemServer in the System Center 2012 Configuration Manager SP1 Cmdlet Reference documentation.

722

Install Cloud-Based Distribution Points in Windows Azure

Note For Configuration Manager SP1 only: Before you install a cloud-based distribution point, make sure that you have the required certificate files: A Windows Azure management certificate that is exported to a .cer file and to a .pfx file. A Configuration Manager cloud-based distribution point service certificate that is exported to a .pfx file.

For more information about these certificates, see the section for cloud-based distribution points in the PKI Certificate Requirements for Configuration Manager topic. For an example deployment of the cloud-based distribution point service certificate, see the Deploying the Custom Web Server Certificate for Cloud-Based Distribution Points in the Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority topic. After you install the cloud-based distribution point, Windows Azure automatically generates a GUID for the service and appends this to the DNS suffix of cloudapp.net. Using this GUID, you must configure DNS with a DNS alias (CNAME record) to map the service name that you define in the Configuration Manager cloud-based distribution point service certificate to the automatically generated GUID. If you use a proxy web server, you might have to configure proxy settings to enable communication with the cloud service that hosts the distribution point. Use the following sections and procedures to help you install a cloud-based distribution point.

Configure Windows Azure and Install Cloud-Based Distribution Points

Use the following procedures to configure Windows Azure to support distribution points, and then install the cloud-based distribution point in Configuration Manager. To configure a cloud service in Windows Azure for a distribution point 1. Open a web browser to the Windows Azure Management Portal, at https://windows.azure.com, and access your Windows Azure account. 2. Click Hosted Services, Storage Accounts & CDN, and then select Management Certificates. 3. Right-click your subscription, and then select Add Certificate. 4. For Certificate file, specify the .cer file that contains the exported Windows Azure management certificate to use for this cloud service, and then click OK. The management certificate is loaded in Windows Azure, and you can now install a cloud723

based distribution point. To install a cloud-based distribution point for Configuration Manager 1. Complete the steps in the preceding procedure to configure a cloud service in Windows Azure with a management certificate. 2. In the Administration workspace of the Configuration Manager console, expand Hierarchy Configurations, expand Cloud, and then click Create Cloud Distribution Point. 3. On the General page of the Create Cloud Distribution Point Wizard, configure the following: Specify the Subscription ID for your Windows Azure account. Tip You can find your Windows Azure subscription ID in the Windows Azure Management Portal. Click Browse to specify the .pfx file that contains the exported Windows Azure management certificate, and then enter the password for the certificate.

4. Click Next, and Configuration Manager connects to Windows Azure to validate the management certificate. 5. On the Settings page, complete the following configurations, and then click Next: For Region, select the Windows Azure region where you want to create the cloud service that hosts this distribution point. For Certificate file, specify the .pfx file that contains the exported Configuration Manager cloud-based distribution point service certificate, and then enter the password. Note The Service FQDN box is automatically populated from the certificate Subject Name and in most cases, you do not have to edit it. The exception is if you are using a wildcard certificate in a testing environment, where the host name is not specified so that multiple computers that have the same DNS suffix can use the certificate. In this scenario, the certificate Subject contains a value similar to CN=*.contoso.com and Configuration Manager displays a message that you must specify the correct FQDN. Click OK to close the message, and then enter a specific name before the DNS suffix to provide a complete FQDN. For example, you might add clouddp1 to specify the complete service FQDN of clouddp1.contoso.com. Wildcard certificates are supported for testing environments only. 6. On the Alerts page, configure storage quotas, transfer quotas, and at what percentage of these quotas you want Configuration Manager to generate alerts, and then click Next. 7. Complete the wizard. The wizard creates a new hosted service for the cloud-based distribution point. After you
724

close the wizard, you can monitor the installation progress of the cloud-based distribution point in the Configuration Manager console, or by monitoring the CloudMgr.log file on the primary site server. You can also monitor the provisioning of the cloud service in the Windows Azure Management Portal. Note It can take up to 30 minutes to provision a new distribution point in Windows Azure. The following message is repeated in the CloudMgr.log file until the storage account is provisioned: Waiting for check if container exists. Will check again in 10 seconds. Then, the service is created and configured. You can identify that the cloud-based distribution point installation is completed by using the following methods: In the Windows Azure Management Portal, the Deployment for the cloud-based distribution point displays a status of Ready. In the Administration workspace, Hierarchy Configuration, Cloud node of the Configuration Manager console, the cloud-based distribution point displays a status of Ready. Configuration Manager displays a status message ID 9409 for the SMS_CLOUD_SERVICES_MANAGER component.

Configure Name Resolution for Cloud-Based Distribution Points

Before clients can access the cloud-based distribution point, they must be able to resolve the name of the cloud-based distribution point to an IP address that Windows Azure manages. Clients do this in two stages: 1. They map the service name that you provided with the Configuration Manager cloud-based distribution point service certificate to your Windows Azure service FQDN. This FQDN contains a GUID and the DNS suffix of cloudapp.net. The GUID is automatically generated after you install the cloud-based distribution point. You can see the full FQDN in the Windows Azure Management Portal, by referencing the SITE URL in the quick glance section of the dashboard. An example site URL is http://d1594d4527614a09b934d470.cloudapp.net . 2. They resolve the Windows Azure service FQDN to the IP address that Windows Azure allocates. This IP address can also be identified in the same section of the Windows Azure portal, in the PUBLIC VIRTUAL IP ADDRESS (VIP) section. To map the service name that you provided with the Configuration Manager cloud-based distribution point service certificate (for example, clouddp1.contoso.com) to your Windows Azure service FQDN (for example, d1594d4527614a09b934d470.cloudapp.net), DNS servers on the Internet must have a DNS alias (CNAME record). Clients can then resolve the Windows Azure service FQDN to the IP address by using DNS servers on the Internet.

725

Configure Proxy Settings for Primary Sites that Manage Cloud Services
When you use cloud services with Configuration Manager, the primary site that manages the cloud-based distribution point must be able to connect to the Windows Azure Management Portal by using the System account of the primary site computer. This connection is made by using the default web browser on the primary site server computer. On the primary site server that manages the cloud-based distribution point, you might have to configure the proxy settings to enable the primary site to access the Internet and Windows Azure. Use the following procedure to configure the proxy settings for the primary site server in the Configuration Manager console. Tip You can also configure the proxy server when you install new site system roles on the primary site server by using the Add Site System Roles Wizard. To configure proxy settings for the primary site server 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, click Servers and Site System Roles, and then select the primary site server that manages the cloud-based distribution point. 3. In the details pane, right-click Site system, and then click Properties. 4. In Site system Properties, select the Proxy tab, and then configure the proxy settings for this primary site server. 5. Click OK to save the new proxy server configuration.

Configuration Options for Site System Roles

Many of the configuration options for the site system roles are self-explanatory or display additional information in the wizard or dialog boxes. Use the following tables for the settings that might require some information before you configure them.

Application Catalog Website Point

For information about how to configure the Application Catalog website point for the Application Catalog, see Configuring the Application Catalog and Software Center in Configuration Manager.
Configuration option Description

Client connections

Select HTTPS to connect by using the more secure setting and to determine whether clients connect from the Internet. This option requires a PKI certificate on the
726

Configuration option

Description

server for server authentication to clients and for encryption of data over Secure Socket Layer (SSL). For more information about the certificate requirements, see PKI Certificate Requirements for Configuration Manager. For an example deployment of the server certificate and information about how to configure it in Internet Information Services (IIS), see the Deploying the Web Server Certificate for Site Systems that Run IIS section in the Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority topic. Add Application Catalog website to trusted sites zone This message displays the value in the default client settings whether the client setting Add Application Catalog website to Internet Explorer trusted sites zone is currently set to True or False. If you have configured this setting by using custom client settings, you must check this value yourself. If this site system is configured for a FQDN, and the website is not in the trusted sites zone in Internet Explorer, users are prompted for credentials when they connect to the Application Catalog. Organization name Type the name that users see in the Application Catalog. This branding information helps users to identify this website as a trusted source.

Application Catalog Web Service Point

For information about how to configure the Application Catalog web service point for the Application Catalog, see Configuring the Application Catalog and Software Center in Configuration Manager.
Configuration option Description

HTTPS

Select HTTPS to authenticate the Application Catalog website points to this Application
727

Configuration option

Description

Catalog web service point. This option requires a PKI certificate on the servers running the Application Catalog website point for server authentication and for encryption of data over SSL. For more information about the certificate requirements, see PKI Certificate Requirements for Configuration Manager. For an example deployment of the server certificate and information about how to configure it in IIS, see the Deploying the Web Server Certificate for Site Systems that Run IIS section in the Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority topic.

Distribution Point
For information about how to configure the distribution point for content deployment, see Configuring Content Management in Configuration Manager. For information about how to configure the distribution point for PXE deployments, see How to Deploy Operating Systems by Using PXE in Configuration Manager. For information about how to configure the distribution point for multicast deployments, see How to Manage Multicast in Configuration Manager.
Configuration Description

Install and configure IIS if required by Configuration Manager

Select this option to let Configuration Manager install and configure IIS on the site system if it is not already installed. IIS must be installed on all distribution points, and you must select this setting to continue in the wizard. This certificate has two purposes: It authenticates the distribution point to a management point before the distribution point sends status messages. When Enable PXE support for clients is selected, the certificate is sent to computers that perform a PXE boot so that
728

Create a self-signed certificate or import a PKI client certificate

Configuration

Description

they can connect to a management point during the deployment of the operating system. When all your management points in the site are configured for HTTP, create a self-signed certificate. When your management points are configured for HTTPS, import a PKI client certificate. To import the certificate, browse to a PublicKey Cryptography Standards #12 (PKCS #12) file that contains a PKI certificate with the following requirements for Configuration Manager: Intended use must include client authentication. The private key must be configured to be exported. Note There are no specific requirements for the certificate Subject name or Subject Alternative Name (SAN), and you can use the same certificate for multiple distribution points. For more information about the certificate requirements, see PKI Certificate Requirements for Configuration Manager. For an example deployment of this certificate, see the Deploying the Client Certificate for Distribution Points section in the Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority topic. Enable this distribution point for prestaged content Select this check box to enable the distribution point for prestaged content. When this check box is selected, you can configure distribution behavior when you distribute content. You can choose whether you always prestage the content on the distribution point, prestage the initial content for the package, but use the normal content distribution process when there
729

Configuration

Description

are updates to the content, or always use the normal content distribution process for the content in the package. Boundary groups You can associate boundary groups to a distribution point. During content deployment, clients must be in a boundary group that is associated with the distribution point to use it as a source location for content. You can select the Allow fallback source location for content check box to allow clients outside these boundary groups to fall back and use the distribution point as a source location for content when no other distribution points are available.

Enrollment Point
Enrollment points are used to install Mac computers (Configuration Manager SP1 only), enroll mobile devices, and provision AMT-based computers. For more information, see the following: How to Install Clients on Mac Computers in Configuration Manager How to Install Clients on Mobile Devices and Enroll Them by Using Configuration Manager How to Provision and Configure AMT-Based Computers in Configuration Manager
Description

Configuration option

Allowed connections

The HTTPS setting is automatically selected and requires a PKI certificate on the server for server authentication to the enrollment proxy point and the out of band service point, and for encryption of data over SSL. For more information about the certificate requirements, see PKI Certificate Requirements for Configuration Manager. For an example deployment of the server certificate and information about how to configure it in IIS, see the Deploying the Web Server Certificate for Site Systems that Run IIS section in the Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008
730

Configuration option

Description

Certification Authority topic.

Enrollment Proxy Point

For information about how to configure an enrollment proxy point for mobile devices, see How to Install Clients on Mobile Devices and Enroll Them by Using Configuration Manager.
Configuration Option Description

Client connections

The HTTPS setting is automatically selected and requires a PKI certificate on the server for server authentication to mobile devices and Mac computers (Configuration Manager SP1) enrolled by Configuration Manager, and for encryption of data over Secure Sockets Layer (SSL). For more information about the certificate requirements, see PKI Certificate Requirements for Configuration Manager. For an example deployment of the server certificate and information about how to configure it in IIS, see the Deploying the Web Server Certificate for Site Systems that Run IIS section in the Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority topic.

Fallback Status Point

Configuration option Description

Number of state messages and Throttle interval (in seconds)

Although the default settings for these options (10,000 state messages and 3,600 seconds for the throttle interval) are sufficient for most circumstances, you might have to change them when both of the following conditions are true: The fallback status point accepts connections only from the intranet. You use the fallback status point during a client deployment rollout for many
731

Configuration option

Description

computers. In this scenario, a continuous stream of state messages might create a backlog of state messages that causes high central processing unit (CPU) usage on the site server for a sustained period of time. In addition, you might not see up-to-date information about the client deployment in the Configuration Manager console and in the client deployment reports. Note These fallback status point settings are designed to be configured for state messages that are generated during client deployment. The settings are not designed to be configured for client communication issues, such as when clients on the Internet cannot connect to their Internet-based management point. Because the fallback status point cannot apply these settings just to the state messages that are generated during client deployment, do not configure these settings when the fallback status point accepts connections from the Internet. Each computer that successfully installs the System Center 2012 Configuration Manager client sends the following four state messages to the fallback status point: Client deployment started Client deployment succeeded Client assignment started Client assignment succeeded

Computers that cannot be installed or assign the Configuration Manager client send additional state messages. For example, if you deploy the Configuration Manager client to 20,000 computers, the deployment might create 80,000 state messages sent to the fallback status point.
732

Configuration option

Description

Because the default throttling configuration allows for 10,000 state messages to be sent to the fallback status point each 3600 seconds (1 hour), state messages might become backlogged on the fallback status point because of the throttling configuration. You must also consider the available network bandwidth between the fallback status point and the site server, and the processing power of the site server to process many state messages. To help prevent these issues, consider increasing the number of state messages and decreasing the throttle interval. Reset the throttle values for the fallback status point if either of the following conditions is true: You calculate that the current throttle values are higher than required to process state messages from the fallback status point. You find that the current throttle settings create high CPU usage on the site server. Warning Do not change the settings for the fallback status point throttle settings unless you understand the consequences. For example, when you increase the throttle settings to high, the CPU usage on the site server can increase to high, which slows down all site operations.

Out of Band Service Point

The default settings for the out of band service point are sufficient for most circumstances. Change them only if you have to control the CPU usage for the out of band service point and the network bandwidth when Intel AMT-based computers are configured for scheduled wake-up activities and for power-on commands. For information about how to configure an out of band service point for AMT-based computers, see How to Provision and Configure AMT-Based Computers in Configuration Manager.
733

Configuration option

Description

Retries

Specify the number of times a power-on command is sent to a destination computer. After a power-on command is sent to all destination computers, the transmission is paused for the Delay period. If this retry value is greater than 1, a second power-on command is sent to the same computers, and the process is repeated until the retry value is reached. The second and subsequent power-on commands are sent only if the destination computer did not respond. Unlike wake-up packets, power-on commands create an established session with the destination computer. Therefore, retries are less likely to be necessary. However, retries might be necessary if the site transmits many packets (for example, also sending wake-up packets), and the power-on commands cannot reach a destination computer because of the high network bandwidth consumption. The default setting is 3 retries. Values can range from 05.

Delay (minutes)

The time in minutes that power-on commands pause between retries. The default setting is 2 minutes. Values can range from 130 minutes.

Transmission threads

The number of threads that the out of band service point uses when it sends power-on commands. When you increase the number of threads, you are more likely to make full use of the available network bandwidth, especially when the out of band service point site system server computer has multiple cores or processors. However, when you increase the number of threads, the increased thread count might also produce a significant increase in CPU usage. The default setting is 60 transmission threads.
734

Configuration option

Description

Values can range from 1120 threads. Transmission offset The time in minutes that a power-on command is sent before a scheduled activity that is enabled for wake-up packets. Set a value that gives sufficient time before the scheduled activity so that computers have completed startup, but not so much time that the computer returns to a sleep state before the scheduled activity. The default setting is 10 minutes. Values can range from 1480 minutes.

Configure the Proxy Server for Site System Servers

You can configure a site system server to use a proxy server for connections to the Internet that site system roles that run on that computer make. For information about the site system roles that can use the proxy server configuration, see the Planning for Proxy Servers Configurations for Site System Roles section in the Planning for Site Systems in Configuration Manager topic. Use the following procedure to edit the proxy server configuration of a site system server. To configure the proxy server for a site system server 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, and then click Servers and Site System Roles. 3. Select the site system server that you want to edit, and then in the details pane, rightclick Site system, and then click Properties. Tip You cannot configure the proxy server on a cloud-based distribution point in Windows Azure. Instead, you configure the proxy server on the primary site that manages the cloud-based distribution point. 4. In Site system Properties, select the Proxy tab, and then configure the proxy settings for this primary site server. 5. Click OK to save the new proxy server configuration.

735

See Also
Configuring Sites and Hierarchies in Configuration Manager

Configure Database Replicas for Management Points

You can configure System Center 2012 Configuration Manager management points in a primary site to use a replica of the site database. Management points at secondary sites do not support database replicas. At each primary site, you can configure one or more computers that run SQL Server to host a database replica, and more than one management point at that site can use the same database replica. When a management point uses a database replica, that management point requests data from the SQL Server computer that hosts the database replica. Because requests are made to the database replica server and replace direct requests to the site database server, this configuration can help reduce the CPU processing requirements on the site database server when there are large numbers of clients that make frequent requests for client policy. When you use a database replica, regularly monitor the site database server and each database replica server to ensure that replication occurs between them, and that the performance of the database replica server is sufficient for the site and client performance that you require. Use the following sections to help you configure and manage database replicas: Configurations for Using a Database Replica Operations for Using Database Replicas Uninstalling a Database Replica Uninstalling the Site Server Moving the Site Server Database

Configurations for Using a Database Replica

To use a database replica, all the following configurations are required: SQL Server on the site database server and on the database replica server must have the SQL Server replication installed. The site database must publish the database replica. Each remote SQL Server computer that will host a database replica must subscribe to the published database replica. You must configure each management point that will use the database replica to communicate with the database replica server and database replica. Each SQL Server computer that will host a database replica must have a self-signed certificate for management points to use on remote computers to communicate with the database replica server.
736

You must configure the SQL Server in use for the site database and each database replica to support a Max Text Repl Size of 2 gb. For an example of how to configure this for SQL Server 2012, see Configure the max text repl size Server Configuration Option. Configuring the Site Database Server to Publish the Database Replica Configuring the Database Replica Server Configure Management Points to Use the Database Replica Configure a Self-Signed Certificate for the Database Replica Server Configure the SQL Server Service Broker for the Database Replica Server

To configure a database replica, you must complete the procedures in the following sections:

With Configuration Manager SP1, you must also complete the procedure in the following section:

Configuring the Site Database Server to Publish the Database Replica

Use the following procedure as an example of how to configure the site database server on a Windows Server 2008 R2 computer to publish the database replica. If you have a different operating system version, refer to your operating system documentation and adjust the steps in this procedure as necessary. To configure the site database server 1. On the site database server, set the SQL Server Agent to automatically start. 2. On the site database server, create a local user group with the name ConfigMgr_MPReplicaAccess. You must add the computer account for each database replica server that you use at this site to this group to enable those database replica servers to synchronize with the published database replica. 3. On the site database server, configure a file share with the name ConfigMgr_MPReplica. 4. Add the following permissions to the ConfigMgr_MPReplica share: Note If the SQL Server Agent uses an account other than the local system account, replace SYSTEM with that account name in the following list. Share Permissions: SYSTEM: Write ConfigMgr_MPReplicaAccess: Read SYSTEM: Full Control ConfigMgr_MPReplicaAccess: Read, Read & execute, List folder contents

NTFS Permissions:

5. Use SQL Server Management Studio to connect to the site database and run the following stored procedure as a query: spCreateMPReplicaPublication
737

When the stored procedure completes, the site database server is configured to publish the database replica.

Configuring the Database Replica Server

The database replica server is a computer that runs SQL Server and that hosts a replica of the site database for management points to use. On a fixed schedule, the database replica server synchronizes its copy of the database with the database replica that is published by the site database server. The database replica server must meet the same requirements as the site database server. However, the database replica server can run a different edition or version of SQL Server than the site database server uses. For information about the supported versions of SQL Server, see the Configurations for the SQL Server Site Database section in the Supported Configurations for Configuration Manager topic. Important The SQL Server Service on the computer that hosts the replica database must run as the System account. Use the following procedure as an example of how to configure a database replica server on a Windows Server 2008 R2 computer. If you have a different operating system version, refer to your operating system documentation and adjust the steps in this procedure as necessary. To configure the database replica server 1. On the database replica server, set the SQL Server Agent to automatic startup. 2. On the database replica server, use SQL Server Management Studio to connect to the local server, browse to the Replication folder, click Local Subscriptions, and select New Subscriptions to start the New Subscription Wizard: a. On the Publication page, in the Publisher list box, select Find SQL Server Publisher, enter the name of the sites database server, and then click Connect. b. Select ConfigMgr_MPReplica, and then click Next. c. On the Distribution Agent Location page, select Run each agent at its Subscriber (pull subscriptions), and click Next. Select an existing database from the database replica server to use for the database replica, and then click OK. Select New database to create a new database for the database replica. On the New Database page, specify a database name, and then click OK.

d. On the Subscribers page do one of the following:

e. Click Next to continue. f. On the Distribution Agent Security page, click the properties button (.) in the Subscriber Connection row of the dialog box, and then configure the security settings for the connection.

738

Tip The properties button, (.), is in the fourth column of the display box. Security settings: Configure the account that runs the Distribution Agent process (the process account): If the SQL Server Agent runs as local system, select Run under the SQL Server Agent service account (This is not a recommended security best practice.) If the SQL Server Agent runs by using a different account, select Run under the following Windows account, and then configure that account. You can specify a Windows account or a SQL Server account. Important You must grant the account that runs the Distribution Agent permissions to the publisher as a pull subscription. For information about configuring these permissions, see Distribution Agent Security in the SQL Server TechNet.Library. For Connect to the Distributor, select By impersonating the process account. For Connect to the Subscriber, select By impersonating the process account.

After you configure the connection security settings, click OK to save them, and then click Next. g. On the Synchronization Schedule page, in the Agent Schedule list box, select Define schedule, and then configure the New Job Schedule. Set the frequency to occur Daily, recur every 5 minute(s), and the duration to have No end date. Click Next to save the schedule, and then click Next again. h. On the Wizard Actions page, select the check box for Create the subscriptions(s), and then click Next. i. On the Complete the Wizard page, click Finish, and then click Close to complete the Wizard. On the subscriber computer: In SQL Server Management Studio, connect to the database replica server and expand Replication. Expand Local Subscriptions, right-click the subscription to the site database publication, and then select View Synchronization Status. In SQL Server Management Studio, connect to the site database computer, right-click the Replication folder, and then select Launch Replication Monitor.

3. Review the synchronization status to validate that the subscription is successful:

On the publisher computer:

4. To enable common language runtime (CLR) integration for the database replica, use
739

SQL Server Management Studio to connect to the database replica on the database replica server, and run the following stored procedure as a query: exec sp_configure 'clr enabled', 1; RECONFIGURE WITH OVERRIDE 5. For each management point that uses a database replica server, add that management points computer account to the local Administrators group on that database replica server. Tip This step is not necessary for a management point that runs on the database replica server. The database replica is now ready for a management point to use.

Configure Management Points to Use the Database Replica

You can configure a management point at a primary site to use a database replica when you install the management point role, or you can reconfigure an existing management point to use a database replica. Use the following information to configure a management point to use a database replica: To configure a new management point: On the Management Point Database page of the wizard that you use to install the management point, select Use a database replica, and specify the FQDN of the computer that hosts the database replica. Next, for ConfigMgr site database name, specify the database name of the database replica on that computer. To configure a previously installed management point: Open the properties page of the management point, select the Management Point Database tab, select Use a database replica, and then specify the FQDN of the computer that hosts the database replica. Next, for ConfigMgr site database name, specify the database name of the database replica on that computer.

In addition to configuring the management point to use the database replica server, you must enable Windows Authentication in IIS on the management point: 1. Open Internet Information Services (IIS) Manager. 2. Select the website used by the management point, and open Authentication. 3. Set Windows Authentication to Enabled, and then close Internet Information Services (IIS) Manager.

Configure a Self-Signed Certificate for the Database Replica Server

You must create a self-signed certificate on the database replica server and make this certificate available to each management point that will use that database replica server. The certificate is automatically available to a management point that is installed on the database replica server. However, to make this certificate available to remote management points, you must export the certificate and then add it to the Trusted People certificate store on the remote management point.
740

Use the following procedures as an example of how to configure the self-signed certificate on the database replica server for a Windows Server 2008 R2 computer. If you have a different operating system version, refer to your operating system documentation and adjust the steps in these procedures as necessary. To configure a self-signed certificate for the database replica server 1. On the database replica server, open a PowerShell command prompt with administrative privileges, and then run the following command: set-executionpolicy UnRestricted 2. Copy the following PowerShell script and save it as a file with the name CreateMPReplicaCert.ps1. Place a copy of this file in the root folder of the system partition of the database replica server. # Script for creating a self-signed certificate for the local machine and configuring SQL Server to use it.

Param($SQLInstance)

$ConfigMgrCertFriendlyName = "ConfigMgr SQL Server Identification Certificate"

# Get local computer name $computerName = "$env:computername"

# Get the sql server name #$key="HKLM:\SOFTWARE\Microsoft\SMS\MP" #$value="SQL Server Name" #$sqlServerName= (Get-ItemProperty $key).$value #$dbValue="Database Name" #$sqlInstance_DB_Name= (Get-ItemProperty $key).$dbValue

$sqlServerName = [System.Net.Dns]::GetHostByName("localhost").HostName $sqlInstanceName = "MSSQLSERVER" $SQLServiceName = "MSSQLSERVER"

if ($SQLInstance -ne $Null) {

741

$sqlInstanceName = $SQLInstance $SQLServiceName = "MSSQL$" + $SQLInstance }

# Delete existing cert if one exists function Get-Certificate($storename, $storelocation) { $store=new-object System.Security.Cryptography.X509Certificates.X509Store($stor ename,$storelocation) $store.Open([Security.Cryptography.X509Certificates.OpenFlags ]::ReadWrite) $store.Certificates }

$cert = Get-Certificate "My" "LocalMachine" | ?{$_.FriendlyName -eq $ConfigMgrCertFriendlyName} if($cert -is [Object]) { $store = new-object System.Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine") $store.Open([Security.Cryptography.X509Certificates.OpenFlags ]::ReadWrite) $store.Remove($cert) $store.Close()

# Remove this cert from Trusted People too... $store = new-object System.Security.Cryptography.X509Certificates.X509Store("Trus tedPeople","LocalMachine") $store.Open([Security.Cryptography.X509Certificates.OpenFlags ]::ReadWrite)
742

$store.Remove($cert) $store.Close() }

# Create the new cert $name = new-object -com "X509Enrollment.CX500DistinguishedName.1" $name.Encode("CN=" + $sqlServerName, 0)

$key = new-object -com "X509Enrollment.CX509PrivateKey.1" $key.ProviderName = "Microsoft RSA SChannel Cryptographic Provider" $key.KeySpec = 1 $key.Length = 1024 $key.SecurityDescriptor = "D:PAI(A;;0xd01f01ff;;;SY)(A;;0xd01f01ff;;;BA)(A;;0x80120089; ;;NS)" $key.MachineContext = 1 $key.Create()

$serverauthoid = new-object -com "X509Enrollment.CObjectId.1" $serverauthoid.InitializeFromValue("1.3.6.1.5.5.7.3.1") $ekuoids = new-object -com "X509Enrollment.CObjectIds.1" $ekuoids.add($serverauthoid) $ekuext = new-object -com "X509Enrollment.CX509ExtensionEnhancedKeyUsage.1" $ekuext.InitializeEncode($ekuoids)

$cert = new-object -com "X509Enrollment.CX509CertificateRequestCertificate.1" $cert.InitializeFromPrivateKey(2, $key, "") $cert.Subject = $name $cert.Issuer = $cert.Subject $cert.NotBefore = get-date $cert.NotAfter = $cert.NotBefore.AddDays(3650)
743

$cert.X509Extensions.Add($ekuext) $cert.Encode()

$enrollment = new-object -com "X509Enrollment.CX509Enrollment.1" $enrollment.InitializeFromRequest($cert) $enrollment.CertificateFriendlyName = "ConfigMgr SQL Server Identification Certificate" $certdata = $enrollment.CreateRequest(0x1) $enrollment.InstallResponse(0x2, $certdata, 0x1, "")

# Add this cert to the trusted peoples store [Byte[]]$bytes = [System.Convert]::FromBase64String($certdata)

$trustedPeople = new-object System.Security.Cryptography.X509certificates.X509Store "TrustedPeople", "LocalMachine" $trustedPeople.Open([Security.Cryptography.X509Certificates.O penFlags]::ReadWrite) $trustedPeople.Add([Security.Cryptography.X509Certificates.X5 09Certificate2]$bytes) $trustedPeople.Close()

# Get thumbprint from cert $sha = new-object System.Security.Cryptography.SHA1CryptoServiceProvider $certHash = $sha.ComputeHash($bytes) $certHashCharArray = ""; $certThumbprint = "";

# Format the bytes into hex string foreach($byte in $certHash) { $temp = ($byte | % {"{0:x}" -f $_}) -join ""
744

$temp = ($temp | % {"{0,2}" -f $_}) $certHashCharArray = $certHashCharArray+ $temp; } $certHashCharArray = $certHashCharArray.Replace(' ', '0');

# SQL needs the thumbprint in lower case foreach($char in $certHashCharArray) { [System.String]$myString = $char; $certThumbprint = $certThumbprint + $myString.ToLower(); }

# Configure SQL to use this cert $path = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL" $subKey = (Get-ItemProperty $path).$sqlInstanceName $realPath = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\" + $subKey + "\MSSQLServer\SuperSocketNetLib" $certKeyName = "Certificate" Set-ItemProperty -path $realPath -name $certKeyName -Type string -Value $certThumbprint

# restart sql service Restart-Service $SQLServiceName -Force 3. On the database replica server, run the following command that applies to the configuration of your SQL Server: For a default instance of SQL Server: Right-click the file CreateMPReplicaCert.ps1 and select Run with PowerShell. When the script runs, it creates the self-signed certificate and configures SQL Server to use the certificate. For a named instance of SQL Server: Use PowerShell to run the command %path%\CreateMPReplicaCert.ps1 xxxxxx where xxxxxx is the name of the SQL Server instance. After the script completes, verify that the SQL Server Agent is running. If not, restart the SQL Server Agent.

To configure remote management points to use the self-signed certificate of the database replica server
745

1. Perform the following steps on the database replica server to export the servers self signed certificate: a. Click Start, click Run, and type mmc.exe. In the empty console, click File, and then click Add/Remove Snap-in. b. In the Add or Remove Snap-ins dialog box, select Certificates from the list of Available snap-ins, and then click Add. c. In the Certificate snap-in dialog box, select Computer account, and then click Next.

d. In the Select Computer dialog box, ensure that Local computer: (the computer this console is running on) is selected, and then click Finish. e. In the Add or Remove Snap-ins dialog box, click OK. f. In the console, expand Certificates (Local Computer), expand Personal, and select Certificates.

g. Right-click the certificate with the friendly name of ConfigMgr SQL Server Identification Certificate, click All Tasks, and then select Export. h. Complete the Certificate Export Wizard by using the default options and save the certificate with the .cer file name extension. 2. Perform the following steps on the management point computer to add the self-signed certificate for the database replica server to the Trusted People certificate store on the management point: a. Repeat the preceding steps 1.a through 1.e to configure the Certificate snap-in MMC on the management point computer. b. In the console, expand Certificates (Local Computer), expand Trusted People, right-click Certificates, select All Tasks, and then select Import to start the Certificate Import Wizard. c. On the File to Import page, select the certificate saved in step 1.h, and then click Next.

d. On the Certificate Store page, select Place all certificates in the following store, with the Certificate store set to Trusted People, and then click Next. e. Click Finish to close the wizard and complete the certificate configuration on the management point.

Configure the SQL Server Service Broker for the Database Replica Server
For Configuration Manager SP1 only: To support client notification with a database replica for a management point, you must configure communication between the site database server and the database replica server for the SQL Server Service Broker. This requires you to configure each database with information about the other database, and to exchange certificates between the two databases for secure communication.

746

Note Before you can use the following procedure, the database replica server must successfully complete the initial synchronization with the site database server. The following procedure does not modify the Service Broker port that is configured in SQL Server for the site database server or the database replica server. Instead, this procedure configures each database to communicate with the other database by using the correct Service Broker port. Use the following procedure to configure the Service Broker for the site database server and the database replica server. To configure the service broker for a database replica 1. Use SQL Server Management Studio to connect to database replica server database, and then run the following query to enable the Service Broker on the database replica server: ALTER DATABASE <Replica Database Name> SET ENABLE_BROKER, HONOR_BROKER_PRIORITY ON WITH ROLLBACK IMMEDIATE 2. Next, on the database replica server, configure the Service Broker for client notification and export the Service Broker certificate. To do this, run a SQL Server stored procedure that configures the Service Broker and exports the certificate as a single action. When you run the stored procedure, you must specify the FQDN of the database replica server, the name of the database replicas database, and specify a location for the export of the certificate file. Run the following query to configure the required details on the database replica server, and to export the certificate for the database replica server: EXEC sp_BgbConfigSSBForReplicaDB '<Replica SQL Server FQDN>', '<Replica Database Name>', '<Certificate Backup File Path>' Note When the database replica server is not on the default instance of SQL Server, for this step you must specify the instance name in addition to the replica database name. To do so, replace <Replica Database Name> with <Instance name\Replica Database Name>. After you export the certificate from the database replica server, place a copy of the certificate on the primary sites database server. 3. Use SQL Server Management Studio to connect to the primary site database. After you connect to the primary sites database, run a query to import the certificate and specify the Service Broker port that is in use on the database replica server, the FQDN of the database replica server, and name of the database replicas database. This configures the primary sites database to use the Service Broker to communicate to the database of the database replica server. Run the following query to import the certificate from the database replica server and specify the required details: EXEC sp_BgbConfigSSBForRemoteService 'REPLICA', '<SQL Service Broker Port>', '<Certificate File Path>', '<Replica SQL Server FQDN>', '<Replica Database Name>'
747

Note When the database replica server is not on the default instance of SQL Server, for this step you must specify the instance name in addition to the replica database name. To do so, replace <Replica Database Name> with <Instance name\Replica Database Name>. 4. Next, on the site database server, run the following command to export the certificate for the site database server: EXEC sp_BgbCreateAndBackupSQLCert '<Certificate Backup File Path>' After you export the certificate from the site database server, place a copy of the certificate on the database replica server. 5. Use SQL Server Management Studio to connect to the database replica server database. After you connect to the database replica server database, run a query to import the certificate and specify the site code of the primary site and the Service Broker port that is in use on the site database server. This configures the database replica server to use the Service Broker to communicate to the database of the primary site. Run the following query to import the certificate from the site database server: EXEC sp_BgbConfigSSBForRemoteService '<Site Code>', '<SQL Service Broker Port>', '<Certificate File Path>' A few minutes after you complete the configuration of the site database and the database replica database, the notification manager at the primary site sets up the Service Broker conversation for client notification from the primary site database to the database replica.

Operations for Using Database Replicas

When you use a database replica at a site, use the information in the following sections to supplement the process of uninstalling a database replica, uninstalling a site that uses a database replica, or moving the site database to a new installation of SQL Server. When you use information in the following sections to delete publications, use the guidance for deleting transactional replication for the version of SQL Server that you use for the database replica. For example, if you use SQL Server 2008 R2, see How to: Delete a Publication (Replication Transact-SQL Programming). Note After you restore a site database that was configured for database replicas, before you can use the database replicas you must reconfigure each database replica, recreating both the publications and subscriptions.

Uninstalling a Database Replica

When you use a database replica for a management point, you might need to uninstall the database replica for a period of time, and then reconfigure it for use. For example, you must remove database replicas before you upgrade a Configuration Manager site to a new service pack. After the site upgrade completes, you can restore the database replica for use.
748

Use the following steps to uninstall a database replica. 1. In the Administration workspace of the Configuration Manager console, expand Site Configuration, then select Servers and Site System Roles, and then in the details pane select the site system server that hosts the management point that uses the database replica you will uninstall. 2. In the Site System Roles pane, right click Management point and select Properties. 3. On the Management Point Database tab, select Use the site database to configure the management point to use the site database instead of the database replica. Then, click OK to save the configuration. 4. Next, Use SQL Server Management Studio to perform the following tasks: Delete the publication for the database replica from the site server database. Delete the subscription for the database replica from the database replica server. Delete the replica database from the database replica server. Disable publishing and distribution on the site database server. To disable publishing and distribution, right-click the Replication folder and then click Disable Publishing and Distribution.

5. After you delete the publication, subscription, the replica database, and disable publishing on the site database server, the database replica is uninstalled.

Uninstalling the Site Server

Before you uninstall a site that publishes a database replica, use the following steps to clean up the publication and any subscriptions. 1. Use SQL Server Management Studio to delete the database replica publication from the site server database. 2. Use SQL Server Management Studio to delete the database replica subscription from each remote SQL Server that hosts a database replica for this site. 3. Uninstall the site.

Moving the Site Server Database

When you move the site database to a new computer, use the following steps: 1. Use SQL Server Management Studio to delete the publication for the database replica from the site server database. 2. Use SQL Server Management Studio to delete the subscription for the database replica from each database replica server for this site. 3. Move the database to the new SQL Server computer. For more information, see the Modify the Site Database Configuration section in the Manage Site and Hierarchy Configurations topic. 4. Recreate the publication for the database replica on the site database server. For more information, see Configuring the Site Database Server to Publish the Database Replica. 5. Recreate the subscriptions for the database replica on each database replica server. For more information, see Configuring the Database Replica Server.
749

See Also
Configuring Sites and Hierarchies in Configuration Manager

Migrate Data from Configuration Manager 2007 to Configuration Manager

After you have installed and configured your sites and hierarchies for Microsoft System Center 2012 Configuration Manager, you can migrate data from one or more Configuration Manager hierarchies. For more information about how to plan and configure migration, see Migrating Hierarchies in System Center 2012 Configuration Manager.

See Also
Configuring Sites and Hierarchies in Configuration Manager

Operations and Maintenance for Site Administration in Configuration Manager

After you install and configure your sites and hierarchy for System Center 2012 Configuration Manager, there are several operations that you will typically use to manage and monitor your infrastructure.

Operations and Maintenance Topics

Use the following topics to help you maintain your Configuration Manager environment. Manage Site and Hierarchy Configurations Configure the Status System for Configuration Manager Configure Maintenance Tasks for Configuration Manager Sites Monitor Configuration Manager Sites and Hierarchy Manage Cloud Services for Configuration Manager Backup and Recovery in Configuration Manager Update System Center 2012 Configuration Manager

750

Other Resources for this Product

TechNet Library main page for System Center 2012 Configuration Manager Site Administration for System Center 2012 Configuration Manager

Manage Site and Hierarchy Configurations

Use the information in the following sections to help you manage site and hierarchy configurations in Microsoft System Center 2012 Configuration Manager. Manage the SMS Provider Configuration for a Site Configure DCOM Permissions for Remote Configuration Manager Console Connections Configure the Site Database to Use a SQL Server Cluster Configure Custom Locations for the Site Database Files Modify the Site Database Configuration How to Manage the SPN for SQL Server Site Database Servers Manage Site Components with the Configuration Manager Service Manager Perform a Site Reset Manage Language Packs at Configuration Manager Sites

Manage the SMS Provider Configuration for a Site

The SMS Provider is a dynamic-link library file (smsprov.dll) that you install or uninstall by running System Center 2012 Configuration Manager Setup. At each Configuration Manager site, you can re-run Setup to change the SMS Provider configuration. To remove the last SMS Provider for a site, you must uninstall the site. You can monitor the installation or removal of the SMS Provider by viewing the ConfigMgrSetup.log in the root folder of the site server on which you run Setup. Use the following procedure to manage SMS Providers for a site. To manage the SMS Provider configuration for a site 1. Run Configuration Manager Setup from <Configuration Manager site installation folder>\BIN\X64\setup.exe. 2. On the Getting Started page, select Perform site maintenance or reset this site, and then click Next 3. On the Site Maintenance page, select Modify SMS Provider configuration, and then click Next. 4. On the Manage SMS Providers page, select one of the following options and complete the wizard by using one of the following options: To add an additional SMS Provider at this site: Select Add a new SMS Provider, specify the FQDN for a computer that will host the
751

SMS Provider and does not currently host a SMS Provider, and then click Next. To remove an SMS Provider from a server: Select Uninstall the specified SMS Provider, select the name of the computer from which you want to remove the SMS Provider, click Next, and then confirm the action. Tip To move the SMS Provider between two computers, you must install the SMS Provider to the new computer, and remove the SMS Provider from the original location. There is no dedicated option to move the SMS Provider between computers in a single process. After the Setup Wizard finishes, the SMS Provider configuration is completed. On the General tab in the site Properties dialog box, you can verify the computers that have an SMS Provider installed for a site.

Configure DCOM Permissions for Remote Configuration Manager Console Connections

The user account that runs the Configuration Manager console requires permission to access the site database by using the SMS Provider. However, an administrative user who uses a remote Configuration Manager console also requires Remote Activation DCOM permissions on the site server computer and on the SMS Provider computer. The SMS Admins group grants access to the SMS Provider and can also be used to grant the required DCOM permissions. Important The Configuration Manager console uses Windows Management Instrumentation (WMI) to connect to the SMS Provider, and WMI internally uses DCOM. Therefore, Configuration Manager requires permissions to activate a DCOM server on the SMS Provider computer if the Configuration Manager console is running on a computer other than the SMS Provider computer. By default, Remote Activation is granted only to the members of the built-in Administrators group. If you allow the SMS Admins group to have Remote Activation permission, a member of this group could attempt DCOM attacks against the SMS Provider computer. This configuration also increases the attack surface of the computer. To mitigate this threat, carefully monitor the membership of the SMS Admins group. For more information about the security risks associated with allowing remote activation, see DCOM Security Enhancements in Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1. Use the following procedure to configure each central administration site, primary site server, and each computer where the SMS Provider is installed to grant remote Configuration Manager console access for administrative users. Note
752

The following procedure applies to Windows Server 2008 R2. If you have a different operating system version, refer to the documentation for your version about how to configure DCOM permissions if you cannot use the steps in this procedure. To configure DCOM permissions for remote Configuration Manager console connections (Windows Server 2008 R2) 1. On the Start menu, click Run and type Dcomcnfg.exe. 2. In Component Services, click Console root, expand Component Services, expand Computers, and then click My Computer. On the Action menu, click Properties. 3. In the My Computer Properties dialog box, on the COM Security tab, in the Launch and Activation Permissions section, click Edit Limits. 4. In the Launch and Activation Permissions dialog box, click Add. 5. In the Select User, Computers, Service Accounts, or Groups dialog box, in the Enter the object names to select (examples) box, type SMS Admins, and then click OK. Note You might have to change the setting for From this Location to locate the SMS Admins group. This group is local to the computer when the SMS Provider runs on a member server, and is a domain local group when the SMS Provider runs on a domain controller. 6. In the Permissions for SMS Admins section, to allow remote activation, select the Remote Activation check box. 7. Click OK and click OK again, and then close Computer Management. Your computer is now configured to allow remote Configuration Manager console access to members of the SMS Admins group. Repeat this procedure on each SMS Provider computer that might support remote Configuration Manager consoles.

Configure the Site Database to Use a SQL Server Cluster

System Center 2012 Configuration Manager supports the use of a virtual Microsoft SQL Server cluster instance to host the Configuration Manager site database. Only SQL Server cluster configurations that have a single active node at a time are supported for hosting the site database. Configuring the SQL Server cluster with multiple active nodes or in a Network Load Balancing (NLB) cluster configuration is not supported. Additionally, SQL Server database mirroring technology and peer-to-peer replication are not supported. Configuration Manager Setup does not create or configure the SQL Server cluster. The clustered SQL Server environment must be configured before it can be used to host the site database. When you use a SQL Server cluster, Configuration Manager automatically checks each hour for changes to the SQL Server cluster node. Changes in the configuration of the SQL Server node that affect Configuration Manager component installation, such as a node failover or the
753

introduction of a new node to the SQL Server cluster, are automatically managed by Configuration Manager. Note When you use a clustered SQL Server instance to host the site database, the TCP/IP network communication protocol must be enabled for each SQL Server cluster node network connection. This is required to support Kerberos authentication. The named pipes communication protocol is not required, but can be used to troubleshoot Kerberos authentication issues. The network protocol settings are configured in SQL Server Configuration Manager under SQL Server Network Configuration. For a list of supported SQL Server versions, see the Configurations for the SQL Server Site Database section in the Supported Configurations for Configuration Manager topic.

Performance Considerations
Clustered SQL Server environments allow for failover support for the virtual SQL Server, and provide greater reliability for the site database. However, a site database on a clustered SQL Server configured for failover support does not provide additional processing or load balancing benefits and in fact, degradation in performance can occur. This is because the site server must find the active node of the SQL Server cluster before it connects to the site database.

SMS Provider Considerations

When you use a clustered SQL Server database to host the site database, install the SMS Provider on the site server or on a separate computer that does not host a SQL Server cluster node. It is not supported to install an instance of the SMS Provider on a SQL Server cluster or a computer that runs as a clustered SQL Server node.

How to Install Configuration Manager Using a Clustered SQL Server Instance

Use the following procedures to install the Configuration Manager site database for a central administration site or primary site, using a clustered virtual SQL Server instance during setup. Note During Configuration Manager Setup, the Volume Shadow Copy Service (VSS) writer will install on each physical computer node of the Microsoft Windows Server cluster to support the Backup Site Server maintenance task. How to Install Configuration Manager Using a Clustered SQL Server Instance 1. Create the virtual SQL Server cluster to host the site database on an existing Windows Server cluster environment. For specific steps to install and configure a SQL Server cluster, see the documentation specific to your version of SQL Server. For example, if you are using SQL Server 2008 R2, see Installing a SQL Server 2008 R2 Failover
754

Cluster. 2. On each computer in the SQL Server cluster you can place a file with the name NO_SMS_ON_DRIVE.SMS in the root folder of each drive where you do not want Configuration Manager to install site components. By default, Configuration Manager installs some components on each physical node to support operations such as backup. 3. Add the computer account of the site server to the Local Administrators group of each Windows Server cluster node computer. 4. In the virtual SQL Server instance, assign the sysadmin SQL Server role to the user account that runs Configuration Manager Setup. 5. Use Configuration Manager Setup to install the site using one of the procedures from the topic Install Sites and Create a Hierarchy for Configuration Manager, with the following alteration: a. On the Database Information page, specify the name of the clustered virtual SQL Server instance that will host the site database, in place of the name of the computer that runs SQL Server. Important During setup, you must enter the name of the virtual SQL Server cluster instance, and not the virtual Windows Server name created by the Windows Server cluster. Installing the site database using the Windows Server cluster virtual instance name will result in the site database being installed on the local hard drive of the active Windows Server cluster node, and it will prevent successful failover if that node fails. 6. Complete the remainder of the Setup Wizard normally, to install Configuration Manager using a clustered SQL Server instance. To configure Configuration Manager to use a site database on a clustered SQL Server instance 1. Create the virtual SQL Server cluster to host the site database on an existing Windows Server cluster environment. For specific steps to install and configure a SQL Server cluster, see the documentation specific to your version of SQL Server. For example, if you are using SQL Server 2008 R2, see Installing a SQL Server 2008 R2 Failover Cluster. 2. On each computer in the SQL Server cluster you can place a file with the name NO_SMS_ON_DRIVE.SMS in the root folder of each drive where you do not want Configuration Manager to install site components. By default, Configuration Manager installs some components on each physical node to support operations such as backup. 3. Add the computer account of the site server to the Local Administrators group of each Windows Server cluster node computer. 4. In the virtual SQL Server instance, assign the sysadmin SQL Server role to the user account that runs Configuration Manager Setup. 5. On the site server, start the local copy of Configuration Manager Setup and on the Getting Started page, select Perform site maintenance or reset this Site, and then
755

click Next. 6. On the Site Maintenance page, select Modify SQL Server configuration, and then click Next. 7. On the Database Information page, specify the name of the clustered virtual SQL Server instance to host the site database, and then click Next. 8. Complete the Wizard to complete the move of the database to the virtual SQL Server cluster. To verify that the site database was installed successfully 1. Verify that Configuration Manager Setup completed successfully by reviewing the ConfigMgrSetup.log file located at the root of the system drive on site server computer. 2. In SQL Server Management Studio, verify that the site database was created successfully. 3. In the SQL Server Management Studio, verify that the following Database Roles were created for the site database: smsdbrole_MP smsdbrole_siteprovider smsdbrole_siteserver Note Depending on your site configuration, additional roles might be listed. 4. Verify that the following SQL Server Database Roles for the site database have been assigned with the appropriate computer accounts: smsdbrole_MP: The computer account for each management point at the site. smsdbrole_siteprovider: The computer account for the site server and each computer that runs an instance of the SMS Provider for the site. smsdbrole_siteserver: The computer account for the site server computer. Note Depending on your site configuration, additional roles might be listed.

Configure Custom Locations for the Site Database Files

Configuration Manager supports custom locations for SQL Server database files. To use custom locations for files, you can pre-create a SQL Server database that uses non-default file locations. Next, when you install a site, direct the site to use this pre-created database. You cannot specify custom file locations during the install of a site when you specify Configuration Manager to create the site database. Also, you can change the location of the site database files after a site installs. To change the location of files after the site installs, you must stop the Configuration Manager site and then edit
756

the file location in SQL Server. Use the following procedure to change the file location of an installed site. To change the file location for a site database: 1. On the Configuration Manager site server, stop the SMS_Executive service. 2. Use the information about moving user databases for the version of SQL Server that you use. For example, if you use SQL Server 2008 R2, see Moving User Databases in the online documentation library for SQL Server 2008 R2. 3. After you complete the database file move, restart the SMS_Executive service on the Configuration Manager site server.

Modify the Site Database Configuration

After you install a site, you can modify the configuration of the site database and site database server by running Setup on a central administration site server or primary site server. It is not supported to modify the database configuration for a secondary site. Note When you modify the database configuration for a site, Configuration Manager restarts or reinstalls Configuration Manager services on the site server and remote site system servers that communicate with the database. To modify the database configuration, you must run Setup on the site server and select the option Perform site maintenance or reset this site. Next, select the Modify SQL Server configuration option. You can change the following site database configurations: The Windows-based server that hosts the database. The instance of SQL Server in use on a server that hosts the SQL Server database. The database name. Important Although the Setup wizard allows you to change the port configuration of the SQL Server Service Broker, Configuration Manager does not support changing the port for SQL Server after the site is installed. You can only configure the TCP port for SQL Server when you install a site. You can move the site database to a new instance of SQL Server on the same computer, or to a different computer that runs a supported version of SQL Server. If you move the site database, you must configure the following: When you move the site database to a new computer, add the computer account of the site server to the Local Administrators group on the computer that runs SQL Server. If you use a SQL Server cluster for the site database, you must add the computer account to the Local Administrators group of each Windows Server cluster node computer. When you move the database to a new instance on SQL Server, or to a new SQL Server computer, you must enable common language runtime (CLR) integration. To enable CLR,
757

use SQL Server Management Studio to connect to the instance of SQL Server that hosts the site database and run the following stored procedure as a query: sp_configure clr enabled,1; reconfigure. Important Before you move a database that has one or more database replicas for management points, you must first remove the database replicas. After you complete the database move, you can reconfigure database replicas. For more information see the Operations for Using Database Replicas section in the Configure Database Replicas for Management Points topic. After you have installed the Configuration Manager site, use the information in the following sections to help you manage a site database configuration. For information about planning site database configurations, see Planning for Database Servers in Configuration Manager.

How to Manage the SPN for SQL Server Site Database Servers
When you configure SQL Server to use the local system account to run SQL Server services, a Service Principal Name (SPN) for the account is automatically created in Active Directory Domain Services. When the local system account is not in use, you must manually register the SPN for the SQL Server service account. You can register an SPN for the SQL Server service account of the site database server by using the Setspn tool. You must run the Setspn tool on a computer that resides in the domain of SQL Server, and it must use Domain Administrator credentials to run. Use the following procedures as examples of how to manage the SPN for the SQL Server service account that uses the Setspn tool on Windows Server 2008 R2. For specific guidance about Setspn, see Setspn Overview, or similar documentation specific to your operating system. Note The following procedures reference the Setspn command-line tool. The Setspn command-line tool is included when you install Windows Server 2003 Support Tools from the product CD or from the Microsoft Download Center. For more information about how to install Windows Support Tools from the product CD, see Install Windows Support Tools. To manually create a domain user Service Principal Name (SPN) for the SQL Server service account 1. On the Start menu, click Run, and then enter cmd in the Run dialog box. 2. At the command line, navigate to the Windows Server support tools installation directory. By default, these tools are located in the C:\Program Files\Support Tools directory. 3. Enter a valid command to create the SPN. To create the SPN, you can use the NetBIOS name or the fully qualified domain name (FQDN) of the computer running SQL Server. However, you must create an SPN for both the NetBIOS name and the FQDN.
758

Important When you create an SPN for a clustered SQL Server, you must specify the virtual name of the SQL Server Cluster as the SQL Server computer name. To create an SPN for the NetBIOS name of the SQL Server computer, type the following command: setspn A MSSQLSvc/<SQL Server computer name>:1433 <Domain\Account> To create an SPN for the FQDN of the SQL Server computer, type the following command: setspn -A MSSQLSvc/<SQL Server FQDN>:1433 <Domain\Account> Note The command to register an SPN for a SQL Server named instance is the same as that you use when you register an SPN for a default instance except that the port number must match the port that is used by the named instance. To verify the domain user SPN is registered correctly by using the Setspn command 1. On the Start menu, click Run, and then enter cmd in the Run dialog box. 2. At the command prompt, enter the following command: setspn L <domain\SQL Service Account>. 3. Review the registered ServicePrincipalName to ensure that a valid SPN has been created for the SQL Server. To verify the domain user SPN is registered correctly when using the ADSIEdit MMC console 1. On the Start menu, click Run, and then enter adsiedit.msc to start the ADSIEdit MMC console. 2. If necessary, connect to the domain of the site server. 3. In the console pane, expand the site server's domain, expand DC=<server distinguished name>, expand CN=Users, right-click CN=<Service Account User>, and then click Properties. 4. In the CN=<Service Account User> Properties dialog box, review the servicePrincipalName value to ensure that a valid SPN has been created and associated with the correct SQL Server computer. To change the SQL Server service account from local system to a domain user account 1. Create or select a domain or local system user account that you want to use as the SQL Server service account. 2. Open SQL Server Configuration Manager. 3. Click SQL Server Services, and then double-click SQL Server<INSTANCE NAME>. 4. On the Log on tab, select This account, and then enter the user name and password for the domain user account created in step 1, or click Browse to find the user account in Active Directory Domain Services, and then click Apply.
759

5. Click Yes in the Confirm Account Change dialog box to confirm the service account change and restart the SQL Server Service. 6. Click OK after the service account has been successfully changed.

Manage Site Components with the Configuration Manager Service Manager

Use the Configuration Manager Service Manager to control System Center 2012 Configuration Manager services and to view the status of any Configuration Manager services or threads (referred to collectively as Configuration Manager components). Configuration Manager components can run on any site system. Components are managed the same way that you manage services in Windows; you can start, stop, pause, resume, or query Configuration Manager components. A Configuration Manager service runs when there is something for it to do (typically, when a configuration file is written to a component's inbox). If you have to identify the component involved in an operation, you can use the Configuration Manager Service Manager to manipulate various Configuration Manager services and threads and then view the resulting change in the behavior of Configuration Manager. For example, you can stop Configuration Manager services one at a time until a particular response is eliminated. Doing so enables you to determine which service causes the behavior. Tip The following procedure can be used to manipulate Configuration Manager component operation. If you want to modify the logging options of a component, see the Configure Logging Options by Using the Configuration Manager Service Manager section in the Technical Reference for Log Files in Configuration Manager topic. To use the Configuration Manager Service Manager 1. In the Configuration Manager console, click Monitoring, expand System Status, and then click Component Status. 2. On the Home tab, in the Component group, click Start, and then select Configuration Manager Service Manager. 3. When the Configuration Manager Service Manager opens, connect to the site that you want to manage. If you do not see the site that you want to manage, click Site, click Connect, and then enter the name of the site server of the correct site. 4. Expand the site and navigate to Components or Servers depending on where the components that you want to manage are located. 5. In the right pane, select one or more components and then on the Component menu, click Query to update the status of your selection. 6. After the status of the component is updated, use one of the four action-based options on the Component menu to modify the components operation. After you request an action,
760

you must query the component to display the new status of the component. 7. Close the Configuration Manager Service Manager when you are finished modifying the operational status of components.

Perform a Site Reset

Configuration Manager uses a site reset to reapply the default file and registry permissions on a primary or central administration site server and to reinstall site components at a site. Secondary sites do not support a site reset. You can perform a manual site reset to restore these settings, and Configuration Manager runs a site reset automatically after you make a configuration change that requires this action. For example, if there has been a change to the accounts used by Configuration Manager components, a manual site reset ensures the account details used by the components are correct and resets the access control lists (ACLs) used by remote site systems to access the site server. Or, if you modify the client or server languages that a site supports, Configuration Manager automatically runs a site reset because the reset is required before a site can use this change. Note A site reset does not reset access permissions to non-Configuration Manager objects. Important A site reset reinstalls all site system roles at a site. During a site reset, Setup stops and restarts the SMS_SITE_COMPONENT_MANAGER service and the thread components of the SMS_EXECUTIVE service. Additionally, Setup removes, and then re-creates, the site system share folder and the SMS Executive component on the local computer and on remote site system computers. After Setup reinstalls the SMS_SITE_COMPONENT_MANAGER service, this service installs the SMS_EXECUTIVE and the SMS_SQL_MONITOR services. In addition, a site reset restores the following objects: The SMS or NAL registry keys, and any default subkeys under these keys. The Configuration Manager file directory tree, and any default files or subdirectories in this file directory tree.

Permissions to Perform a Site Reset

The account that you use to perform a site reset must have the following permissions: Central administration site: The account that you use to run a site reset at this site must be a local administrator on the central administration site server and must have privileges that are equivalent to the Full Administrator role-based administration security role. Primary site: The account that you use to run a site reset at this site must be a local administrator on the primary site server and must have privileges that are equivalent to the Full Administrator role-based administration security role. If the primary site is in a hierarchy with a central administration site, this account must also be a local administrator on the central administration site server.
761

How To Perform a Site Reset

You can perform a site reset of a Configuration Manager primary site or central administration site, by starting Configuration Manager Setup on the Start menu of the site server computer or on the Configuration Manager source media. To perform a site reset 1. Run Configuration Manager Setup from <Configuration Manager site installation folder>\BIN\X64\setup.exe. 2. On the Getting Started page, select Perform site maintenance or reset this site, and then click Next. 3. On the Site Maintenance page, select Reset site with no configuration changes, and then click Next. 4. Click Yes to begin the site reset. When the site reset is finished, click Close to complete this procedure.

Manage Language Packs at Configuration Manager Sites

Use the information in the following sections to help you manage server and client language packs for your Configuration Manager sites.

Add Language Packs to a Site

To add support for a server language pack or client language pack to a site, run Configuration Manager Setup and select the languages to use. When you add server language packs to a site they are made available for Configuration Manager console installations and applicable site system roles. When you add client language packs to a site, Configuration Manager adds them to the client installation source files so that new client installations, or upgrades, can add support for the current list of client languages. How to add language packs during site installation: To add support for language packs to a new central administration site, or a primary site, use the appropriate procedure in the Install a Site Server section of the Install Sites and Create a Hierarchy for Configuration Manager topic. The procedures in that topic include the selection of language packs when you install a site. How to modify the languages packs at a site: To add or remove support for language packs at a previously installed site, run Setup from the Configuration Manager installation folder on the site server. Use the following procedure to modify the language packs that a site supports after the site is installed. To modify the language packs that are supported at a site
762

1. On the site server, run Configuration Manager Setup from <Configuration Manager site installation folder>\BIN\X64\setup.exe. 2. On the Getting Started page, select Perform site maintenance or reset this Site, and then click Next. 3. On the Site Maintenance page, select Modify language configuration, and then click Next. 4. On the Prerequisites Downloads page, select Download required files to acquire updates to language packs, or select Use previously downloaded files to use previously downloaded files that include the language packs you want to add to the site. Click Next to validate the files and continue. 5. On the Server Language Selection page, select the check box for server languages this site supports, and then click Next. 6. On the Client Language Selection page, select the check box for client languages that this site supports, and then click Next. 7. Click Next, to modify language support at the site. Note Configuration Manager initiates a site reset which also reinstalls all site system roles at the site. 8. Click Close to complete this procedure.

Update Servers and Clients with New Language Packs

Use the information in the following sections and to add support for language packs.

How to Update Language Packs on Clients

After you update the client language packs at a site, you must install each client that will use the language packs by using source files that include the client language packs. For information about how to install clients with support for language packs, see the Planning for Client Language Packs section in the Planning for Sites and Hierarchies in Configuration Manager topic.

How to Update Language Packs on Site Servers and Site Systems

After you update the server language packs at a site, there are no additional actions required. Configuration Manager automatically updates applicable components.

How to Update Language Packs on Configuration Manager Consoles

After you update the server language packs at a site, you can add support for the language packs to Configuration Manager consoles. To add support for a server language pack to a Configuration Manager console, you must install the Configuration Manager console from the ConsoleSetup folder on a site server that includes
763

the language pack that you want to use. If the Configuration Manager console is already installed, you must first uninstall it to enable the new installation to identify the current list of supported language packs. For more information about how to install Configuration Manager consoles with support for additional languages, see the Manage Configuration Manager Console Languages section in the Install Sites and Create a Hierarchy for Configuration Manager topic.

Configure the Status System for Configuration Manager

Use the following procedures to configure the status system for Configuration Manager. All major System Center 2012 Configuration Manager components generate status messages. The Configuration Manager status system operates without configuration by using default settings that are suitable for most environments. However, you can configure the following: Status Summarizers: Configure the frequency of status messages that generate a status indicator change for the components that are tracked. There are four summarizers: Application Deployment Summarizer Application Statistics Summarizer Component Status Summarizer Site System Status Summarizer

Status Filter Rules: You can create custom status filter rules and modify the default rules. Note Status filter rules do not support the use of environment variables to run external commands.

Status Reporting: Configure the status reporting for server and client components.

The status system maintains separate configurations for each site so you must edit the status system for each site. Use the following sections to configure the Configuration Manager status system: Configure Status Summarizers Configure Status Filter Rules Configure Status Reporting

Configure Status Summarizers

Use the following procedures to edit the status summarizers at each site. To configure status summarizers 1. In the Configuration Manager console, click Administration.
764

2. In the Administration workspace, expand Site Configuration, click Sites, and then select the site for which you want to configure the status system. 3. On the Home tab, in the Settings group, click Status Summarizers. 4. In the Status Summarizers dialog box, select the status summarizer that you want to configure, and then click Edit to open the properties for that summarizer. If you are editing the Application Deployment or Application Statistics summarizer, proceed with step 5. If you are editing the Component Status skip to step 6. If you are editing the Site System Status summarizer, skip to step 7. 5. Use the following steps after you open the property page for either the Application Deployment Summarizer or the Application Statistics Summarizer: a. On the General tab of the summarizers properties page configure the summarization intervals and then click OK to close the properties page. b. Click OK to close the Status Summarizers dialog box and complete this procedure. 6. Use the following steps after you open property pages for the Component Status Summarizer: a. On the General tab of the summarizers properties page configure the replication and threshold period values. b. On the Thresholds tab, select the Message type you want to configure, and then click the name of a component in the Thresholds list. c. In the Status Threshold Properties dialog box, edit the warning and critical threshold values, and then click OK.

d. Repeat steps 6.b and 6.c as needed and when you are finished, click OK to close the summarizer properties. e. Click OK to close the Status Summarizers dialog box and complete this procedure. 7. Use the following steps after you open the property pages for the Site System Status Summarizer: a. On the General tab of the summarizers properties page configure the replication and schedule values. b. On the Thresholds tab, specify values for the Default thresholds to configure default thresholds for critical and warning status displays. c. To edit the values for specific Storage objects, select the object from the Specific thresholds list, and then click the Properties button to access and edit the storage objects warning and critical thresholds. Click OK to close the storage objects properties.

d. To create a new storage object, click the Create Object button and specify the storage objects values. Click OK to close the objects properties. e. To delete a storage object, select the object and then click the Delete button. f. Repeat steps 7.b through 7.e as needed. When you are finished, click OK to close the summarizer properties.

g. Click OK to close the Status Summarizers dialog box and complete this procedure.

765

Configure Status Filter Rules

Use the following procedures to create new status filter rules, modify the priority of rules, disable or enable rules, and delete unused rules at each site. To create a status filter rule 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, click Sites, and then select the site where you want to configure the status system. 3. On the Home tab, in the Settings group, click Status Filter Rules. The Status Filter Rules dialog box opens. 4. Click Create. 5. In the Create Status Filter Rule Wizard, on the General page, specify a name for the new status filter rule and message-matching criteria for the rule, and then click Next. 6. On the Actions page, specify the actions to be taken when a status message matches the filter rule, and then click Next. 7. On the Summary page review the details for the new rule, and then complete the wizard. Note Configuration Manager only requires that the new status filter rule has a name. If the rule is created but you do not specify any criteria to process status messages, the status filter rule will have no effect. This behavior allows you to create and organize rules before you configure the status filter criteria for each rule. To modify or delete a status filter rule 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, click Sites, and then select the site where you want to configure the status system. 3. On the Home tab, in the Settings group, click Status Filter Rules. 4. In the Status Filter Rules dialog box, select the rule that you want to modify and then take one of the following actions: Click Increase Priority or Decrease Priority to change the processing order of the status filter rule. Then select another action or go to step 8 of this procedure to complete this task. Click Disable or Enable to change the status of the rule. After you change the status of the rule, select another action or go to step 8 of this procedure to complete this task. Click Delete if you want do delete the status filter rule from this site, and then click Yes to confirm the action. After you delete a rule, select another action or go to step 8 of this procedure to complete this task. Click Edit if you want to change the criteria for the status message rule, and continue
766

to step 5 of this procedure. 5. On the General tab of the status filter rule properties dialog box, modify the rule and message-matching criteria. 6. On the Actions tab, modify the actions to be taken when a status message matches the filter rule. 7. Click OK to save the changes. 8. Click OK to close the Status Filter Rules dialog box.

Configure Status Reporting

You can use the following procedure to modify how status messages are reported to the Configuration Manager status system. You can configure both server and client component reporting, and specify where status messages are sent. Warning Because the default reporting settings are appropriate for most environments, change them with caution. When you increase the level of status reporting by choosing to report all status details you can increase the amount of status messages to be processed which increases the processing load on the Configuration Manager site. If you decrease the level of status reporting you might limit the usefulness of the status summarizers. To configure status reporting 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, click Sites, and then select where you want to configure the status system. 3. On the Home tab, in the Settings group, click Configure Site Components, and select Status Reporting. 4. In the Status Reporting Component Properties dialog box, specify the server and client component status messages that you want to report or log: a. Configure Report to send status messages to the Configuration Manager status message system. b. Configure Log to write the type and severity of status messages to the Windows event log. 5. Click OK.

See Also
Operations and Maintenance for Site Administration in Configuration Manager

767

Configure Maintenance Tasks for Configuration Manager Sites

System Center 2012 Configuration Manager sites and hierarchies require regular maintenance and monitoring to provide services effectively and continuously. Regular maintenance ensures that the hardware, software, and the Configuration Manager database continue to function correctly and efficiently. Each Configuration Manager site supports maintenance tasks that help maintain the operational efficiency of the Configuration Manager database. By default, several maintenance tasks are enabled in each site, and all tasks support independent schedules. Maintenance tasks are configured individually for each site and apply to the database at that site; however, some tasks, such as Delete Aged Discovery Data, affect the information available in all sites in a hierarchy. For more information about planning for site maintenance, see the Planning for Maintenance Tasks for Configuration Manager section in the Planning for Site Operations in Configuration Manager topic.

Use the following procedure to help you configure the common settings of maintenance tasks. To configure maintenance tasks for Configuration Manager 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, and click Sites. 3. Select the site that contains the maintenance task that you want to configure. 4. On the Home tab, in the Settings group, click Site Maintenance, and then select the maintenance task you want to configure. Tip Only the tasks available at the selected site are displayed. 5. To configure the task, click Edit, ensure the Enable this task check box is selected, and configure a schedule for when the task runs. If the task also deletes aged data, configure the age of data that will be deleted from the database when the task runs. Click OK to close the task Properties. Note For Delete Aged Status Messages, you configure the age of data to delete when you configure status filter rules. 6. To enable or disable the task without editing the task properties, click the Enable or Disable button. The button label changes depending on the current configuration of the task. 7. When you are finished configuring the maintenance tasks, click OK to complete the
768

procedure.

See Also
Operations and Maintenance for Site Administration in Configuration Manager

Monitor Configuration Manager Sites and Hierarchy

Use the information in the following sections to help you monitor the infrastructure and common operations for System Center 2012 Configuration Manager. To monitor infrastructure and operations in Configuration Manager, use the Monitoring workspace in the Configuration Manager console. Note The exception to this location is Migration, which is monitored directly in the Migration node in the Administration workspace. For more information, see Monitor Migration Activity in the Migration Workspace. In addition to using the Configuration Manager console for monitoring, you can use the Configuration Manager reports, or view Configuration Manager log files for Configuration Manager components. For information about reports, see Reporting in Configuration Manager. For information about log files, see About Configuration Manager Log Files. When you monitor sites, look for signs that indicate problems that require you to take action. For example: A backlog of files on site servers and site systems. Status messages that indicate an error or a problem. Failing intrasite communication. Error and warning messages in the system event log on servers. Error and warning messages in the Microsoft SQL Server error log. Sites or clients that have not reported in a long time. Sluggish response from the SQL Server database. Signs of hardware failure.

To minimize the risk of a site failure, if monitoring tasks reveal any signs of problems, investigate the source of the problem and repair it as soon as possible. Use the information in the following sections to help you monitor the infrastructure and common operations for Configuration Manager. Monitor Infrastructure for Configuration Manager About the Site Hierarchy Node How to Monitor Database Replication Links and Replication Status
769

About the Replication Link Analyzer Procedures for Monitoring Database Replication

Monitor System Status for Configuration Manager Monitor Management Tasks for Configuration Manager Monitor Alerts in Configuration Manager

Monitor Infrastructure for Configuration Manager

Configuration Manager provides several methods to monitor the status and operations of your hierarchy. You can check system status of sites throughout the hierarchy, monitor intersite replication from a site hierarchy or geographical view, monitor replication links between sites for database replication, and use the Replication Link Analyzer tool to remediate replication issues.

About the Site Hierarchy Node

The Site Hierarchy node of the Monitoring workspace provides you with an overview of your Configuration Manager hierarchy and intersite links. You can use two views: Hierarchy Diagram: This view displays your hierarchy as a topology map that has been simplified to show only vital information. Geographical View: This view displays your sites on a geographical map showing site locations that you configure.

Use the Site Hierarchy node to monitor the health of each site and the intersite replication links and their relationship to external factors, such as a geographical location. Because site status and intersite link status replicate as site data and not global data, when you connect your Configuration Manager console to a child primary site, you cannot view the site or link status for other primary sites or their child secondary sites. For example, in a multi-primary site hierarchy, when your Configuration Manager console connects to a primary site, you can view the status of child secondary sites, the primary site, and the central administration site, but you cannot see the status for other nodes of the hierarchy below the central administration site. Use the Configure Settings command to control how the site hierarchy display renders. Configurations to the Site Hierarchy node that you make when your Configuration Manager console is connected to one site are replicated to all other sites.

Hierarchy Diagram
The hierarchy diagram displays your sites in a topology map. In this view, you can select a site and view a status message summary from that site, drill through to view status messages, and access the Properties dialog box of the sites. Additionally, you can pause the mouse pointer on a site or replication link between sites to view high-level status for that object. Because replication link status does not replicate globally, in a hierarchy with multiple primary sites, you must connect your Configuration Manager console to the central administration site to view the replication link details between all sites.
770

The following options modify the hierarchy diagram: Groups: You can configure the number of primary sites and secondary sites that trigger a change in the hierarchy diagram display that combines the sites into a single object. When sites are combined into a single object, you see the total number of sites and a high-level rollup of status messages and site status. Group configurations do not affect the geographical view. Favorite sites: You can specify individual sites to be a favorite site. A star icon identifies a favorite site in the hierarchy diagram. Favorite sites are not combined with others sites when you used groups and always are displayed individually.

Geographical View
The geographical view displays the location of each site on a geographical map. Only sites that you configure with a location are displayed. When you select a site in this view, replication links to parent or child sites are shown. Unlike the hierarchy diagram view, you cannot display site status message or replication link details in this view. Note To use the geographical view, the computer to which your Configuration Manager console connects must have Internet Explorer installed and be able to access Bing Maps by using the HTTP protocol. The following option modifies the geographical view. Site Location: You can specify a geographical location for each site. You can specify the location as a street address, a place name such as the name of a city, or by latitude and longitude coordinates. For example, to use the latitude and longitude of Redmond Washington, you would specify N 47 40 26.3572 W 122 7 17.4432 as the location of the site. You do not need to specify the symbols for the degree, minutes or seconds of longitude or latitude. Configuration Manager uses Bing Maps to display the location on the geographical view. This provides you the option to view your hierarchy in relation to a geographical location, which can provide insight into regional issues that might affect specific sites or intersite replication. When you specify a location, you can use the Location box to search for a specific site in your hierarchy. With the site selected, enter the location as a city name or street address in the Location column. Configuration Manager uses Bing Maps to resolve the location.

How to Monitor Database Replication Links and Replication Status

In addition to high level details that are accessible from the Site Hierarchy node in the Monitoring workspace, with Configuration Manager SP1 you can monitor details for database replication when you use the Database Replication node in the Monitoring workspace. From the Database Replication you can monitor the status of replication links between sites, and the initialization details and replication details for replication groups at the site to which your Configuration Manager console is connected.
771

Tip Although a Database Replication node also appears under the Hierarchy Configuration node in the Administration workspace, you cannot view the replication status for database replication links from that location.

Replication Link Status

Database replication between sites involves the replication of several sets of information, called replication groups. Each replication group replicates with different replication priorities. By default, the data contained in a replication group and the frequency of replication cannot be modified. When a replication link is active, and does not have a status of failed or degraded, all replication groups replicate in a timely manner. When one or more replication groups fail to complete replication in the expected period of time, the link displays as degraded. Degraded links can still function, but you should monitor them to ensure that they return to active status, or investigate them to ensure that additional degradation or replication failures do not occur. With Configuration Manager SP1, for each replication link you can specify the number of times that an unsuccessfully replicated replication group retries to replicate before the status of the link is set to degraded or failed. Even if all but one replication group replicate successfully, the status of the link is set to degraded or failed because the one replication group fails to complete replication in the specified number of attempts. For information about replication thresholds, see the Plan for Database Replication Thresholds section in the Planning for Communications in Configuration Manager topic. Use the information in following table to understand the status of replication links that might require further investigation.
Link description More information

Link is active

No problems have been detected, and communication across the link is current. Replication is functional, but at least one replication object or group is delayed. Monitor links that are in this state and review information from both sites on the link for indications that the link might fail. A link can also display a status of degraded when the site that receives replicated data is unable to quickly commit the data to the database. This can happen when large volumes of data replicate. For example, if you deploy a software update to a large number of computers, the volume of data that replicates might take some time to be processed by the
772

Link is degraded

Link description

More information

parent site on the link. A processing lag at the parent site can result in the link status being set to degraded until the parent site can successfully process the backlog of data. Link has failed Replication is not functional. It is possible that a replication link might recover without further action. You can use the Replication Link Analyzer to investigate and help remediate replication on this link. This status can also indicate a problem with the physical network between the parent and child site on the replication link. While a parent site is in the process of upgrading to a new service pack and you view the link status from the child site, the link status displays as active. After the upgrade, until the child site is also at the same service pack as the parent site, the link status displays as active when viewed from the parent site, and as being configured when viewed from the child site.

Replication Status
You can use the Database Replication node in the Monitoring workspace to view the status of replication for a replication link, and view details about the site database at each site on the replication link. With Configuration Manager SP1, you can also view details about replication groups. To view details, select a replication link, and then select the appropriate tab for the replication status you want to view. The following table provides details about the different tabs for replication status.
Tab Details

Summary

View high level information about the replication of site data and global data between the two sites on a link. You can also click View reports for historical traffic data to view a report that shows details about the network bandwidth used by replication across the replication link.

Parent Site

For the parent site on a replication link, view details about the database, which include: Firewall ports for the SQL Server Free disk space
773

Tab

Details

Child Site

Database file locations Certificates

For the child site on a replication link, view details about the database, which include: Firewall ports for the SQL Server Free disk space Database file locations Certificates

Initialization Detail

For Configuration Manager SP1 only: View the initialization status for replication groups that replicate across the replication link. This information can help you identify when initialization of replication data is in progress or has failed. Additionally, You can use this information to identify when a site might be in interoperability mode. Interoperability mode occurs when the child site does not run the same version of Configuration Manager as the parent site.

Replication Detail

For Configuration Manager SP1 only: View the replication status for each replication group that replicates across the link. Use this information to help identify problems or delays for the replication of specific data, and to help determine the appropriate database replication thresholds for this link. For information about database replication thresholds, see the Plan for Database Replication Thresholds section in the Planning for Communications in Configuration Manager topic. Tip Replication groups for site data are sent only from the child site to the parent site. Replication groups for global data replicate in both directions.

774

About the Replication Link Analyzer

Configuration Manager includes Replication Link Analyzer which you use to analyze and repair replication issues. You can use Replication Link Analyzer to remediate replication link failures when replication has failed and when replication stops working but has not yet been reported as failed. Replication Link Analyzer can be used to remediate replication issues between the following computers in the Configuration Manager hierarchy (the direction of the replication failure does not matter): Between a site server and the site database server. Between a sites site database server and another sites site database computer (intersite replication).

You can run Replication Link Analyzer in either the Configuration Manager console or at a command prompt: To run in the Configuration Manager console: In the Monitoring workspace, click the Database Replication node, select the replication link that you want to analyze, and then in the Database Replication group on the Home tab, select Replication Link Analyzer. To run at a command prompt, type the following command: %path%\Microsoft Configuration Manager\AdminConsole\bin\Microsoft.ConfigurationManager.ReplicationLinkAnalyzer. Wizard.exe <source site server FQDN> <destination site server FQDN>

When you run Replication Link Analyzer, it detects problems by using a series of diagnostic rules and checks. When the tool runs, you can view the problems that the tool identifies. When instructions to resolve an issue are known, they are displayed. If Replication Link Analyzer can automatically remediate a problem, you are presented with that option. When Replication Link Analyzer finishes, it saves the results in the following XML-based report and a log file on the desktop of the user who runs the tool: ReplicationAnalysis.xml ReplicationLinkAnalysis.log

When Replication Link Analyzer runs, it stops the following services while it remediates some problems, and restarts these services when remediation is complete: SMS_SITE_COMPONENT_MANAGER SMS_EXECUTIVE

If Replication Link Analyzer fails to complete remediation, review the site server and restart these services if they are stopped. Successful and unsuccessful investigation and remediation actions are logged to provide additional details that are not presented in the tool interface.

Prerequisites to use the Replication Link Analyzer

The following items are prerequisites to use the Replication Link Analyzer:

775

The account that you use to run the Replication Link Analyzer must have local administrator rights on each computer that is involved in the replication link. The account does not require a specific role-based administration security role. Therefore, an administrative user with access to the Database Replication node can run the tool in the Configuration Manager console, or a system administrator with sufficient rights to each computer can run the tool at a command prompt. The account that you use to run the Replication Link Analyzer must have sysadmin rights on each SQL Server database that is involved in the replication link.

Procedures for Monitoring Database Replication

Use the following procedures to monitor database replication in Configuration Manager. To monitor high-level site-to-site database replication status 1. In the Configuration Manager console, click Monitoring. 2. In the Monitoring workspace, click Site Hierarchy to open the Hierarchy Diagram view. 3. Briefly pause the mouse pointer on the line between the two sites to view the status of global and site data replication for these sites. To monitor the replication status for a replication link 1. In the Configuration Manager console, click Monitoring. 2. In the Monitoring workspace, click Database Replication, and then select the replication link for the link that you want to monitor. Then, in the workspace, select the appropriate tab to view different details about the replication status for that link.

Monitor System Status for Configuration Manager

System status in Configuration Manager provides an overview of the general operations of sites and site server operations of your hierarchy. It can reveal operational problems for site system servers or components, and you can use the system status to review specific details for different Configuration Manager operations. You monitor system status from the System Status node of the Monitoring workspace in the Configuration Manager console. Most Configuration Manager site system roles and components generate status messages. Status messages details are logged in each components operational log, but are also submitted to the site database where they are summarized and presented in a general rollup of each component or site systems health. These status message rollups provide information details for regular operations and warnings and error details. You can configure the thresholds at which warnings or errors are triggered and fine-tune the system to ensure rollup information ignores known issues that are not relevant to you while calling attention to actual problems on servers or for component operations that you might want to investigate. System status is replicated to other sites in a hierarchy as site data, not global data. This means you can only see the status for the site to which your Configuration Manager console connects,
776

and any child sites below that site. Therefore, consider connecting your Configuration Manager console to the top-level site of your hierarchy when you view system status. Use the following table to identify the different system status views and when to use each one.
Node More information

Site Status

Use this node to view a rollup of the status of each site system to review the health of each site system server. Site system health is determined by thresholds that you configure for each site in the Site System Status Summarizer. You can view status messages for each site system, set thresholds for status messages, and manage the operation of the components on site systems by using the Configuration Manager Service Manager.

Component Status

Use this node to view a rollup of the status of each Configuration Manager component to review the components operational health. Component health is determined by thresholds that you configure for each site in the Component Status Summarizer. You can view status messages for each component, set thresholds for status messages, and manage the operation of components by using the Configuration Manager Service Manager.

Conflicting Records

Use this node to view status messages about clients that might have conflicting records. Configuration Manager uses the hardware ID to attempt to identify clients that might be duplicates and alert you to the conflicting records. For example, if you have to reinstall a computer, the hardware ID would be the same, but the GUID that Configuration Manager uses might be changed.

Status Message Queries

Use this node to query status messages for specific events and related details. You can use status message queries to find the status messages related to specific events.
777

Node

More information

You can often use status message queries to identify when a specific component, operation, or Configuration Manager object was modified, and the account that was used to make the modification. For example, you can run the built-in query for Collections Created, Modified, or Deleted to identify when a specific collection was created, and the user account used to create the collection.

Manage Site Status and Component Status

Use the following information to manage the site status and component status: To configure thresholds for the status system, see Configure the Status System for Configuration Manager. To manage individual components in Configuration Manager, use the Configuration Manager Service Manager.

View Status Messages

You can view the status messages for individual site system servers and components. To view status messages in the Configuration Manager console, select a specific site system server or component, and then click Show Messages. When you view messages, you can select to view specific message types or messages from a specified period of time, and you can filter the results based on the status messages details.

Monitor Management Tasks for Configuration Manager

Configuration Manager provides built-in monitoring from within the Configuration Manager console. You can monitor many tasks including those related to software updates, power management, and the deployment of content throughout your hierarchy. Use the information in the following table to help you monitor common Configuration Manager tasks.
Monitoring task More information

Alerts Compliance Settings

See Monitor Alerts in Configuration Manager. See How to Monitor for Compliance Settings in Configuration Manager.
778

Monitoring task

More information

Content Deployment

For general information about monitoring content, see the Monitor Content section in the Operations and Maintenance for Content Management in Configuration Manager topic. For information about monitoring specific types of content deployment: To monitor Applications, see How to Monitor Applications in Configuration Manager. To monitor Packages and Programs, see How to Monitor Packages and Programs in Configuration Manager.

Endpoint Protection

See How to Monitor Endpoint Protection in Configuration Manager. See How to Monitor Out of Band Management in Configuration Manager. See How to Monitor and Plan for Power Management in Configuration Manager. See How to Monitor Software Metering in Configuration Manager. See the Monitor Software Updates section in the Operations and Maintenance for Software Updates in Configuration Manager topic.

Out of Band Management

Monitor Power Management

Monitor Software Metering

Monitor Software Updates

Monitor Alerts in Configuration Manager

Alerts are generated by Configuration Manager when a specific condition occurs. Typically, alerts are generated when an error occurs that you must resolve. However, alerts are also generated to warn you that a condition exists so that you can continue to monitor the situation. You can view alerts in the Alerts node of the Monitoring workspace. Alerts have one of the following alert states: Never triggered: The condition of the alert has not been met. Active: The condition of the alert is met. Canceled: The condition of an active alert is no longer met. This state indicates that the condition that caused the alert is now resolved. Postponed: An administrative user has configured Configuration Manager to evaluate the state of the alert at a later time.
779

Disabled: The alert has been disabled by an administrative user. When an alert is in this state, Configuration Manager does not update the alert even if the state of the alert changes. Resolve the condition that caused the alert, for example, you resolve a network issue or a configuration issue that generated the alert. After Configuration Manager detects that the issue no longer exists, the alert state changes to Cancel. If the alert is a known issue, you can postpone the alert for a specific length of time. At that time, Configuration Manager updates the alert to its current state. You can postpone an alert only when it is active. You can edit the Comment of an alert so that other administrative users can see that you are aware of the alert. For example, in the comment you can identify how to resolve the condition, provide information about the current status of the condition, or explain why you postponed the alert.

You can take one of the following actions when Configuration Manager generates an alert:

For more information about how to manage alerts, see Configuring Alerts in Configuration Manager.

See Also
Operations and Maintenance for Site Administration in Configuration Manager

Manage Cloud Services for Configuration Manager

Note The information in this topic applies only to System Center 2012 Configuration Manager SP1. Use the information in the following sections to help you manage cloud services that you use with System Center 2012 Configuration Manager: Monitor Cloud-Based Distribution Points Controlling the Cost of Cloud-Based Distribution Points Backup and Recovery of Cloud-Based Distribution Points Uninstalling Cloud-Based Distribution Points

For information about the Windows Intune connector, see How to Manage Mobile Devices by Using the Windows Intune Connector in Configuration Manager.

Monitor Cloud-Based Distribution Points

When you use cloud-based distribution points, you can monitor the content that you deploy to each distribution point, and you can monitor the cloud service that hosts the distribution point.
780

You monitor content that you deploy to a cloud-based distribution point the same way as you would deploy content to on-premises distribution points. For general information about how to monitor content, see the Monitor Content section in the Operations and Maintenance for Content Management in Configuration Manager topic. For information about how to monitor specific types of content deployment: To monitor application deployments, see How to Monitor Applications in Configuration Manager. To monitor package and program deployments, see How to Monitor Packages and Programs in Configuration Manager.

To monitor the cloud-based distribution point, Configuration Manager periodically checks the Windows Azure service and raises an alert if the service is not active, or if there are subscription or certificate issues. You can also view details about the distribution point in the Cloud node under Hierarchy Configurations in the Administration workspace of the Configuration Manager console. From this location, you view high-level information about the distribution point, or select a distribution point, and then edit its Properties. When you edit the properties of a cloud-based distribution point, you can adjust the data thresholds for storage and alerts. You can also manage content as you would for an on-premises distribution point. Finally, for each cloud-based distribution point, you can view, but not edit, the subscription ID, service name, and other related details that are specified when the cloud-based distribution is installed. For more information about how to control the cost of using a cloud-based distribution point, including how to set thresholds and alerts, see Controlling the Cost of Cloud-Based Distribution Points.

Controlling the Cost of Cloud-Based Distribution Points

In Configuration Manager you can specify thresholds for the amount of content that you want to store on the distribution point, and the amount of content that you want clients to transfer from the distribution point. Based on these thresholds, Configuration Manager can raise alerts that warn you when the combined amount of content that you have stored on the distribution point is near the specified storage amount, or when data that clients transfer are close to the thresholds that you defined. The following table provides information about these thresholds.
Option Description

Client Settings for Cloud

You control access to all cloud-based distribution points in a hierarchy by using Client Settings. In Client Settings, the category Cloud Settings supports the setting Allow access to cloud distribution points. By default, this setting is set to No. You can enable this setting
781

Option

Description

for both Users and Devices. Thresholds for data transfers You can configure thresholds for the amount of data that you want to store on the distribution point, and for the amount of data that clients download from the distribution point. Thresholds for cloud-based distribution points include the following: Storage alert threshold: A storage alert threshold sets an upper limit on the amount of data or content that you want store on the cloud-based distribution point. You can specify Configuration Manager to generate a warning alert when the remaining free space of your storage alert threshold reaches the level that you specify. Transfer alert threshold: A transfer alert threshold helps you to monitor the amount of content that transfers from the distribution point to clients for a 30-day period. The transfer alert threshold monitors the transfer of data for the last 30 days, and can raise a warning alert and a critical alert when transfers reach values that you define. Important Configuration Manager monitors the transfer of data, but does not stop the transfer of data beyond the specified transfer alert threshold. You can specify thresholds for each cloudbased distribution point during the installation of the distribution point, or you can edit the properties of each cloud-based distribution point after it is installed. Alerts You can configure Configuration Manager to raise alerts about data transfers to and from each cloud-based distribution point, based on the data transfer thresholds that you specify. These alerts help you monitor data transfers, and can help you decide when to stop the cloud
782

Option

Description

service to prevent its use, adjust the content that you store on the distribution point, or modify which clients can use cloud-based distribution points. In an hourly cycle, the primary site that monitors the cloud-based distribution point downloads transaction data from Windows Azure and stores it in the CloudDP<ServiceName>.log on the site server. Configuration Manager then evaluates this information against the storage and transfer quotas for each cloud-based distribution point. When the transfer of data reaches or exceeds the specified volume for either warning or critical alerts, Configuration Manager generates the appropriate alert. Warning Because information about data transfers is downloaded from Windows Azure hourly, that data usage might exceed a warning or critical threshold before Configuration Manager can access the data and raise an alert. Note Alerts for a cloud-based distribution point depend on usage statistics from Windows Azure, and can take up to 24 hours to become available. For information about Storage Analytics for Windows Azure, including how frequently Windows Azure updates use statistics, see Storage Analytics in the MSDN Library. Stop or start the cloud service on demand You can use the option to stop a cloud service at any time to prevent clients from using the service continuously. When you stop the cloud service, you immediately prevent clients from downloading additional content from the service. Additionally, you can restart the cloud
783

Option

Description

service to restore access for clients. For example, you might want to stop a cloud service when data thresholds are reached. When you stop a cloud service, the cloud service does not delete the content from the distribution point and does not prevent the site server from transferring additional content to the cloud-based distribution point. To stop a cloud service, in the Configuration Manager console, select the distribution point in the Cloud node, under Hierarchy Configuration, in the Administration workspace. Next, click Stop service to stop the cloud service that runs in Windows Azure. In addition to the use of data thresholds, client settings, and directly managing the cloud service, peer caching can help reduce the number of data transfers from cloud-based distribution points. By default, Configuration Manager clients that are configured for Windows BranchCache can transfer content by using cloud-based distribution points. For more information, see the following: The section Planning for BranchCache Support in the Planning for Content Management in Configuration Manager topic. The section BranchCache Feature Support in the Supported Configurations for Configuration Manager topic.

Backup and Recovery of Cloud-Based Distribution Points

When you use a cloud-based distribution point in your hierarchy, use the following information to help you plan for backup or recovery of the distribution point: When you use the predefined Backup Site Server maintenance task, Configuration Manager automatically includes the configurations for the cloud-based distribution point. It is best practice to back up and save a copy of both the management certificate and service certificate in use with a cloud-based distribution point. In the event that you restore the Configuration Manager primary site that manages the cloud-base distribution point to a different computer, you must re-import the certificates before you can continue to use them.

Uninstalling Cloud-Based Distribution Points

To uninstall a cloud-based distribution point, select the distribution point in the Configuration Manager console, and then select Delete.
784

When you delete a cloud-based distribution point from a hierarchy, Configuration Manager removes the content from the cloud service in Windows Azure.

See Also
Operations and Maintenance for Site Administration in Configuration Manager

Backup and Recovery in Configuration Manager

Enterprise solutions such as System Center 2012 Configuration Manager must prepare for both backup and recovery operations to avoid loss of critical data. For Configuration Manager sites, this preparation ensures that sites and hierarchies are recovered with the least data loss and in the quickest possible time. Use the sections in this topic to help you back up your Configuration Manager sites and recover a site in the event of site failure or data loss. SMS Writer Service Back up a Configuration Manager Site Backup Maintenance Task Using Data Protection Manager to Back up Your Site Database Archiving the Backup Snapshot Using the AfterBackup.bat File Supplemental Backup Tasks Determine Your Recovery Options Site Server Recovery Options Site Database Recovery Options

Recover a Configuration Manager Site

Unattended Site Recovery Script File Keys Post-Recovery Tasks Recover a Secondary Site

SMS Writer Service

The SMS Writer is a service that interacts with the Volume Shadow Copy Service (VSS) during the backup process. The SMS Writer service must be running for the Configuration Manager site back up to successfully complete.

Purpose
SMS Writer registers with the VSS service and binds to its interfaces and events. When VSS broadcasts events, or if it sends specific notifications to the SMS Writer, the SMS Writer responds
785

to the notification and takes the appropriate action. The SMS Writer reads the backup control file (smsbkup.ctl), located in the <ConfigMgr Installation Path>\inboxes\smsbkup.box, and determines the files and data that is to be backed up. The SMS Writer builds metadata, which consists of various components, based on this information as well as specific data from the SMS registry key and subkeys. It sends the metadata to VSS when it is requested. VSS then sends the metadata to the requesting application; Configuration Manager Backup Manager. Backup Manager selects the data that gets backed up and sends this data to the SMS Writer via VSS. The SMS Writer takes the appropriate steps to prepare for the backup. Later, when VSS is ready to take the snapshot, it sends an event, the SMS Writer stops all Configuration Manager services and ensures that the Configuration Manager activities are frozen while the snapshot is created. After the snapshot is complete, the SMS Writer restarts services and activities. The SMS Writer service is installed automatically. It must be running when the VSS application requests a backup or restore.

Writer ID
The writer ID for the SMS Writer is: 03ba67dd-dc6d-4729-a038-251f7018463b.

Permissions
The SMS Writer service must run under the Local System account.

Volume Shadow Copy Service

The VSS is a set of COM APIs that implements a framework to allow volume backups to be performed while applications on a system continue to write to the volumes. The VSS provides a consistent interface that allows coordination between user applications that update data on disk (the SMS Writer service) and those that back up applications (the Backup Manager service). For more information about VSS, see the Volume Shadow Copy Service topic in the Windows Server TechCenter.

Back up a Configuration Manager Site

System Center 2012 Configuration Manager provides a backup maintenance task that runs on a schedule and backs up the site database, specific registry keys, and specific folders and files. You can create the AfterBackup.bat file to perform post-backup actions automatically after the backup maintenance task runs successfully. The AfterBackup.bat file is most frequently used to archive the backup snapshot to a secure location. However, you can also use the AfterBackup.bat file to copy files to your backup folder and start other supplemental backup tasks. Use the following sections to help you create your Configuration Manager backup strategy. Note Configuration Manager can recover the site database from the Configuration Manager backup maintenance task or from a site database backup that you perform by using
786

another process. For example, you can restore the site database from a backup that is performed as part of a Microsoft SQL Server maintenance plan. Starting in Configuration Manager SP1, you can restore the site database from a backup that is performed by using System Center 2012 Data Protection Manager (DPM). For more information, see Using Data Protection Manager to Back up Your Site Database.

Backup Maintenance Task

You can automate backup for Configuration Manager sites by scheduling the predefined Backup Site Server maintenance task. You can back up a central administration site and primary site, but there is no backup support for secondary sites or site system servers. When the Configuration Manager backup service runs, it follows the instructions defined in the backup control file (<ConfigMgrInstallationFolder>\Inboxes\Smsbkup.box\Smsbkup.ctl). You can modify the backup control file to change the behavior of the backup service. Site backup status information is written to the Smsbkup.log file. This file is created in the destination folder that you specify in the Backup Site Server maintenance task properties. Use the following procedure to enable the site backup maintenance task for a site. To enable the site backup maintenance task 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, and then click Sites. 3. Select the site in which you want to enable the site backup maintenance task. 4. On the Home tab, in the Settings group, click Site Maintenance Tasks. 5. Click Backup Site Server and then click Edit. 6. Select Enable this task, and then click Set Paths to specify the backup destination. You have the following options: Security To help prevent tampering of the backup files, store the files in a secure location. The most secure backup path is to a local drive so you can set NTFS file system permissions on the folder. Regardless of which option you select, Configuration Manager does not encrypt the backup data that is stored in the backup path. Local drive on site server for site data and database: Specifies that the backup files for the site and site database are stored in the specified path on the local disk drive of the site server. You must create the local folder before the backup task runs. Security The Local System account on the site server must have Write NTFS file system permissions to the local folder for the site server backup. The Local System account on the computer that is running SQL Server must have Write NTFS permissions to the folder for the site database backup. Network path (UNC name) for site data and database: Specifies that the backup files for the site and site database are stored in the specified UNC path. You must
787

create the share before the backup task runs. Security The computer account of the site server and the computer account of the SQL Server, if SQL Server is installed on another computer, must have Write NTFS and share permissions to the shared network folder. Local drives on site server and SQL Server: Specifies that the backup files for the site are stored in the specified path on the local drive of the site server, and the backup files for the site database are stored in the specified path on the local drive of the site database server. You must create the local folders before the backup task runs. Security The computer account of the site server must have Write NTFS permissions to the folder that you create on the site server. The computer account of the SQL Server must have Write NTFS permissions to the folder that you create on the site database server. This option is available only when the site database is not installed on the site server. Note The option to browse to the backup destination is only available when you specify the UNC path of the backup destination. Important The folder name or share name that is used for the backup destination does not support the use of Unicode characters. 7. Configure an appropriate schedule for the site backup task. As a best practice, consider a backup schedule that is outside active working hours. If you have a hierarchy, consider a schedule that runs at least two times a week to ensure maximum data retention in the event of site failure. Note When you run the Configuration Manager console on the same site server that you are configuring for backup, the Backup Site Server maintenance task uses local time for the schedule. When the Configuration Manager console is run from a computer remote from the site that you are configuring for backup, the Backup Site Server maintenance task uses UTC for the schedule. 8. Select whether to create an alert if the site backup task fails, click OK, and then click OK. When selected, Configuration Manager creates a critical alert for the backup failure that you can review in the Alerts node in the Monitoring workspace.

Verify that the Backup Site Server maintenance task is running successfully after you schedule it, to ensure that you are prepared to recover the site if it fails, and also to help plan for data

788

recovery. Use the following procedure to verify that the site backup maintenance task is completed successfully. To verify that the Backup Site Server maintenance task is completed successfully Verify that the Site Backup maintenance task is completed successfully by reviewing any of the following: Review the timestamp on the files in the backup destination folder that the Backup Site Server maintenance task created. Verify that the timestamp has been updated with a time that coincides with the time when the Backup Site Server maintenance task was last scheduled to run. In the Component Status node in the Monitoring workspace, review the status messages for SMS_SITE_BACKUP. When site backup is completed successfully, you see message ID 5035, which indicates that the site backup was completed without any errors. When the Backup Site Server maintenance task is configured to create an alert if backup fails, you can check the Alerts node in the Monitoring workspace for backup failures. In <ConfigMgrInstallationFolder >\Logs, review Smsbkup.log for warnings and errors. When site backup is completed successfully, you see Backup completed with a timestamp and message ID STATMSG: ID=5035. Tip When the backup maintenance task fails, you can restart the backup task by stopping and restarting the SMS_SITE_BACKUP service.

Using Data Protection Manager to Back up Your Site Database

For Configuration Manager SP1 only: Starting in Configuration Manager SP1, you can use System Center 2012 Data Protection Manager (DPM) to back up your site database. You must create a new protection group in DPM for the site database computer. On the Select Group Members page of the Create New Protection Group Wizard, you select the SMS Writer service from the data source list, and then select the site database as an appropriate member. For more information about using DPM to back up your site database, see the Data Protection Manager Documentation Library on TechNet. Important Configuration Manager does not support DPM backup for a SQL Server cluster that uses a named instance, but does support DPM backup on a SQL Server cluster that uses the default instance of SQL Server. After you restore the site database, follow the steps in Setup to recover the site. Select the Use a site database that has been manually recovered recovery option to use the site database that you recovered by using Data Protection Manager.
789

Archiving the Backup Snapshot

The first time the Backup Site Server maintenance task runs, it creates a backup snapshot, which you can use to recover your site server in case of a failure. When the backup task runs again during subsequent cycles, it creates a new backup snapshot that overwrites the previous snapshot. As a result, the site has only a single backup snapshot, and you have no way of retrieving an earlier backup snapshot. As a best practice, keep multiple archives of the backup snapshot for the following reasons: It is common for backup media to fail, get misplaced, or have only a partial backup stored on it. Recovering a failed stand-alone primary site from an older backup is better than recovering without any backup. For a site server in a hierarchy, the backup must be in the SQL Server change tracking retention period, or the backup is not required. A corruption in the site can go undetected for several backup cycles. You might have to go back several cycles and use the backup snapshot from before the site became corrupted. This applies to a stand-alone primary site and sites in a hierarchy where the backup is in the SQL Server change tracking retention period. The site might have no backup snapshot at all if, for example, the Backup Site Server maintenance task fails. Because the backup task removes the previous backup snapshot before it starts to back up the current data, there will not be a valid backup snapshot.

Using the AfterBackup.bat File

After successfully backing up the site, the Backup Site Server task automatically attempts to run a file that is named AfterBackup.bat. You must manually create the AfterBackup.bat file in <ConfigMgrInstallationFolder>\Inboxes\Smsbkup. If an AfterBackup.bat file exists, and is stored in the correct folder, the file automatically runs after the backup task is completed. The AfterBackup.bat file lets you archive the backup snapshot at the end of every backup operation, and automatically perform other post-backup tasks that are not part of the Backup Site Server maintenance task. The AfterBackup.bat file integrates the archive and the backup operations, thereby ensuring that every new backup snapshot is archived. When the AfterBackup.bat file is not present, the backup task skips it without effect on the backup operation. To verify that the site backup task successfully ran the AfterBackup.bat file, see the Component Status node in the Monitoring workspace and review the status messages for SMS_SITE_BACKUP. When the task successfully started the AfterBackup.bat command file, you see message ID 5040. Tip To create the AfterBackup.bat file to archive your site server backup files, you must use a copy command tool in the batch file such as Robocopy. For example, you could create the AfterBackup.bat file, and on the first line, you could add something similar to: Robocopy E:\ConfigMgr_Backup \\ServerName\ShareName\ConfigMgr_Backup /MIR. For more information about Robocopy, see the Robocopy command-line reference webpage. Although the intended use of the AfterBackup.bat is to archive backup snapshots, you can create an AfterBackup.bat file to perform additional tasks at the end of every backup operation.

790

Supplemental Backup Tasks

The Backup Site Server maintenance task provides a backup snapshot for the site server files and site database, but there are other items not backed up that you must consider when you create your backup strategy. Use the following sections to help you complete your Configuration Manager backup strategy.

Back Up Custom Reporting Services Reports

When you have modified predefined or created custom Reporting Services reports, creating a backup for the report server database files is an important part of your backup strategy. The report server backup must include a backup of the source files for reports and models, encryption keys, custom assemblies or extensions, configuration files, custom SQL Server views used in custom reports, custom stored procedures, and so on. Important When System Center 2012 Configuration Manager is upgraded to a newer version, the predefined reports are overwritten by new reports. If you modify a predefined report, you must back up the report before you install the new version, and then restore the report in Reporting Services. For more information about backing up your custom reports in Reporting Services, see Backup and Restore Operations for a Reporting Services Installation in the SQL Server 2008 Books Online.

Backup Content Files

The content library in Configuration Manager is the location where all content files are stored for software updates, applications, operating system deployment, and so on. The content library is located on the site server and each distribution point. The Backup Site Server maintenance task does not include a backup for the content library or the package source files. When a site server fails, the information about the content library files is restored to the site database, but you must restore the content library and package source files on the site server. Content library: The content library must be restored before you can redistribute content to distribution points. When you start content redistribution, Configuration Manager copies the files from the content library on the site server to the distribution points. The content library for the site server is in the SCCMContentLib folder, which is typically located on the drive with the most free disk space at the time that the site installed. For more information about the content library, see Introduction to Content Management in Configuration Manager. Package source files: The package source files must be restored before you can update content on distribution points. When you start a content update, Configuration Manager copies new or modified files from the package source to the content library, which in turn copies the files to associated distribution points. You can run the following query in SQL Server to find the package source location for all packages and applications: SELECT * FROM v_Package. You can identify the package source site by looking at the first three characters of the package ID. For example, if the package ID is CEN00001, the site code for the source site is CEN. When you restore the package source files, they must be restored to the same
791

location in which they were before the failure. For more information about updating content, see the Update Content on Distribution Points section in the Operations and Maintenance for Content Management in Configuration Manager topic. Verify that you include both the content library and package source locations in your file system backup for the site server.

Back Up Custom Software Updates

System Center Updates Publisher 2011 is a stand-alone tool that lets you publish custom software updates to Windows Server Update Services (WSUS), synchronize the software updates to Configuration Manager, assess software updates compliance, and deploy the custom software updates to clients. Updates Publisher 2011 uses a local database for its software update repository. When you use Updates Publisher 2011 to manage custom software updates, determine whether you have to include the Updates Publisher 2011 database in your backup plan. For more information about Updates Publisher, see System Center Updates Publisher 2011 in the System Center TechCenter Library. Use the following procedure to back up the Updates Publisher 2011 database. To back up the Updates Publisher 2011 database 1. On the computer that runs Updates Publisher, browse the Updates Publisher 2011 database file (Scupdb.sdf) in %USERPROFILE%\AppData\Local\Microsoft\System Center Updates Publisher 2011\5.00.1727.0000\. There is a different database file for each user that runs Updates Publisher 2011. 2. Copy the database file to your backup destination. For example, if your backup destination is E:\ConfigMgr_Backup, you could copy the Updates Publisher 2011 database file to E:\ConfigMgr_Backup\SCUP2011. Tip When there is more than one database file on a computer, consider storing the file in a subfolder that indicates the user profile in which the database file is associated. For example, you could have one database file in E:\ConfigMgr_Backup\SCUP2011\User1 and another database file in E:\ConfigMgr_Backup\SCUP2011\User2.

User State Migration Data

You can use Configuration Manager task sequences to capture and restore the user state data in operating system deployment scenarios where you want to retain the user state of the current operating system. The folders that store the user state data are listed in the properties for the state migration point. This user state migration data is not backed up as part of the Site Server Backup maintenance task. As part of your backup plan, you must manually back up the folders that you specify to store the user state migration data. Use the following procedure to determine the folders used to store user state migration data.
792

To determine the folders used to store user state migration data 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, and then click Servers and Site System Roles. 3. Select the site system that hosts the state migration role, and then select State migration point in Site System Roles. 4. On the Site Role tab, in the Properties group, click Properties. 5. The folders that store the user state migration data are listed in the Folder details section on the General tab.

Recover a Configuration Manager Site

A Configuration Manager site recovery is required whenever a Configuration Manager site fails or data loss occurs in the site database. Repairing and resynchronizing data are the core tasks of a site recovery and are required to prevent interruption of operations. Site recovery is started by running the Configuration Manager Setup Wizard from installation media or by configuring the unattended installation script and then using the Setup command /script option. Your recovery options vary depending on whether you have a backup of the Configuration Manager site database. Important If you run Configuration Manager Setup from the Start menu on the site server, the Recover a site option is not available. You must run Setup from installation media. Note After you restore a site database that was configured for database replicas, before you can use the database replicas you must reconfigure each database replica, recreating both the publications and subscriptions.

Determine Your Recovery Options

There are two main areas that you have to consider for Configuration Manager primary site server and central administration site recovery; the site server and the site database. Use the following sections to help you determine the options that you have to select for your recovery scenario. Important For information about secondary site recovery in Configuration Manager SP1, see the Recover a Secondary Site section. Note When a previous site recovery failed or when you are trying to recover a site that it is not completely uninstalled, you must select Uninstall a Configuration Manager site from
793

Setup before you have the option to recover the site. If the failed site has child sites, and you have to uninstall the site, you must manually delete the site database from the failed site before you select the Uninstall a Configuration Manager site option or the uninstall process fails.

Site Server Recovery Options

You must start Setup from the System Center 2012 Configuration Manager installation media, or a network shared folder that contains the source files, for the Recover a site option to be available. When you run Setup, you have the following recovery options for the failed site server: Recover the site server using an existing backup: Use this option when you have a backup of the Configuration Manager site server that was created on the site server as part of the Backup Site Server maintenance task before the site failure. The site is reinstalled, and the site settings are configured, based on the site that was backed up. Reinstall the site server: Use this option when you do not have a backup of the site server. The site server is reinstalled, and you must specify the site settings, just as you would during an initial installation. You must use the same site code and site database name that you used when the failed site was first installed to successfully recover the site. Note When Setup detects an existing Configuration Manager site on the server, you can start a site recovery, but the recovery options for the site server are limited. For example, if you run Setup on an existing site server, when you choose recovery, you can recover the site database server, but the option to recover the site server is disabled.

Site Database Recovery Options

When you run Setup, you have the following recovery options for the site database: Recover the site database using a backup set: Use this option when you have a backup of the Configuration Manager site database that was created as part of the Backup Site Server maintenance task run on the site before the site database failure. When you have a hierarchy, the changes that were made to the site database after the last site database backup are retrieved from the central administration site for a primary site, or from a reference primary site for a central administration site. When you recover the site database for a stand-alone primary site, you lose site changes after the last backup. When you recover the site database for a site in a hierarchy, the recovery behavior is different for a central administration site and primary site, and when the last backup is inside or outside of the SQL Server change tracking retention period. For more information, see the Site Database Recovery Scenarios section in this topic. Note The recovery fails if you select to restore the site database by using a backup set, but the site database already exists. Create a new database for this site: Use this option when you do not have a backup of the Configuration Manager site database. When you have a hierarchy, a new site database is
794

created, and the data is recovered by using replicated data from the central administration site for a primary site, or a reference primary site for a central administration site. This option is not available when you are recovering a stand-alone primary site or a central administration site that does not have primary sites. Use a site database that has been manually recovered: Use this option when you have already recovered the Configuration Manager site database but have to complete the recovery process. Configuration Manager can recover the site database from the Configuration Manager backup maintenance task or from a site database backup that you perform by using DPM or another process. After you restore the site database by using a method outside Configuration Manager, you must run Setup and select this option to complete the site database recovery. When you have a hierarchy, the changes that were made to the site database after the last site database backup are retrieved from the central administration site for a primary site, or from a reference primary site for a central administration site. When you recover the site database for a stand-alone primary site, you lose site changes after the last backup. Note When you use DPM to back up your site database, use the DPM procedures to restore the site database to a specified location before you continue the restore process in Configuration Manager. For more information about DPM, see the Data Protection Manager Documentation Library on TechNet. Skip database recovery: Use this option when no data loss has occurred on the Configuration Manager site database server. This option is only valid when the site database is on a different computer than the site server that you are recovering.

SQL Server Change Tracking Retention Period

Change tracking is enabled for the site database in SQL Server. Change tracking lets Configuration Manager query for information about the changes that have been made to database tables after a previous point in time. The retention period specifies how long change tracking information is retained. By default, the site database is configured to have a retention period of 5 days. When you recover a site database, the recovery process proceeds differently if your backup is inside or outsidethe retention period. For example, if your site database server fails, and your last backup is 7 days old, it is outside the retention period.

Process to Reinitialize Site or Global Data

The process to reinitialize site or global data replaces existing data in the site database with data from another site database. For example, when site ABC reinitializes data from site XYZ, the following steps occur: The data is copied from site XYZ to site ABC. The existing data for site XYZ is removed from the site database on site ABC. The copied data from site XYZ is inserted into the site database for site ABC.

795

Example Scenario 1 The primary site reinitializes the global data from the central administration site : The recovery process removes the existing global data for the primary site in the primary site database and replaces the data with the global data copied from the central administration site. Example Scenario 2 The central administration site reinitializes the site data from a primary site: The recovery process removes the existing site data for that primary site in the central administration site database and replaces the data with the site data copied from the primary site. The site data for other primary sites is not affected.

Site Database Recovery Scenarios

After a site database is restored from a backup, the Configuration Manager attempts to restore the changes in site and global data after the last database backup. The following table provides the actions that Configuration Manager starts after a site database is restored from backup.
Database backup within change tracking retention period Database backup older than change tracking retention period

Recovered site Primary site

Global data The changes in global data after the backup are replicated from the central administration site.

Site data The central administration site reinitializes the site data from the primary site. Changes after the backup are lost, but most data is regenerated by clients that send information to the primary site. The changes in site data after the backup are replicated from all primary sites.

Global data The primary site reinitializes the global data from the central administration site.

Site data The central administration site reinitializes the site data from the primary site. Changes after the backup are lost, but most data is regenerated by clients that send information to the primary site. The central administration site reinitializes the site data from each primary site.

Central administration site

The changes in global data after the backup are replicated from all primary sites.

The central administration site reinitializes the global data from the reference primary site, if you specify it. Then all other primary sites reinitialize the

796

Database backup within change tracking retention period

Database backup older than change tracking retention period

global data from the central administration site. If no reference site is specified, all primary sites reinitialize the global data from the central administration site (the data that was restored from backup).

Site Recovery Procedures

Use one of the following procedures to help you recover your site server and site database. To start a site recovery in the Setup Wizard 1. Run the Configuration Manager Setup Wizard from installation media or a shared network folder. For example, you can start the Setup wizard by using the Install option when you insert the Configuration Manager DVD. Or, you can open Setup.exe from a shared network folder to start the Setup wizard. 2. On the Getting Started page, select Recover a site, and then click Next. 3. Complete the wizard by using the options that are appropriate for your site recovery. Important During the recovery, Setup identifies the SQL Server Service Broker (SSB) port used by the SQL Server. Do not change this port setting during recovery or data replication will not work properly after the recovery completes. To start an unattended site recovery 1. Prepare the unattended installation script for the options that you require for the site recovery. 2. Run Configuration Manager Setup by using the command /script option. For example, if you named your setup initialization file ConfigMgrUnattend.ini and saved it in the C:\Temp directory of the computer on which you are running Setup, the command would be as follows: Setup /script C:\temp\ConfigMgrUnattend.ini.
797

Unattended Site Recovery Script File Keys

To perform an unattended recovery of a Configuration Manager central administration site or primary site, you can create an unattended installation script and use Setup with the /script command option. The script provides the same type of information that the Setup Wizard prompts for, except that there are no default settings. All values must be specified for the setup keys that apply to the type of recovery you are using. You can run Configuration Manager Setup unattended by using an initialization file with the /script Setup command-line option. Unattended setup is supported for recovery of a Configuration Manager central administration site and primary site. To use the /script setup command-line option, you must create an initialization file and specify the initialization file name after the /script setup command-line option. The name of the file is unimportant as long as it has the .ini file name extension. When you reference the setup initialization file from the command line, you must provide the full path to the file. For example, if your setup initialization file is named setup.ini, and it is stored in the C:\setup folder, your command line would be: setup /script c:\setup\setup.ini. Security You must have Administrator rights to run Setup. When you run Setup with the unattended script, start the Command Prompt in an Administrator context by using Run as administrator. The script contains section names, key names, and values. Required section key names vary depending on the recovery type that you are scripting. The order of the keys within sections, and the order of sections within the file, is not important. The keys are not case sensitive. When you provide values for keys, the name of the key must be followed by an equals sign (=) and the value for the key. Use the following sections to help you to create your script for unattended site recovery. The tables list the available setup script keys, their corresponding values, whether they are required, which type of installation they are used for, and a short description for the key.

Recover a Central Administration Site Unattended

Use the following section to recover a central administration site by using an unattended Setup script file.
Section Key Name Requi red Values Description

Identification

Action

Yes

RecoverCCAR

Recovers a central administration site Specifies whether Setup will recover the site server, SQL Server, or both. The
798

RecoveryOpt ServerRecoveryO ions ptions

Yes

1, 2, or 4 1 = Recovery site server and SQL Server.

Section

Key Name

Requi red

Values

Description

2 = Recover site server only. 4 = Recover SQL Server only.

associated keys are required when you set the following value for the ServerRecoveryOption s setting: Value = 1: You have the option to specify a value for the SiteServerBacku pLocation key to recover the site by using a site backup. If you do not specify a value, the site is reinstalled without restoring it from a backup set. The BackupLocation key is required when you configure a value of 10 for the DatabaseRecover yOptions key, which is to restore the site database from backup. Value = 2: You have the option to specify a value for the SiteServerBacku pLocation key to recover the site by using a site backup. If you do not specify a value, the site is
799

Section

Key Name

Requi red

Values

Description

reinstalled without restoring it from a backup set. Value = 4: The BackupLocation key is required when you configure a value of 10 for the DatabaseRecover yOptions key, which is to restore the site database from backup.

DatabaseRecover yOptions

Mayb e

10, 20, 40, 80 10 = Restore the site database from backup. 20 = Use a site database that has been manually recovered by using another method. 40 = Create a new database for the site. Use this option when there is no site database backup available. Global and site data is recovered through replication from other sites. 80 = skip database recovery.

Specifies how Setup will recover the site database in SQL Server. This key is required when the ServerRecoveryOptio ns setting has a value of 1 or 4.

ReferenceSite

Mayb e

<ReferenceSiteFQDN>

Specifies the reference primary site that the central administration site uses to recover global data if the database backup is older than the change tracking retention period or when you recover the site
800

Section

Key Name

Requi red

Values

Description

without a backup. When you do not specify a reference site and the backup is older than the change tracking retention period, all primary sites are reinitialized with the restored data from the central administration site. When you do not specify a reference site and the backup is within the change tracking retention period, only changes since the backup are replicated from primary sites. When there are conflicting changes from different primary sites, the central administration site uses the first one that it receives. This key is required when the DatabaseRecoveryO ptions setting has a value of 40. SiteServerBackup Location No <PathToSiteServerBackupS Specifies the path to et> the site server backup set. This key is optional when the ServerRecoveryOptio ns setting has a value of 1 or 2. Specify a value for the
801

Section

Key Name

Requi red

Values

Description

SiteServerBackupLo cation key to recover the site by using a site backup. If you do not specify a value, the site is reinstalled without restoring it from a backup set. BackupLocation Mayb e <PathToSiteDatabaseBack upSet> Specifies the path to the site database backup set. The BackupLocation key is required when you configure a value of 1 or 4 for the ServerRecoveryOptio ns key, and configure a value of 10 for the DatabaseRecoveryO ptions key. The Configuration Manager installation product key, including the dashes. Enter Eval can install the evaluation version of Configuration Manager. Three alpha-numeric characters that uniquely identifies the site in your hierarchy. You must specify the site code that was used by the site before the failure. For more information about site code restrictions, see the Configuration
802

Options

ProductID

Yes

xxxxx-xxxxx-xxxxx-xxxxxxxxxx Eval

SiteCode

Yes

<SiteCode>

Section

Key Name

Requi red

Values

Description

Manager Site Naming section in the Install Sites and Create a Hierarchy for Configuration Manager topic. SiteName Yes <SiteName> Description for this site. Specifies the installation folder for the Configuration Manager program files. Specifies the FQDN for the server that will host the SMS Provider. You must specify the server that hosted the SMS Provider before the failure. You can configure additional SMS Providers for the site after the initial installation. For more information about the SMS Provider, see the Site System Roles in Configuration Manager section in the Planning for Site Systems in Configuration Manager topic. PrerequisiteComp Yes 0 or 1 0 = download 1 = already downloaded Specifies whether Setup prerequisite files have already been downloaded. For
803

SMSInstallDir

Yes

<ConfigMgrInstallationPath >

SDKServer

Yes

<FQDN of SMS Provider>

Section

Key Name

Requi red

Values

Description

example, if you use a value of 0, Setup will download the files. PrerequisitePath Yes <PathToSetupPrerequisiteF Specifies the path to iles> the Setup prerequisite files. Depending on the PrerequisiteComp value, Setup uses this path to store downloaded files or to locate previously downloaded files. 0 or 1 0 = do not install 1 = install Specifies whether to install the Configuration Manager console. This key is required except when the ServerRecoveryOptio ns setting has a value of 4. Specifies whether to join the Customer Experience Improvement Program. The name of the server, or clustered instance name, running SQL Server that will host the site database. You must specify the same server that hosted the site database before the failure. The name of the SQL Server database to create or use to install
804

AdminConsole

Mayb e

JoinCEIP

Yes

0 or 1 0 = do not join 1 = join

SQLConfigO ptions

SQLServerName

Yes

<SQLServerName>

DatabaseName

Yes

<SiteDatabaseName> or <InstanceName>\<SiteData

Section

Key Name

Requi red

Values

Description

baseName>

the central administration site database. You must specify the same database name that was used before the failure. Important You must specify the instance name and site database name if you do not use the default instance.

SQLSSBPort

No

<SSBPortNumber>

Specify the SQL Server Service Broker (SSB) port used by SQL Server. Typically, SSB is configured to use TCP port 4022, but other ports are supported. You must specify the same SSB port that was used before the failure.

Recover a Primary Site Unattended

Use the following section to recover a primary site by using an unattended Setup script file.
Section Key Name Requi red Values Description

Identification

Action

Yes

RecoverPrimarySite

Recovers a primary site Specifies whether

805

RecoveryOptions

ServerRecovery

Yes

1, 2, or 4

Section

Key Name

Requi red

Values

Description

Options

1 = Recovery site server and SQL Server. 2 = Recover site server only. 4 = Recover SQL Server only.

Setup will recover the site server, SQL Server, or both. The associated keys are required when you set the following value for the ServerRecoveryOptio ns setting: Value = 1: You have the option to specify a value for the SiteServerBack upLocation key to recover the site by using a site backup. If you do not specify a value, the site is reinstalled without restoring it from a backup set. The BackupLocatio n key is required when you configure a value of 10 for the DatabaseRecov eryOptions key, which is to restore the site database from backup. Value = 2: You have the option to specify a value for the
806

Section

Key Name

Requi red

Values

Description

SiteServerBack upLocation key to recover the site by using a site backup. If you do not specify a value, the site is reinstalled without restoring it from a backup set. Value = 4: The BackupLocatio n key is required when you configure a value of 10 for the DatabaseRecov eryOptions key, which is to restore the site database from backup.

DatabaseRecove ryOptions

Mayb e

10, 20, 40, 80 10 = Restore the site database from backup. 20 = Use a site database that has been manually recovered by using another method. 40 = Create a new database for the site. Use this option when there is no site database backup available. 80 = skip database recovery.

Specifies how Setup will recover the site database in SQL Server. This key is required when the ServerRecoveryOpt ions setting has a value of 1 or 4.

SiteServerBacku pLocation

No

<PathToSiteServerBackup Specifies the path to Set> the site server

807

Section

Key Name

Requi red

Values

Description

backup set. This key is optional when the ServerRecoveryOpt ions setting has a value of 1 or 2. Specify a value for the SiteServerBackupL ocation key to recover the site by using a site backup. If you do not specify a value, the site is reinstalled without restoring it from a backup set. BackupLocation Mayb e <PathToSiteDatabaseBac kupSet> Specifies the path to the site database backup set. The BackupLocation key is required when you configure a value of 1 or 4 for the ServerRecoveryOpt ions key, and configure a value of 10 for the DatabaseRecovery Options key. The Configuration Manager installation product key, including the dashes. Enter Eval can install the evaluation version of Configuration Manager. Three alpha-numeric
808

Options

ProductID

Yes

xxxxx-xxxxx-xxxxx-xxxxxxxxxx Eval

SiteCode

Yes

<SiteCode>

Section

Key Name

Requi red

Values

Description

characters that uniquely identifies the site in your hierarchy. You must specify the site code that was used by the site before the failure. For more information about site code restrictions, see the Configuration Manager Site Naming section in the Install Sites and Create a Hierarchy for Configuration Manager topic. SiteName Yes <SiteName> Description for this site. Specifies the installation folder for the Configuration Manager program files. Specifies the FQDN for the server that will host the SMS Provider. You must specify the server that hosted the SMS Provider before the failure. You can configure additional SMS Providers for the site after the initial installation. For more information about the SMS Provider, see
809

SMSInstallDir

Yes

<ConfigMgrInstallationPat h>

SDKServer

Yes

<FQDN of SMS Provider>

Section

Key Name

Requi red

Values

Description

the Site System Roles in Configuration Manager section in the Planning for Site Systems in Configuration Manager topic. PrerequisiteCom p Yes 0 or 1 0 = download 1 = already downloaded Specifies whether Setup prerequisite files have already been downloaded. For example, if you use a value of 0, Setup will download the files. Specifies the path to the Setup prerequisite files. Depending on the PrerequisiteComp value, Setup uses this path to store downloaded files or to locate previously downloaded files. Specifies whether to install the Configuration Manager console. This key is required except when the ServerRecoveryOpt ions setting has a value of 4. Specifies whether to join the Customer Experience Improvement
810

PrerequisitePath

Yes

<PathToSetupPrerequisite Files>

AdminConsole

Mayb e

0 or 1 0 = do not install 1 = install

JoinCEIP

Yes

0 or 1 0 = do not join 1 = join

Section

Key Name

Requi red

Values

Description

Program. SQLConfigOption SQLServerName s Yes <SQLServerName> The name of the server, or clustered instance name, running SQL Server that will host the site database. You must specify the same server that hosted the site database before the failure. The name of the SQL Server database to create or use to install the central administration site database. You must specify the same database name that was used before the failure. Important You must specify the instance name and site database name if you do not use the default instance. SQLSSBPort No <SSBPortNumber> Specify the SQL Server Service Broker (SSB) port used by SQL Server. Typically, SSB is configured to use TCP port 4022, but
811

DatabaseName

Yes

<SiteDatabaseName> or <InstanceName>\<SiteDat abaseName>

Section

Key Name

Requi red

Values

Description

other ports are supported. You must specify the same SSB port that was used before the failure. HierarchyExpansi CCARSiteServer onOption Mayb e <SiteCodeForCentralAdmi nistrationSite> Specifies the central administration site that a primary site will attach to when it joins the Configuration Manager hierarchy. This setting is required if the primary site was attached to a central administration site before the failure. You must specify the site code that was used for the central administration site before the failure. Specifies the retry interval (in minutes) to attempt a connection to the central administration site after the connection fails. For example, if the connection to the central administration site fails, the primary site waits the number of minutes that you specify for CASRetryInterval, and then re-attempts
812

CASRetryInterval

No

<Interval>

Section

Key Name

Requi red

Values

Description

the connection. WaitForCASTime No out <Timeout> Specifies the maximum timeout value (in minutes) for a primary site to connect to the central administration site. For example, if a primary site fails to connect to a central administration site, the primary site retries the connection to the central administration site based on the CASRetryInterval until the WaitForCASTimeout period is reached. You can specify a value of 0 to 100.

Post-Recovery Tasks
After you recover your site, there are several post-recovery tasks that you must consider before your site recovery is completed. Use the following sections to help you complete your site recovery process.

Re-Enter User Account Passwords

After a site server recovery, passwords for the user accounts specified for the site must be reentered because they are reset during the site recovery. The accounts are listed on the Finished page of the Setup Wizard after site recovery is completed and saved to C:\ConfigMgrPostRecoveryActions.html on the recovered site server. To re-enter user account passwords after site recovery 1. Open the Configuration Manager console and connect to the recovered site. 2. In the Configuration Manager console, click Administration.
813

3. In the Administration workspace, expand Security, and then click Accounts. 4. For each account in which you have to re-enter the password, do the following: a. Select the account from the list of accounts that were identified after site recovery. You can find this list in C:\ConfigMgrPostRecoveryActions.html on the recovered site server. b. On the Home tab, in the Properties group, click Properties to open the account properties. c. On the General tab, click Set, and then re-enter the passwords for the account. d. Click Verify, select the appropriate data source for the selected user account, and then click Test connection to verify that the user account can connect to the data source. e. Click OK to save the password changes, and then click OK.

Configure SSL for Site System Roles that Use IIS

When you recover site systems that run IIS and that were configured for HTTPS before the failure, you must reconfigure IIS to use the web server certificate. For more information, see Configuring IIS to Use the Web Server Certificate in the Deploying the Web Server Certificate for Site Systems that Run IIS section in the Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority topic.

Reinstall Hotfixes in the Recovered Site Server

After a site recovery, you must reinstall any hotfixes that were applied to the site server. A list of the previously installed hotfixes are listed on the Finished page of the Setup Wizard after site recovery and saved to C:\ConfigMgrPostRecoveryActions.html on the recovered site server.

Recover Custom Reports on the Computer Running Reporting Services

When you have created custom Reporting Services reports, and Reporting Services fails, you can recover the reports when you have backed up the report server. For more information about restoring your custom reports in Reporting Services, see Backup and Restore Operations for a Reporting Services Installation in the SQL Server 2008 Books Online.

Recover Content Files

The site database contains information about where the content files are stored on the site server, but the content files are not backed up or restored as part of the backup and recovery process. To fully recover content files, you must restore the content library and package source files to the original location. There are several methods for recovering your content files, but the easiest method is to restore the files from a file system backup of the site server. If you do not have a file system backup for the package source files, you have to manually copy or download them as you did originally when you first created the package. You can run the following query in SQL Server to find the package source location for all packages and
814

applications: SELECT * FROM v_Package. You can identify the package source site by looking at the first three characters of the package ID. For example, if the package ID is CEN00001, the site code for the source site is CEN. When you restore the package source files, they must be restored to the same location in which they were before the failure. If you do not have a file system backup that contains the content library, you have the following restore options: Import a prestaged content file: When you have a Configuration Manager hierarchy, you can create a prestaged content file with all packages and applications from another location, and then import the prestaged content file to recover the content library on the site server. For more information about prestaged content files, see the Prestage Content section in the Operations and Maintenance for Content Management in Configuration Manager topic. Update content: When you start the update content action for a package or application deployment type, the content is copied from the package source to the content library. The package source files must be available in the original location for this action to finish successfully. You must perform this action on each package and application. For more information about updating content, see the Update Content on Distribution Points section in the Operations and Maintenance for Content Management in Configuration Manager topic.

Recover Custom Software Updates on the Computer Running Updates Publisher

When you have included Updates Publisher 2011 database files in your backup plan, you can recover the databases in case of a failure on the computer on which Updates Publisher 2011 runs. For more information about Updates Publisher, see System Center Updates Publisher 2011 in the System Center TechCenter Library. Use the following procedure to restore the Updates Publisher 2011 database. To restore the Updates Publisher 2011 database 1. Reinstall Updates Publisher 2011 on the recovered computer. 2. Copy the database file (Scupdb.sdf) from your backup destination to %USERPROFILE%\AppData\Local\Microsoft\System Center Updates Publisher 2011\5.00.1727.0000\ on the computer that runs Updates Publisher 2011. 3. When more than one user runs Updates Publisher 2011 on the computer, you must copy each database file to the appropriate user profile location.

User State Migration Data

As part of the state migration point site system properties, you specify the folders that store user state migration data. After you recover a server with a folder that stores user state migration data, you must manually restore the user state migration data on the server to the same folders that stored the data prior to the failure.

815

Update Certificates Used for Cloud-Based Distribution Points

For Configuration Manager SP1 only: Configuration Manager requires a management certificate that it uses for site server to cloudbased distribution point communication. After a site recovery, you must update the certificates for cloud-based distribution points. For more information, see the About Subscriptions and Certificates for Distribution Points for Windows Azure section in the Planning for Content Management in Configuration Manager topic.

Reprovision Previously Provisioned Intel AMT-Based Computers

After you have recovered the site, perform the following configuration steps: 1. Request the AMT provisioning certificate again and select it in the out of band service point properties. 2. Reconfigure the passwords for the following accounts in the out of band management component properties: The MEBx Account The AMT Provisioning Removal Account The AMT Provisioning and Discovery Accounts

For more information about how to perform these steps, see How to Provision and Configure AMT-Based Computers in Configuration Manager. Then use the following procedure to reprovision Intel AMT-based computers that were previously provisioned. To reprovision Intel AMT-based computers 1. Ensure that you have configured the AMT Provisioning Removal Account in the out of band management component properties. 2. Remove AMT provisioning information from the Intel AMT-based computers: Do not select Disable automatic provisioning. Select Use AMT Provisioning Removal Account.

For more information about how to remove AMT provisioning information, see How to Remove AMT Information. 3. Monitor the AMT status for these computers: Not Provisioned: These computers are ready to be reprovisioned by Configuration Manager. Detected: These computers cannot be reprovisioned by Configuration Manager. If Configuration Manager cannot remove the AMT provisioning information, you must manually remove this information by configuring the BIOS extensions on the computer. Note The AMT Provisioning Removal Account cannot remove provisioning information if the audit trail is enabled and unlocked, or if the account that is
816

configured for the AMT Provisioning Removal Account is not an AMT User Account on that computer. 4. Ensure that the Enable provisioning for AMT-based computers check box is selected on the Out of Band Management tab in the collection properties. 5. Confirm that the AMT status changes to Provisioned. You can also run the View the Computers with out of band management controllers report to confirm the AMT provisioning status.

Recover a Secondary Site

For Configuration Manager SP1 only: Secondary site recovery is required when a Configuration Manager secondary site fails. You can recover a secondary site by using the Recover Secondary Site action from the Sites node in the Configuration Manager console. Unlike recovery for a central administration site or primary site, recovery for a secondary site does not use a backup file. Instead, Configuration Manager installs the secondary site files on the failed secondary site computer and then the secondary site data is reinitialized with data from the parent primary site. During the recovery process, Configuration Manager verifies that the content library exists on the secondary site computer and that the appropriate content is available. The secondary site will use the content library, if it exists on the computer and contains the appropriate content. Otherwise, to recover the content library you must redistribute or prestage the content to the secondary site. For more information, see Operations and Maintenance for Content Management in Configuration Manager. When you have a distribution point that is not on the secondary site, you are not required to reinstall the distribution point during a recovery of the secondary site. After the secondary site recovery, the site automatically synchronizes with the distribution point. You can verify the status of the secondary site recovery, by using the Show Install Status action from the Sites node in the Configuration Manager console. Important You must use a computer with the same configuration as the failed computer, such as its FQDN, to successfully recover the secondary site. The computer must also meet all secondary site prerequisites and have appropriate security rights configured. Also, use the same installation path that was used for the failed site. Important During a secondary site recovery, Configuration Manager does not install SQL Server Express if it is not installed on the computer. Therefore, before you recover a secondary site, you must manually install SQL Server Express or SQL Server. You must use the same version of SQL Server and the same instance of SQL Server that you used for the secondary site database before the failure.

See Also
Operations and Maintenance for Site Administration in Configuration Manager
817

Update System Center 2012 Configuration Manager

To update System Center 2012 Configuration Manager, you can install a cumulative update or a service pack: A cumulative update provides a rollup of multiple updates for the current product version. A service pack upgrades Configuration Manager to a new version of the product. For information about upgrading Configuration Manager, see Planning to Upgrade System Center 2012 Configuration Manager. Note This topic provides general guidance about how to update System Center 2012 Configuration Manager. For details about a specific update, refer to its corresponding Knowledge Base (KB) article at Microsoft Support. Use the following information to help you install updates for Configuration Manager: About Cumulative Updates for Configuration Manager About Update Bundles for Configuration Manager How to Install Updates Use Updates Publisher 2011 to Install Updates Use Software Deployment to Install Updates Create Collections for Deploying Updates to Configuration Manager Deploy Updates for Configuration Manager

About Cumulative Updates for Configuration Manager

In System Center 2012 Configuration Manager, you install cumulative updates to update Configuration Manager sites and clients. Cumulative updates for Configuration Manager are similar to cumulative updates for other Microsoft products, such as SQL Server. Cumulative updates include one or more fixes for a specific version of Configuration Manager. Each new cumulative update is described in a Microsoft Knowledge Base article. Typically, cumulative updates release quarterly, but this schedule is subject to change, based on the volume and nature of the issues that are addressed. When you install a cumulative update for Configuration Manager, the update installs an update bundle. Update bundles contain the update files for one or more components of Configuration Manager. You can install a cumulative update on the site server of a central administration site or primary site.

818

About Update Bundles for Configuration Manager

When you run a cumulative update for Configuration Manager on a site server, it installs and runs an update bundle. Update bundles can run on a central administration site server, a primary site server, a secondary site server, or a computer that runs an instance of the SMS Provider. However, if you plan to create deployments to install updates on additional computers, you must install the update bundle on a central administration site server or primary site server. An update bundle contains fixes for Configuration Manager. When the update bundle runs, it extracts the update files for each applicable component from the update bundle, and then starts a wizard that guides you through a process to configure the updates and deployment options for the updates. When you complete the wizard, the updates in the bundle that apply to the site server are installed on the site server. However, the wizard also creates deployments that you can use to install the updates on additional computers. You deploy the updates to additional computers by using a supported deployment method, such as a software deployment package or Microsoft System Center Updates Publisher 2011. When the wizard runs, it creates a .cab file on the site server for use with Updates Publisher 2011. Optionally, you can configure the wizard to also create one or more packages for software deployment. You can use these deployments to install updates on components, such as clients or the Configuration Manager console. You can also install updates manually on computers that do not run the Configuration Manager client. The following three groups in Configuration Manager can be updated: System Center 2012 Configuration Manager server roles, which include: Central administration site Primary site Secondary site Remote SMS Provider Note Updates for site system roles, including updates for the site database, are installed as part of the update for site servers. With Configuration Manager SP1, updates for site system roles include updates that apply to cloud-based distribution points. However, updates that apply to a pulldistribution point, install as an update for the Configuration Manager client and not as an update for site system roles. System Center 2012 Configuration Manager console System Center 2012 Configuration Manager client

Each updates bundle for Configuration Manager is a self-extractable .exe file (SFX) that contains the files that are necessary to install the update on the applicable components of Configuration Manager. Typically, the SFX file can contain the following files.
File More information

<Product>-<service pack>-<cumulative update

This is the update file. The command line for

819

File

More information

version>-<KB article ID>-<platform><language>.msi

this file is managed by Updatesetup.exe. For example: configMgr-2012-rtm-cu1-kb1234567-x64enu.msi

Updatesetup.exe

This .msi wrapper manages the installation of the update bundle. When you run the update, Updatesetup.exe detects the display language of the computer where it runs. By default, the user interface for the update is in English. However, when the display language is supported, the user interface displays in the computer's local language.

License_<language>.rtf

When applicable, each update contains one or more license files for supported languages. When the update applies to the Configuration Manager console or clients, the update bundle includes separate Windows Installer patch (.msp) files. For example: Configuration Manager console update: ConfigMgr2012AdminUI-RTM-cu1kb1234567-i386.msp ConfigMgr2012ac-RTM-cu1-kb1234567i386.msp ConfigMgr2012ac-RTM-cu1-kb1234567x64.msp

<Product&updatetype><servicepack><cumulative update version><KB article ID>-<platform>.msp

Client update:

By default, the update bundle logs its actions to a .log file on the site server. The log file has the same name as the update bundle and is written to the %SystemRoot%/Temp folder. When you run the update bundle, it extracts a file with the same name as the update bundle to a temporary folder on the computer, and then runs Updatesetup.exe. Updatesetup.exe starts the Cumulative Update <number> for System Center 2012 Configuration Manager <Service pack> <KB Number> Wizard. The wizard creates a series of folders under the System Center 2012 Configuration Manager installation folder on the site server. The folder structure resembles the following: \\<Server Name>\SMS_<Site Code>\Hotfix\<KB Number>\<Update Type>\<Platform>.
820

The following table provides details about the folders in the folder structure.
Folder name More information

<Server name>

This is the name of the site server where you run the update bundle. This is the share name of the System Center 2012 Configuration Manager installation folder. This is the ID number of the Knowledge Base article for this update bundle. These are the types of updates for Configuration Manager. The wizard creates a separate folder for each type of update that is contained in the update bundle. The folder names represent the update types. They include the following: Server: Includes updates to site servers, site database servers, and computers that run the SMS Provider. Client: Includes updates to the Configuration Manager client. AdminConsole: Includes updates to the Configuration Manager console

SMS_<Site Code>

<KB Number>

<Update type>

In addition to the preceding update types, the wizard creates a folder named SCUP. This folder does not represent an update type, but instead contains the .cab file for Updates Publisher 2011. <Platform> This is a platform-specific folder. It contains update files that are specific to a type of processor. These folders include: x64 I386

To help you to deploy the updates to computers other than the site server where you run the update bundle, the wizard can create a software deployment package for each category of components that are included in the update (site server and computers that run the SMS Provider, Configuration Manager console, and clients). You can then deploy each package to computers that run the Configuration Manager client. Also, the wizard always creates a .cab
821

file that you can import to Updates Publisher 2011 in case you choose to use Updates Publisher 2011. For information about how to use the package to deploy the updates, see the Use Software Deployment to Install Updates section in this topic. For information about how to use Updates Publisher 2011 to deploy the updates, see the Use Updates Publisher 2011 to Install Updates section in this topic.

How to Install Updates

To install updates, you must first install the update bundle on a site server. When you install an update bundle, it starts the Cumulative Update <Number> for System Center 2012 Configuration Manager <Service Pack> <KB Number> Wizard. This wizard does the following: Extracts the update files Helps you to configure deployments Installs applicable updates on the server components of the local computer

After you install the update bundle on a site server, you can then update additional components for Configuration Manager. The following table describes update actions for these various components.
Component Instructions

Site server

Deploy updates to a remote site server when you do not choose to install the update bundle directly on that remote site server. For remote site servers, deploy server updates that include an update to the site database if you do not install the update bundle directly on that remote site server. After initial installation of the Configuration Manager console, you can install updates for the Configuration Manager console on each computer that runs the console. You cannot modify the Configuration Manager console installation files to apply the updates during the initial installation of the console. Install updates for each instance of the SMS Provider that runs on a computer other than the site server where you installed the update bundle. After initial installation of the Configuration Manager client, you can install updates for the Configuration Manager client on each computer
822

Site database

Configuration Manager console

Remote SMS Provider

Configuration Manager clients

Component

Instructions

that runs the client.

Note You can deploy updates only to computers that run the Configuration Manager client. If you reinstall a client, Configuration Manager console, or SMS Provider, you must also reinstall the updates for these components. Use the information in the following sections to install updates on the each of the components for Configuration Manager.

Update Servers
Updates for servers can include updates for sites, the site database, and computers that run an instance of the SMS Provider. Use the information in the following sections to help you update each type of server component.

Update a Site
To update a Configuration Manager site, you can install the update bundle directly on the site server, or you can deploy the updates to a site server after you install the update bundle on a different site. When you install an update on a site server, the update installation process manages additional actions that are required to apply the update, such as updating site system roles. The exception to this is the site database. The following section contains information about how to update the site database.

Update a Site Database

To update the site database, the installation process runs a file named update.sql on the site database. You can configure the update process to automatically update the site database, or you can manually update the site database later. Automatic Update of the Site Database When you install the update bundle on a site server, you can choose to automatically update the site database when the server update is installed. This decision applies only to the site server where you install the update bundle and does not apply to deployments that are created to install the updates on remote site servers. Note When you choose to automatically update the site database, the process updates a database regardless whether the database is located on the site server or on a remote computer. Important
823

Before you update the site database, create a backup of the site database. You cannot uninstall an update to the site database. For information about how to create a backup for Configuration Manager, see Backup and Recovery in Configuration Manager in the Site Administration for System Center 2012 Configuration Manager guide. Manual Update of the Site Database If you choose not to automatically update the site database when you install the update bundle on the site server, the server update does not modify the database on the site server where the update bundle runs. However, deployments that use the package that is created for software deployment or that Updates Publisher 2011 installs always update the site database. Warning When the update includes updates to both the site server and the site database, the update is not functional until the update is completed for both the site server and site database. Until the update applies to the site database, the site is in an unsupported state. To manually update a site database, use SQL Server Management Studio to connect to the site's SQL Server, and then run the update script named update.sql on that site's database. When the update bundle installs, it extracts update.sql to the following location on the site server: \\<Server Name>\SMS_<Site Code>\Hotfix\<KB Number>\update.sql. For information about how to run a script to update a SQL Server database, see the documentation for the version of SQL Server that you use for your site database server.

Update a Computer that Runs the SMS Provider

After you install an update bundle that includes updates for the SMS Provider, you must deploy the update to each computer that runs the SMS Provider. The only exception to this is the instance of the SMS Provider that was previously installed on the site server where you install the update bundle. The local instance of the SMS Provider on the site server is updated when you install the update bundle. If you remove and then reinstall the SMS Provider on a computer, you must then reinstall the update for the SMS Provider on that computer.

Update Clients
After the initial installation of the client on a computer, you can update the client. You can deploy updates with Updates Publisher 2011 or a software deployment package, or you can choose to manually install the update on each client. For more information about how to use deployments to install updates, see the Deploy Updates for Configuration Manager section in this topic. Important

824

When you install updates for clients and the update bundle includes updates for servers, be sure to also install the server updates on the primary site to which the clients are assigned. To manually install the client update, on each Configuration Manager client, you must run Msiexec.exe and reference the platform-specific client update .msp file. For example, you can use the following command line for a client update. This command line runs MSIEXEC on the client computer and references the .msp file that the update bundle extracted on the site server: msiexec.exe /p \\<ServerName>\SMS_<SiteCode>\Hotfix\<KB Number>\Client\<Platform>\<msp> /L*v <logfile>REINSTALLMODE=mous REINSTALL=ALL

Update Configuration Manager Consoles

To update a Configuration Manager console, you must install the update on the computer that runs the console after the console installation is finished. Important When you install updates for the Configuration Manager console, and the update bundle includes updates for servers, be sure to also install the server updates on the site that you use with the Configuration Manager console. If the computer that you update runs the Configuration Manager client, you can use a deployment to install the update. Alternately, you can manually install the update on each computer. For more information about how to use deployments to install updates, see the Deploy Updates for Configuration Manager section in this topic. To manually install the Configuration Manager console update, on each computer that runs the Configuration Manager console, you must run Msiexec.exe and reference the Configuration Manager console update .msp file. For example, you can use the following command line to update a Configuration Manager console. This command line runs MSIEXEC on the computer and references the .msp file that the update bundle extracted on the site server: msiexec.exe /p \\<ServerName>\SMS_<SiteCode>\Hotfix\<KB Number>\AdminConsole\<Platform>\<msp> /L*v <logfile>REINSTALLMODE=mous REINSTALL=ALL

Deploy Updates for Configuration Manager

After you install the update bundle on a site server, you can deploy updates to additional computers. Use the information in the following sections to configure deployments to distribute updates for Configuration Manager.

825

Use Updates Publisher 2011 to Install Updates

When you install the update bundle on a site server, the Cumulative Update <number> for System Center 2012 Configuration Manager <service pack> <KB Number> Wizard creates a catalog file for Updates Publisher 2011 that you can use to deploy the updates to applicable computers. The wizard always creates this catalog, even when you select the option Use package and program to deploy this update. The catalog for Updates Publisher 2011 is named SCUPCatalog.cab and can be found in the following location on the computer where the update bundle runs: \\<ServerName>\SMS_<SiteCode>\Hotfix\<KB Number>\SCUP\SCUPCatalog.cab Important Because the SCUPCatalog.cab file is created by using paths that are specific to the site server where the update bundle is installed, it cannot be used on other site servers. After the wizard is finished, you can import the catalog to Updates Publisher 2011, and then use Configuration Manager software updates to deploy the updates. For information about Updates Publisher 2011, see Updates Publisher 2011 in the TechNet library for System Center 2012. For information about software updates in Configuration Manager, see Software Updates in Configuration Manager in the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide. Use the following procedure to import the SCUPCatalog.cab file to Updates Publisher 2011 and publish the updates. To import the updates to Updates Publisher 2011 1. Start the Updates Publisher 2011 console and click Import. 2. On the Import Type page of the Import Software Updates Catalog Wizard, select Specify the path to the catalog to import, and then specify the SCUPCatalog.cab file. 3. Click Next, and then click Next again. 4. In the Security Warning - Catalog Validation dialog box, click Accept. Close the wizard after it is finished. 5. In the Updates Publisher 2011 console, select the update that you want to deploy, and then click Publish. 6. On the Publish Options page of the Publish Software Updates Wizard, select Full Content, and then click Next. 7. Complete the wizard to publish the updates. After you import the updates to Updates Publisher 2011, you can use Configuration Manager software updates to deploy the custom updates to client computers.

Use Software Deployment to Install Updates

When you install the update bundle on the site server of a primary site or central administration site, you can configure the Cumulative Update <number> for System Center 2012 Configuration
826

Manager <service pack> <KB Number> Wizard to create update packages for software deployment. You can then deploy each package to a collection of computers that you want to update. To create a software deployment package, on the Configure Software Update Deployment page of the wizard, select the check box for each update package type that you want to update. The available types can include servers, Configuration Manager consoles, and clients. A separate package is created for each type of update that you select. Note The package for servers contains updates for the following components: Site server SMS Provider Site database

Next, on the Configure Software Update Deployment Method page of the wizard, select the option I will use software distribution. This selection directs the wizard to create the software deployment packages. Note The wizard always creates a .cab file for Updates Publisher 2011. However, if you select I will use System Center Updates Publisher, the wizard does not create software deployment packages. After the wizard is finished, you can view the packages that it creates in the Configuration Manager console in the Packages node in the Software Library workspace. You can then use your standard process to deploy software packages to Configuration Manager clients. When a package runs on a client, it installs the updates to the applicable components of Configuration Manager on the client computer. For information about how to deploy packages to Configuration Manager clients, see How to Deploy Packages and Programs in Configuration Manager in the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide.

Create Collections for Deploying Updates to Configuration Manager

You can deploy specific updates to applicable clients. The following information can help you to create device collections for the different components for Configuration Manager.
Component of Configuration Manager Instructions

Central administration site server

Create a direct membership query and add the central administration site server computer. Create a direct membership query and add each primary site server computer.
827

All primary site servers

Component of Configuration Manager

Instructions

All secondary site servers

Create a direct membership query and add each secondary site server computer. Create a collection with the following query criteria: Select * from SMS_R_System inner join SMS_G_System_SYSTEM on SMS_G_System_SYSTEM.ResourceID = SMS_R_System.ResourceId where SMS_G_System_SYSTEM.SystemType = "X86-based PC"

All x86 clients

All x64 clients

Create a collection with the following query criteria: Select * from SMS_R_System inner join SMS_G_System_SYSTEM on SMS_G_System_SYSTEM.ResourceID = SMS_R_System.ResourceId where SMS_G_System_SYSTEM.SystemType = "X64-based PC"

All computers that run the Configuration Manager console Remote computers that run an instance of the SMS Provider

Create a direct membership query and add each computer. Create a direct membership query and add each computer.

Note To update a site database, deploy the update to the site server for that site. For information about how to create collections, see How to Create Collections in Configuration Manager in the Assets and Compliance in System Center 2012 Configuration Manager guide.

See Also
Operations and Maintenance for Site Administration in Configuration Manager

Reporting in Configuration Manager

Reporting in Microsoft System Center 2012 Configuration Manager provides a set of tools and resources that help you use the advanced reporting capabilities of Microsoft SQL Server Reporting Services in the Configuration Manager console.
828

Reporting Topics
The following topics help you manage reporting in System Center 2012 Configuration Manager: Introduction to Reporting in Configuration Manager Planning for Reporting in Configuration Manager Configuring Reporting in Configuration Manager Operations and Maintenance for Reporting in Configuration Manager Security and Privacy for Reporting in Configuration Manager Technical Reference for Reporting in Configuration Manager

Other Resources for this Product

TechNet Library main page for System Center 2012 Configuration Manager Site Administration for System Center 2012 Configuration Manager

Introduction to Reporting in Configuration Manager

Reporting in System Center 2012 Configuration Manager provides a set of tools and resources that help you use the advanced reporting capabilities of SQL Server Reporting Services (SSRS) and the rich authoring experience that Reporting Services Report Builder provides. Reporting helps you gather, organize, and present information about users, hardware and software inventory, software updates, applications, site status, and other Configuration Manager operations in your organization. Reporting provides you with a number of predefined reports that you can use without changes, or that you can modify to meet your requirements, and you can create custom reports. Use the following sections to help you manage reporting in Configuration Manager: SQL Server Reporting Services Reporting Services Point Configuration Manager Reports Creating and Modifying Reports Running Reports Report Prompts Report Links

Report Folders Report Subscriptions Report Builder Whats New in Configuration Manager Whats New in Configuration Manager SP1
829

SQL Server Reporting Services

SQL Server Reporting Services provides a full range of ready-to-use tools and services to help you create, deploy, and manage reports for your organization and programming features that enable you to extend and customize your reporting functionality. Reporting Services is a serverbased reporting platform that provides comprehensive reporting functionality for a variety of data sources. Configuration Manager uses SQL Server Reporting Services as its reporting solution. Integration with Reporting Services provides the following advantages: Uses an industry standard reporting system to query the Configuration Manager database. Displays reports by using the Configuration Manager Report Viewer or by using Report Manager, which is a web-based connection to the report. Provides high performance, availability, and scalability. Provides subscriptions to reports that users can subscribe to; for example, a manager could subscribe to automatically receive an emailed report each day that details the status of a software update rollout. Exports reports that users can select in a variety of popular formats.

For more information about Reporting Services, see SQL Server Reporting Services in the SQL Server 2008 Books Online.

Reporting Services Point

The reporting services point is a site system role that is installed on a server that is running Microsoft SQL Server Reporting Services. The reporting services point copies the Configuration Manager report definitions to Reporting Services, creates report folders based on report categories, and sets security policy on the report folders and reports based on the role-based permissions for Configuration Manager administrative users. In a 10-minute interval, the reporting services point connects to Reporting Services to reapply the security policy if it has been changed, for example, by using Report Manager. For more information about how to plan for and install a reporting services point, see the following documentation: The Determine Where to Install the Reporting Services Point section in the Planning for Reporting in Configuration Manager topic. The Install a Reporting Services Point section in the Configuring Reporting in Configuration Manager topic.

Configuration Manager Reports

Configuration Manager provides report definitions for over 400 reports in over 50 report folders, which are copied to the root report folder in SQL Server Reporting Services during the reporting services point installation process. The reports are displayed in the Configuration Manager console and organized in subfolders based on the report category. Reports are not propagated up or down the Configuration Manager hierarchy; they run only against the database of the site in which they are created. However, because Configuration Manager replicates global data
830

throughout the hierarchy, you have access to hierarchy-wide information. When a report retrieves data from a site database, it has access to site data for the current site and child sites, and global data for every site in the hierarchy. Like other Configuration Manager objects, an administrative user must have the appropriate permissions to run or modify reports. To run a report, an administrative user must have the Run Report permission for the object. To create or modify a report, an administrative user must have the Modify Report permission for the object.

Creating and Modifying Reports

Configuration Manager uses Microsoft SQL Server Report Builder as the exclusive authoring and editing tool for model-based and SQL-based reports. When you create or edit a report in the Configuration Manager console, Report Builder opens. For more information about managing reports, see the Manage Configuration Manager Reports section in the Operations and Maintenance for Reporting in Configuration Manager topic.

Running Reports
When you run a report in the Configuration Manager console, Report Viewer opens and connects to Reporting Services. After you specify any required report parameters, Reporting Services then retrieves the data and displays the results in the viewer. You can also connect to the SQL Services Reporting Services, connect to the data source for the site, and run reports.

Report Prompts
A report prompt or report parameter in Configuration Manager is a report property that you can configure when a report is created or modified. Report prompts are created to limit or target the data that a report retrieves. A report can contain more than one prompt as long as the prompt names are unique and contain only alphanumeric characters that conform to the SQL Server rules for identifiers. When you run a report, the prompt requests a value for a required parameter and, based on the value, retrieves the report data. For example, the Computer information for a specific computer report retrieves the computer information for a specific computer and prompts the administrative user for a computer name. Reporting Services passes the specified value to a variable that is defined in the SQL statement for the report.

Report Links
Report links in Configuration Manager are used in a source report to provide administrative users with easy access to additional data, such as more detailed information about each of the items in the source report. If the destination report requires one or more prompts to run, the source report must contain a column with the appropriate values for each prompt. You must specify the column number that provides the value for the prompt. For example, you might link a report that lists computers that were discovered recently to a report that lists the last messages that were received for a specific computer. When the link is created, you might specify that column 2 in the
831

source report contains computer names, which is a required prompt for the destination report. When the source report is run, link icons appear to the left of each row of data. When you click the icon on a row, Report Viewer passes the value in the specified column for that row as the prompt value that is required to display the destination report. A report can be configured with only one link, and that link can connect only to a single destination resource. Warning If you move a destination report to a different report folder, the location for the destination report changes. The report link in the source report is not automatically updated with the new location, and the report link will not work in the source report.

Report Folders
Report folders in System Center 2012 Configuration Manager provide a method to sort and filter reports that are stored in Reporting Services. Report folders are particularly useful when you have many reports to manage. When you install a reporting services point, reports are copied to Reporting Services and organized into more than 50 report folders. The report folders are readonly. You cannot modify them in the Configuration Manager console.

Report Subscriptions
A report subscription in Reporting Services is a recurring request to deliver a report at a specific time or in response to an event, and in an application file format that you specify in the subscription. Subscriptions provide an alternative to running a report on demand. On-demand reporting requires that you actively select the report each time you want to view the report. In contrast, subscriptions can be used to schedule and then automate the delivery of a report. You can manage report subscriptions in the Configuration Manager console. They are processed on the report server. The subscriptions are distributed by using delivery extensions that are deployed on the server. By default, you can create subscriptions that send reports to a shared folder or to an email address. For more information about managing report subscriptions, see the Manage Report Subscriptions section in the Operations and Maintenance for Reporting in Configuration Manager topic.

Report Builder
Configuration Manager uses Microsoft SQL Server Reporting Services Report Builder as the exclusive authoring and editing tool for both model-based and SQL-based reports. When you initiate the action to create or edit a report in the Configuration Manager console, Report Builder opens. When you create or modify a report for the first time, Report Builder is installed automatically. Starting in Configuration Manager SP1, the version of Report Builder associated with the installed version of SQL Server opens when you run or edit reports. Important
832

For Configuration Manager with no service pack only: By default, Configuration Manager opens the ClickOnce version of Report Builder 2.0, which installs and runs Report Builder 2.0, when you try to create a new or modify an existing report. If your report server is running SQL Server 2008 R2, the ClickOnce version of Report Builder 3.0 is installed automatically with SQL Server 2008 R2 Reporting Services. Therefore, when Configuration Manager attempts to open the ClickOnce version of Report Builder 2.0, the file will not be available and an error is displayed. For more information about how to use Report Builder 3.0, see the Configure Reporting to Use Report Builder 3.0 section in the Configuring Reporting in Configuration Manager topic. The Report Builder installation adds support for over 20 languages. When you run Report Builder, it displays data in the language of the operating system that is running on the local computer. If Report Builder does not support the language, the data is displayed in English. Report Builder supports the full capabilities of SQL Server 2008 Reporting Services, which includes the following capabilities: Delivers an intuitive report authoring environment with an appearance similar to Microsoft Office. Offers the flexible report layout of SQL Server 2008 Report Definition Language (RDL). Provides various forms of data visualization including charts and gauges. Provides richly formatted text boxes. Exports to Microsoft Word format.

You can also open Report Builder from SQL Server Reporting Services.

Report Models in SQL Server Reporting Services

SQL Reporting Services in Configuration Manager uses report models to help administrative users select items from the database to include in model-based reports. For the administrative user who is building the report, report models expose only specified views and items to choose from. To create model-based reports, at least one report model has to be available. Report models have the following features: You can give database fields and views logical business names to facilitate producing reports. Knowledge of the database structure is not required to produce reports. You can group items logically. You can define relationships between items. You can secure model elements so that administrative users can see only the data that they have permission to see.

Although Configuration Manager provides sample report models, you can also define report models to meet your own business requirements. For more information about how to create report models, see Creating Custom Report Models in SQL Server Reporting Services.

833

Whats New in Configuration Manager

Note The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide. The following items are new or have changed for reporting since Configuration Manager 2007: Configuration Manager no longer uses the reporting point; the reporting services point is the only site system role that Configuration Manager now uses for reporting. Full integration of the Configuration Manager 2007 R2 SQL Server Reporting Services solution: In addition to standard report management, Configuration Manager 2007 R2 introduced support for SQL Server Reporting Services reporting. System Center 2012 Configuration Manager integrates the Reporting Services solution, adds new functionality, and removes standard report management as a reporting solution. Report Builder 2.0 integration: System Center 2012 Configuration Manager uses Microsoft SQL Server 2008 Reporting Services Report Builder 2.0 as the exclusive authoring and editing tool for both model-based and SQL-based reports. Report Builder 2.0 is automatically installed when you create or modify a report for the first time. Report subscriptions in SQL Server Reporting Services let you configure the automatic delivery of specified reports by email or to a file share in scheduled intervals. You can run Configuration Manager reports in the Configuration Manager console by using Report Viewer, or you can run reports from a browser by using Report Manager. Both methods for running reports provide a similar experience. Reports in Configuration Manager are rendered in the locale of the installed Configuration Manager console. Subscriptions are rendered in the locale that SQL Server Reporting Services is installed. When you author a report, you can specify the assembly and expression.

Whats New in Configuration Manager SP1

The following items are new or have changed for reporting in Configuration Manager SP1: Configuration Manager SP1 supports Microsoft SQL Server 2012 Reporting Services. When Microsoft SQL Server 2012 or SQL Server 2008 R2 runs on the Reporting Services point, Configuration Manager opens Reporting Services Report Builder 3.0 when you create or modify reports. When Microsoft SQL Server 2008 runs on the Reporting Services point, Configuration Manager opens Reporting Services Report Builder 2.0 when you create or modify reports. Added links to SQL Server Reporting Services Report Manager and Report Server from the Reporting node in the Monitoring workspace.

See Also
Reporting in Configuration Manager
834

Planning for Reporting in Configuration Manager

Reporting in System Center 2012 Configuration Manager provides a set of tools and resources that help you use the advanced reporting capabilities of SQL Server Reporting Services. Use the following sections to help you plan for reporting in Configuration Manager.

Determine Where to Install the Reporting Services Point

When you run Configuration Manager reports at a site, the reports have access to the information in the site database in which it connects. Use the following sections to help you determine where to install the reporting services point and what data source to use. Note For more information about planning for site systems in Configuration Manager, see Planning for Site Systems in Configuration Manager.

Supported Site System Servers

You can install the reporting services point on a central administration site and primary sites, and on multiple site systems at a site and at other sites in the hierarchy. The reporting services point is not supported on secondary sites. The first reporting services point at a site is configured as the default report server. You can add more reporting services points at a site, but the default report server at each site is actively used for Configuration Manager reports. You can install the reporting services point on the site server or a remote site system. However, as a best practice for performance reasons, use Reporting Services on a remote site system server.

Data Replication Considerations

Configuration Manager classifies the data that it replicates as either global data or site data. Global data refers to objects that were created by administrative users and that are replicated to all sites throughout the hierarchy, while secondary sites receive only a subset of global data. Examples of global data include software deployments, software updates, collections, and rolebased administration security scopes. Site data refers to operational information that Configuration Manager primary sites and the clients that report to primary sites create. Site data replicates to the central administration site but not to other primary sites. Examples of site data include hardware inventory data, status messages, alerts, and the results from query-based collections. Site data is only visible at the central administration site and the primary site where the data originates. Consider the following factors to help you determine where to install your reporting services points:
835

A reporting services point with the central administration site database as its reporting data source has access to all global and site data in the Configuration Manager hierarchy. If you require reports that contain site data for multiple sites in a hierarchy, consider installing the reporting services point on a site system at the central administration site and use the central administration sites database as the reporting data source. A reporting services point with the child primary site database as its reporting data source has access to global data and site data for only the local primary site and any child secondary sites. Site data for other primary sites in the Configuration Manager hierarchy is not replicated to the primary site, and therefore Reporting Services cannot access it. If you require reports that contain site data for a specific primary site or global data, but you do not want the report user to have access to site data from other primary sites, install a reporting services point on a site system at the primary site and use the primary sites database as the reporting data source.

Network Bandwidth Considerations

Site system servers in the same site communicate with each other by using server message block (SMB), HTTP, or HTTPS, depending on how you configure the site. Because these communications are unmanaged and can occur at any time without network bandwidth control, review your available network bandwidth before you install the reporting services point role on a site system. Note For more information about planning for site systems, see Planning for Site Systems in Configuration Manager.

Planning for Role-Based Administration for Reports

Security for reporting is much like other objects in Configuration Manager where you can assign security roles and permissions to administrative users. Administrative users can only run and modify reports for which they have appropriate security rights. To run reports in the Configuration Manager console, you must have the Read right for the Site permission and the permissions configured for specific objects. However, unlike other objects in Configuration Manager, the security rights that you set for administrative users in the Configuration Manager console must also be configured in Reporting Services. When you configure security rights in the Configuration Manager console, the reporting services point connects to Reporting Services and sets appropriate permissions for reports. For example, the Software Update Manager security role has the Run Report and Modify Report permissions associated with it. Administrative users who are only assigned the Software Update Manager role can only run and modify reports for software updates. Reports for other objects are not displayed in the Configuration Manager console. The exception to this is that some reports are not associated with specific Configuration Manager securable objects. For these reports, the

836

administrative user must have the Read right for the Site permission to run the reports and the Modify right for the Site permission to modify the reports. For more information about security rights for reporting, see the File Installation and Report Folder Security Rights section in the Configuring Reporting in Configuration Manager topic. For more information about role-based administration in Configuration Manager, see the Planning for Role-Based Administration section in the Planning for Security in Configuration Manager topic.

Supplemental Planning Topics for Reporting

Use the following additional topics to help you plan for reporting in Configuration Manager: Prerequisites for Reporting in Configuration Manager Best Practices for Reporting

See Also
Reporting in Configuration Manager

Prerequisites for Reporting in Configuration Manager

Reporting in System Center 2012 Configuration Manager has external dependencies and dependencies within the product.

Dependencies External to Configuration Manager

The following table lists the external dependencies for reporting.
Prerequisite More information

SQL Server Reporting Services

Before you can use reporting in Configuration Manager, you must install and configure SQL Server Reporting Services. For information about planning and deploying Reporting Services in your environment, see the Reporting Services section in the SQL Server 2008 Books Online.

Site system role dependencies for the computers that run the reporting services point.

See the Prerequisites for Site System Roles section in the Supported Configurations for Configuration Manager topic.

837

Dependencies Internal to Configuration Manager

The following table lists the dependencies for reporting in Configuration Manager.
Prerequisite More information

Reporting services point

The reporting services point site system role must be configured before you can use reporting in Configuration Manager. For more information about how to install and configure a reporting services point, see Configuring Reporting in Configuration Manager.

Supported SQL Server Versions for the Reporting Services Point

The Reporting Services database can be installed on either the default instance or a named instance of a SQL Server installation. The SQL Server instance can be co-located with the site system server, or on a remote computer. The following table lists the SQL Server versions that are supported by the reporting services point.
SQL Server version Reporting Services point

SQL Server 2008 SP2 with a minimum of Cumulative Update 9 Standard Enterprise Datacenter

SQL Server 2008 SP3 with a minimum of Cumulative Update 4 Standard Enterprise Datacenter

SQL Server 2008 R2 with SP1 and with a minimum of Cumulative Update 6 Standard Enterprise Datacenter

SQL Server Express 2008 R2 with SP1 and

Not Supported
838

SQL Server version

Reporting Services point

with a minimum of Cumulative Update 4 SQL Server Express 2008 R2 with SP2 SQL Server 2012 and with a minimum of Cumulative Update 2 Standard Enterprise Not Supported

See Also
Planning for Reporting in Configuration Manager

Best Practices for Reporting

Use the following best practices for reporting in System Center 2012 Configuration Manager:

For best performance, install the reporting services point on a remote site system server
Although you can install the reporting services point on the site server or a remote site system, performance is increased when you install the reporting services point on a remote site system server.

Optimize SQL Server Reporting Services queries

Typically, any reporting delays are because of the time it takes to run queries and retrieve the results. If you are using Microsoft SQL Server, tools such as Query Analyzer and Profiler can help you optimize queries.

Schedule report subscription processing to run outside standard office hours

Whenever possible, schedule report subscription processing to run outside normal office standard hours to minimize the CPU processing on the Configuration Manager site database server. This practice also improves availability for unpredicted report requests.

839

See Also
Planning for Reporting in Configuration Manager

Configuring Reporting in Configuration Manager

Before you can create, modify, and run reports in the System Center 2012 Configuration Manager console, you must carry out a number of configuration tasks. Use the following sections in this topic to help you configure reporting in your Configuration Manager hierarchy: SQL Server Reporting Services Configure Reporting to Use Report Builder 3.0 Install a Reporting Services Point File Installation and Report Folder Security Rights Reporting Services Security Roles for Configuration Manager Verify the Reporting Services Point Installation Configure a Self-Signed Certificate for Configuration Manager Console Computers Modify Reporting Services Point Settings Configure Report Options

Before you proceed with installing and configuring Reporting Services in your hierarchy, review the following Configuration Manager reporting topics: Introduction to Reporting in Configuration Manager Planning for Reporting in Configuration Manager

SQL Server Reporting Services

SQL Server Reporting Services is a server-based reporting platform that provides comprehensive reporting functionality for a variety of data sources. The reporting services point in Configuration Manager communicates with SQL Server Reporting Services to copy Configuration Manager reports to a specified report folder, to configure Reporting Services settings, and to configure Reporting Services security settings. Reporting Services connects to the Configuration Manager site database to retrieve data that is returned when you run reports. Before you can install the reporting services point in a Configuration Manager site, you must install and configure SQL Server Reporting Services on the site system that hosts the reporting services point site system role. For information about installing Reporting Services, see the SQL Server TechNet Library. Use the following procedure to verify that SQL Server Reporting Services is installed and running correctly.

840

To verify that SQL Server Reporting Services is installed and running 1. On the desktop, click Start, click All Programs, click Microsoft SQL Server 2008 R2, click Configuration Tools, and then click Reporting Services Configuration Manager. 2. In the Reporting Services Configuration Connection dialog box, specify the name of the server that is hosting SQL Server Reporting Services, on the menu, select the instance of SQL Server on which you installed SQL Reporting Services, and then click Connect. The Reporting Services Configuration Manager opens. 3. On the Report Server Status page, verify that Report Service Status is set to Started. If it is not, click Start. 4. On the Web Service URL page, click the URL in Report Service Web Service URLs to test the connection to the report folder. The Windows Security dialog box might open and prompt you for security credentials. By default, your user account is displayed. Enter your password and click OK. Verify that the webpage opens successfully. Close the browser window. 5. On the Database page, verify that the Report Server Mode setting is configured by using Native. 6. On the Report Manager URL page, click the URL in Report Manager Site Identification to test the connection to the virtual directory for Report Manager. The Windows Security dialog box might open and prompt you for security credentials. By default, your user account is displayed. Enter your password and click OK. Verify that the webpage opens successfully. Close the browser window. Note Reporting Services Report Manager is not required for Reporting in Configuration Manager, but it is required if you want to run reports on an Internet browser or manage reports by using Report Manager. 7. Click Exit to close Reporting Services Configuration Manager.

Configure Reporting to Use Report Builder 3.0

Important This section applies only to Configuration Manager with no service pack. Starting in Configuration Manager SP1, the installed version of Report Builder opens when you run or edit reports and no manual configuration is required. By default, Configuration Manager opens the ClickOnce version of Report Builder 2.0, which installs and runs Report Builder 2.0, when you try to create a new or modify an existing report. If your report server is running SQL Server 2008 R2, the ClickOnce version of Report Builder 3.0 is installed automatically with SQL Server 2008 R2 Reporting Services. Therefore, when Configuration Manager attempts to open the ClickOnce version of Report Builder 2.0, the file will not be available and an error is displayed.

841

To create new or modify existing reports by using Report Builder 3.0, you must change the Report Builder manifest name in the registry on the computer running the Configuration Manager console. After you change the manifest name, Configuration Manager will open the ClickOnce version of Report Builder 3.0, and then install Report Builder 3.0 on the computer. Use the following procedure to change the Report Builder manifest name from Report Builder 2.0 to Report Builder 3.0. To change the Report Builder manifest name to Report Builder 3.0 1. On the computer running the Configuration Manager console, open the Windows Registry Editor. 2. Browse to HKEY_LOCAL_MACHINE/SOFTWARE/Wow6432Node/Microsoft/ConfigMgr10/Admi nUI/Reporting. 3. Double-click the ReportBuilderApplicationManifestName key to edit the value data. 4. Change ReportBuilder_2_0_0_0.application to ReportBuilder_3_0_0_0.application, and then click OK. 5. Close the Windows Registry Editor.

Install a Reporting Services Point

The reporting services point must be installed on a site to manage reports at the site. The reporting services point copies report folders and reports to SQL Server Reporting Services, applies the security policy for the reports and folders, and sets configuration settings in Reporting Services. You must configure a reporting services point before reports are displayed in the Configuration Manager console, and before you can manage the reports in Configuration Manager. The reporting services point is a site system role that must be configured on a server with Microsoft SQL Server Reporting Services installed and running. For more information about prerequisites, see Prerequisites for Reporting in Configuration Manager. Important After you install a reporting services point on a site system, do not change the URL for the report server. For example, if you create the reporting services point, and then in Reporting Services Configuration Manager you modify the URL for the report server, the Configuration Manager console will continue to use the old URL and you will be unable to run, edit, or create reports from the console. When you must change the URL report server, remove the reporting services point, change the URL, and then reinstall the reporting services point. Use the following procedure to install the reporting services point. To install the reporting services point on a site system 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, and then click Servers
842

and Site System Roles. Tip To list only site systems that host the reporting services point site role, right-click Servers and Site System Roles to select Reporting services point. 3. Add the reporting services point site system role to a new or existing site system server by using the associated step: Note For more information about configuring site systems, see Install and Configure Site System Roles for Configuration Manager. New site system: On the Home tab, in the Create group, click Create Site System Server. The Create Site System Server Wizard opens. Existing site system: Click the server on which you want to install the reporting services point site system role. When you click a server, a list of the site system roles that are already installed on the server are displayed in the results pane. On the Home tab, in the Server group, click Add Site System Role. The Add Site System Roles Wizard opens. 4. On the General page, specify the general settings for the site system server. When you add the reporting services point to an existing site system server, verify the values that you previously configured. 5. On the System Role Selection page, select Reporting services point in the list of available roles, and then click Next. 6. On the Reporting services Point page, configure the following settings: Site database server name: Specify the name of the server that hosts the Configuration Manager site database. Typically, the wizard automatically retrieves the fully qualified domain name (FQDN) for the server. To specify a database instance, use the format <Server Name>\<Instance Name>. Database name: Specify the Configuration Manager site database name, and then click Verify to confirm that the wizard has access to the site database. Security The user account that is creating the reporting services point must have Read access to the site database. If the connection test fails, a red warning icon appears. Move the cursor over this icon to read details of the failure. Correct the failure, and then click Test again. Folder name: Specify the folder name that is created and used to host the Configuration Manager reports in Reporting Services. Reporting Services server instance: Select in the list the instance of SQL Server for Reporting Services. When there is only one instance found, by default, it is listed and selected. When no instances are found, verify that SQL Server Reporting Services is installed and configured, and that the SQL Server Reporting Services service is started on the site system.
843

Security Configuration Manager makes a connection in the context of the current user to Windows Management Instrumentation (WMI) on the selected site system to retrieve the instance of SQL Server for Reporting Services. The current user must have Read access to WMI on the site system, or the Reporting Services instances cannot be retrieved. Reporting Services Point Account: Click Set, and then select an account to use when SQL Server Reporting Services on the reporting services point connects to the Configuration Manager site database to retrieve the data that are displayed in a report. Select Existing account to specify a Windows user account that has previously been configured as a Configuration Manager account, or select New account to specify a Windows user account that is not currently configured as a Configuration Manager account. Configuration Manager automatically grants the specified user access to the site database. The user is displayed in the Accounts subfolder of the Security node in the Administration workspace with the ConfigMgr Reporting Services Point account name. The specified Windows user account and password are encrypted and stored in the Reporting Services database. Reporting Services retrieves the data for reports from the site database by using this account and password. Security The account that you specify must have Log on Locally permissions on the computer hosting the Reporting Services database. 7. On the Reporting Services Point page, click Next. 8. On the Summary page, verify the settings, and then click Next to install the reporting services point. After the wizard is completed, report folders are created, and the Configuration Manager reports are copied to the specified report folders. Note When report folders are created and reports are copied to the report server, Configuration Manager determines the appropriate language for the objects. If the associated language pack is installed on the site, Configuration Manager creates the objects in the same language as the operating system running on the report server on the site. If the language is not available, the reports are created and displayed in English. When you install a reporting services point on a site without language packs, the reports are installed in English. If you install a language pack after you install the reporting services point, you must uninstall and reinstall the reporting services point for the reports to be available in the appropriate language pack language. For more information about language packs, see Technical Reference for Language Packs in Configuration Manager.

844

File Installation and Report Folder Security Rights

Configuration Manager performs the following actions to install the reporting services point and to configure Reporting Services: Security The actions in the following list are performed by using the credentials of the account that is configured for the SMS_Executive service, which typically is the site server local system account. Installs the reporting services point site role. Creates the data source in Reporting Services with the stored credentials that you specified in the wizard. This is the Windows user account and password that Reporting Services uses to connect to the site database when you run reports. Creates the Configuration Manager root folder in Reporting Services. Adds the ConfigMgr Report Users and ConfigMgr Report Administrators security roles in Reporting Services. Creates subfolders and deploys Configuration Manager reports from %ProgramFiles%\SMS_SRSRP to Reporting Services. Adds the ConfigMgr Report Users role in Reporting Services to the root folders for all user accounts in Configuration Manager that have Site Read rights. Adds the ConfigMgr Report Administrators role in Reporting Services to the root folders for all user accounts in Configuration Manager that have Site Modify rights. Retrieves the mapping between report folders and Configuration Manager secured object types (maintained in the Configuration Manager site database). Configures the following rights for administrative users in Configuration Manager to specific report folders in Reporting Services: Adds users and assigns the ConfigMgr Report Users role to the associated report folder for administrative users who have Run Report permissions for the Configuration Manager object. Adds users and assigns the ConfigMgr Report Administrators role to the associated report folder for administrative users who have Modify Report permissions for the Configuration Manager object.

Configuration Manager connects to Reporting Services and sets the permissions for users on the Configuration Manager and Reporting Services root folders and specific report folders. After the initial installation of the reporting services point, Configuration Manager connects to Reporting Services in a 10-minute interval to verify that the user rights configured on the report folders are the associated rights that are set for Configuration Manager users. When users are added or user rights are modified on the report folder by using Reporting Services Report Manager, Configuration Manager overwrites those changes by using the role-based assignments stored in the site database. Configuration Manager also removes users that do not have Reporting rights in Configuration Manager.

845

Reporting Services Security Roles for Configuration Manager

When Configuration Manager installs the reporting services point, adds the following security roles in Reporting Services: ConfigMgr Report Users: Users assigned with this security role can only run Configuration Manager reports. ConfigMgr Report Administrators: Users assigned with this security role can perform all tasks related to reporting in Configuration Manager.

Verify the Reporting Services Point Installation

After you add the reporting services point site role, you can verify the installation by looking at specific status messages and log file entries. Use the following procedure to verify that the reporting services point installation was successful. Warning You can skip this procedure if reports are displayed in the Reports subfolder of the Reporting node in the Monitoring workspace in the Configuration Manager console. To verify the reporting services point installation 1. In the Configuration Manager console, click Monitoring. 2. In the Monitoring workspace, expand System Status, and then click Component Status. 3. Click SMS_SRS_REPORTING_POINT in the list of components. 4. On the Home tab, in the Component group, click Show Messages, and then click All. 5. Specify a date and time for a period before you installed the reporting services point, and then click OK. 6. Verify that status message ID 1015 is listed, which indicates that the reporting services point was successfully installed. Alternatively, you can open the Srsrp.log file, located in <ConfigMgr Installation Path>\Logs, and look for Installation was successful. In Windows Explorer, navigate to <ConfigMgr Installation Path>\Logs. 7. Open Srsrp.log and step through the log file starting from the time that the reporting services point was successfully installed. Verify that the report folders were created, the reports were deployed, and the security policy on each folder was confirmed. Look for Successfully checked that the SRS web service is healthy on server after the last line of security policy confirmations.

846

Configure a Self-Signed Certificate for Configuration Manager Console Computers

There are many options for you to author SQL Server Reporting Services reports. When you create or edit reports in the Configuration Manager console, Configuration Manager opens Report Builder to use as the authoring environment. Regardless of how you author your Configuration Manager reports, a self-signed certificate is required for server authentication to the site database server. Configuration Manager automatically installs the certificate on the site server and the computers with the SMS Provider installed. Therefore, you can create or edit reports from the Configuration Manager console when it runs from one of these computers. However, when you create or modify reports from a Configuration Manager console that is installed on a different computer, you must export the certificate from the site server and then add it to the Trusted People certificate store on the computer that runs the Configuration Manager console. Note For more information about other report authoring environments for SQL Server Reporting Services, see Comparing Report Authoring Environments in the SQL Server 2008 Books Online. Use the following procedure as an example of how to transfer a copy of the self-signed certificate from the site server to another computer that runs the Configuration Manager console when both computers run Windows Server 2008 R2. If you cannot follow this procedure because you have a different operating system version, refer to your operating system documentation for the equivalent procedure. To transfer a copy of self-signed certificate from the site server to another computer 1. Perform the following steps on the site server to export the self-signed certificate: a. Click Start, click Run, and type mmc.exe. In the empty console, click File, and then click Add/Remove Snap-in. b. In the Add or Remove Snap-ins dialog box, select Certificates from the list of Available snap-ins, and then click Add. c. In the Certificate snap-in dialog box, select Computer account, and then click Next.

d. In the Select Computer dialog box, ensure that Local computer: (the computer this console is running on) is selected, and then click Finish. e. In the Add or Remove Snap-ins dialog box, click OK. f. In the console, expand Certificates (Local Computer), expand Trusted People, and select Certificates.

g. Right-click the certificate with the friendly name of <FQDN of site server>, click All Tasks, and then select Export. h. Complete the Certificate Export Wizard by using the default options and save the certificate with the .cer file name extension. 2. Perform the following steps on the computer that runs the Configuration Manager console
847

to add the self-signed certificate to the Trusted People certificate store: a. Repeat the preceding steps 1.a through 1.e to configure the Certificate snap-in MMC on the management point computer. b. In the console, expand Certificates (Local Computer), expand Trusted People, right-click Certificates, select All Tasks, and then select Import to start the Certificate Import Wizard. c. On the File to Import page, select the certificate saved in step 1.h, and then click Next.

d. On the Certificate Store page, select Place all certificates in the following store, with the Certificate store set to Trusted People, and then click Next. e. Click Finish to close the wizard and complete the certificate configuration on the computer.

Modify Reporting Services Point Settings

After the reporting services point is installed, you can modify the site database connection and authentication settings in the reporting services point properties. Use the following procedure to modify the reporting services point settings. To modify reporting services point settings 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, and then click Servers and Site System Roles to list the site systems. Tip To list only site systems that host the reporting services point site role, right-click Servers and Site System Roles to select Reporting services point. 3. Select the site system that hosts the reporting services point on which you want to modify settings, and then select Reporting service point in Site System Roles. 4. On the Site Role tab, in the Properties group, click Properties. 5. On the Reporting Services Point Properties dialog box, you can modify the following settings: Site database server name: Specify the name of the server that hosts the Configuration Manager site database. Typically, the wizard automatically retrieves the fully qualified domain name (FQDN) for the server. To specify a database instance, use the format <Server Name>\<Instance Name>. Database name: Specify the System Center 2012 Configuration Manager site database name, and then click Verify to confirm that the wizard has access to the site database. Security The user account that is creating the reporting services point must have Read access to the site database. If the connection test fails, a red warning
848

icon appears. Move the cursor over this icon to read details of the failure. Correct the failure, and then click Test again. User account: Click Set, and then select an account that is used when SQL Server Reporting Services on the reporting services point connects to the Configuration Manager site database to retrieve the data that are displayed in a report. Select Existing account to specify a Windows user account that has existing Configuration Manager rights or select New account to specify a Windows user account that currently does not have rights in Configuration Manager. Configuration Manager automatically grants the specified user account access to the site database. The account is displayed as the ConfigMgr SRS reporting point account in the Accounts subfolder of the Security node in the Administration workspace. The specified Windows user account and password are encrypted and stored in the Reporting Services database. Reporting Services retrieves the data for reports from the site database by using this account and password. Security When the site database is on a remote site system, the account that you specify must have the Log on Locally permission for the computer. 6. Click OK to save the changes and exit the dialog box.

Upgrading SQL Server

After you upgrade SQL Server, and SQL Server Reporting Services that is used as the data source for a reporting services point, you might experience errors when you run or edit reports from the Configuration Manager console. For reporting to work properly from the Configuration Manager console, you must remove the reporting services point site system role for the site and reinstall it. However, after the upgrade you can continue to run and edit reports successfully from an Internet browser.

Configure Report Options

Use the report options for a Configuration Manager site to select the default reporting services point that is used to manage your reports. Although you can have more than one reporting services point at a site, only the default report server selected in report options is used to manage reports. Use the following procedure to configure report options for your site. To configure report options 1. In the Configuration Manager console, click Monitoring. 2. In the Monitoring workspace, expand Reporting, and then click Reports. 3. On the Home tab, in the Settings group, click Report Options. 4. Select the default report server in the list, and then click OK. If no reporting services points are listed in the list, verify that you have a reporting services point successfully installed and configured in the site.
849

See Also
Reporting in Configuration Manager

Operations and Maintenance for Reporting in Configuration Manager

After the infrastructure is in place for reporting in Microsoft System Center 2012 Configuration Manager, there are a number of operations that you typically perform to manage reports and report subscriptions. Use the following sections in this topic to help you manage the operations for reports and report subscriptions in your Configuration Manager hierarchy: Manage Configuration Manager Reports Run a Configuration Manager Report Modify the Properties for a Configuration Manager Report Edit a Configuration Manager Report Create a Model-Based Report Create a SQL-Based Report Create a Report Subscription to Deliver a Report to a File Share Create a Report Subscription to Deliver a Report by Email

Manage Report Subscriptions

Manage Configuration Manager Reports

Configuration Manager provides over 400 predefined reports that help you gather, organize, and present information about users, hardware and software inventory, software updates, applications, site status, and other Configuration Manager operations in your organization. You can use the predefined reports as they are, or you can modify a report to meet your requirements. You can also create custom model-based and SQL-based reports to meet your requirements. Use the following sections to help you manage Configuration Manager reports.

Run a Configuration Manager Report

Reports in Configuration Manager are stored in SQL Server Reporting Services, and the data rendered in the report is retrieved from the Configuration Manager site database. You can access reports in the Configuration Manager console or by using Report Manager, which you access in a web browser. You can open reports on any computer that has access to the computer that is running SQL Server Reporting Services, and you must have sufficient rights to view the reports. When you run a report, the report title, description, and category are displayed in the language of the local operating system.
850

Warning To run reports, you must have Read rights for the Site permission and the Run Report permission that is configured for specific objects. Note Report Manager is a web-based report access and management tool that you use to administer a single report server instance on a remote location over an HTTP connection. You can use Report Manager for operational tasks, for example, to view reports, modify report properties, and manage associated report subscriptions. This topic provides the steps to view a report and modify report properties in Report Manager, but for more information about the other options that Report Manager provides, see Report Manager in SQL Server 2008 Books Online. Use the following procedures to run a Configuration Manager report. To run a report in the Configuration Manager console 1. In the Configuration Manager console, click Monitoring. 2. In the Monitoring workspace, expand Reporting, and then click Reports to list the available reports. Tip If no reports are listed, verify that the reporting services point is installed and configured. For more information, see Configuring Reporting in Configuration Manager. 3. Select the report that you want to run, and then on the Home tab, in the Report Group section, click Run to open the report. 4. When there are required parameters, specify the parameters, and then click View Report. To run a report in a web browser 1. In your web browser, enter the Report Manager URL, for example, http://Server1/Reports. You can determine the Report Manager URL on the Report Manager URL page in Reporting Services Configuration Manager. 2. In Report Manager, click the report folder for Configuration Manager, for example, ConfigMgr_CAS. Tip If no reports are listed, verify that the reporting services point is installed and configured. For more information, see Configuring Reporting in Configuration Manager. 3. Click the report category for the report that you want to run, and then click the link for the report. The report opens in Report Manager. 4. When there are required parameters, specify the parameters, and then click View
851

Report.

Modify the Properties for a Configuration Manager Report

In the Configuration Manager console, you can view the properties for a report, such as the report name and description, but to change the properties, use Report Manager. Use the following procedure to modify the properties for a Configuration Manager report. To modify report properties in Report Manager 1. In your web browser, enter the Report Manager URL, for example, http://Server1/Reports. You can determine the Report Manager URL on the Report Manager URL page in Reporting Services Configuration Manager. 2. In Report Manager, click the report folder for Configuration Manager, for example, ConfigMgr_CAS. Tip If no reports are listed, verify that the Reporting Services point is installed and configured. For more information, see Configuring Reporting in Configuration Manager 3. Click the report category for the report for which you want to modify properties, and then click the link for the report. The report opens in Report Manager. 4. Click the Properties tab. You can modify the report name and description. 5. When you are finished, click Apply. The report properties are saved on the report server, and the Configuration Manager console retrieves the updated report properties for the report.

Edit a Configuration Manager Report

When an existing Configuration Manager report does not retrieve the information that you have to have or does not provide the layout or design that you want, you can edit the report in Report Builder. Security The user account must have Site Modify permission and Modify Report permissions on the specific objects associated with the report that you want to modify. Important When Configuration Manager is upgraded to a newer version, new reports overwrite the predefined reports. If you modify a predefined report, you must back up the report before you install the new version, and then restore the report in Reporting Services. If you are making significant changes to a predefined report, consider creating a new report instead. New reports that you create before you upgrade a site are not overwritten. Use the following procedure to edit the properties for a Configuration Manager report.
852

To edit report properties 1. In the Configuration Manager console, click Monitoring. 2. In the Monitoring workspace, expand Reporting, and then click Reports to list the available reports. 3. Select the report that you want to modify, and then on the Home tab, in the Report Group section, click Edit. Enter your user account and password if you are prompted, and then click OK. If Report Builder is not installed on the computer, you are prompted to install it. Click Run to install Report Builder, which is required to modify and create reports. Important For Configuration Manager with no service pack only: If you are running SQL Server 2008 R2, you must modify the Report Builder manifest name to have Configuration Manager open Report Builder 3.0 instead of Report Builder 2.0. For more information, see the Configure Reporting to Use Report Builder 3.0 section in the Configuring Reporting in Configuration Manager topic. 4. In Report Builder, modify the appropriate report settings, and then click Save to save the report to the report server.

Create a Model-Based Report

A model-based report lets you interactively select the items you want to include in your report. For more information about creating custom report models, see Creating Custom Report Models in SQL Server Reporting Services. Security The user account must have Site Modify permission to create a new report. The user can only create a report in folders for which the user has Modify Report permissions. Use the following procedure to create a model-based Configuration Manager report. To create a model-based report 1. In the Configuration Manager console, click Monitoring. 2. In the Monitoring workspace, expand Reporting and click Reports. 3. On the Home tab, in the Create section, click Create Report to open the Create Report Wizard. 4. On the Information page, configure the following settings: Type: Select Model-based Report to create a report in Report Builder by using a Reporting Services model. Name: Specify a name for the report. Description: Specify a description for the report. Server: Displays the name of the report server on which you are creating this report.
853

Path: Click Browse to specify a folder in which you want to store the report.

Click Next. 5. On the Model Selection page, select an available model in the list that you use to create this report. When you select the report model, the Preview section displays the SQL Server views and entities that are made available by the selected report model. 6. On the Summary page, review the settings. Click Previous to change the settings or click Next to create the report in Configuration Manager. 7. On the Confirmation page, click Close to exit the wizard, and then open Report Builder to configure the report settings. Enter your user account and password if you are prompted, and then click OK. If Report Builder is not installed on the computer, you are prompted to install it. Click Run to install Report Builder, which is required to modify and create reports. Important For Configuration Manager with no service pack only: If you are running SQL Server 2008 R2, you must modify the Report Builder manifest name to have Configuration Manager open Report Builder 3.0 instead of Report Builder 2.0. For more information, see the Configure Reporting to Use Report Builder 3.0 section in the Configuring Reporting in Configuration Manager topic. 8. In Microsoft Report Builder, create the report layout, select data in the available SQL Server views, add parameters to the report, and so on. For more information about using Report Builder to create a new report, see the Report Builder Help. 9. Click Run to run your report. Verify that the report provides the information that you expect. Click Design to return to the Design view to modify the report, if needed. 10. Click Save to save the report to the report server. You can run and modify the new report in the Reports node in the Monitoring workspace.

Create a SQL-Based Report

A SQL-based report lets you retrieve data that is based on a report SQL statement. Important When you create an SQL statement for a custom report, do not directly reference SQL Server tables. Instead, reference reporting SQL Server views (view names that start with v_) from the site database. Starting in Configuration Manager SP1, you can also reference public stored procedures (stored procedure names that start with sp_) from the site database. Security The user account must have Site Modify permission to create a new report. The user can only create a report in folders for which the user has Modify Report permissions. Use the following procedure to create a SQL-based Configuration Manager report. To create a SQL-based report
854

1. In the Configuration Manager console, click Monitoring. 2. In the Monitoring workspace, expand Reporting, and then click Reports. 3. On the Home tab, in the Create section, click Create Report to open the Create Report Wizard. 4. On the Information page, configure the following settings: Type: Select SQL-based Report to create a report in Report Builder by using a SQL statement. Name: Specify a name for the report. Description: Specify a description for the report. Server: Displays the name of the report server on which you are creating this report. Path: Click Browse to specify a folder in which you want to store the report.

Click Next. 5. On the Summary page, review the settings. Click Previous to change the settings or click Next to create the report in Configuration Manager. 6. On the Confirmation page, click Close to exit the wizard and open Report Builder to configure the report settings. Enter your user account and password if you are prompted, and then click OK. If Report Builder is not installed on the computer, you are prompted to install it. Click Run to install Report Builder, which is required to modify and create reports. Important For Configuration Manager with no service pack only: If you are running SQL Server 2008 R2, you must modify the Report Builder manifest name to have Configuration Manager open Report Builder 3.0 instead of Report Builder 2.0. For more information, see the Configure Reporting to Use Report Builder 3.0 section in the Configuring Reporting in Configuration Manager topic. 7. In Microsoft Report Builder, provide the SQL statement for the report or build the SQL statement by using columns in available SQL Server views, add parameters to the report, and so on. 8. Click Run to run your report. Verify that the report provides the information that you expect. Click Design to return to the Design view to modify the report, if needed. 9. Click Save to save the report to the report server. You can run the new report in the Reports node in the Monitoring workspace.

Manage Report Subscriptions

Report subscriptions in SQL Server Reporting Services let you configure the automatic delivery of specified reports by email or to a file share at scheduled intervals. Use the Create Subscription Wizard in System Center 2012 Configuration Manager to configure report subscriptions.

855

Create a Report Subscription to Deliver a Report to a File Share

When you create a report subscription to deliver a report to a file share, the report is copied in the specified format to the file share that you specify. You can subscribe to and request delivery for only one report at a time. Unlike reports that are hosted and managed by a report server, reports that are delivered to a shared folder are static files. Interactive features that are defined for the report do not work for reports that are stored as files on the file system. Interaction features are represented as static elements. If the report includes charts, the default presentation is used. If the report links through to another report, the link is rendered as static text. If you want to retain interactive features in a delivered report, use email delivery instead. For more information about email delivery, see the Create a Report Subscription to Deliver a Report by Email later in the topic. When you create a subscription that uses file share delivery, you must specify an existing folder as the destination folder. The report server does not create folders on the file system. The folder that you specify must be accessible over a network connection. When you specify the destination folder in a subscription, use a UNC path and do not include trailing backslashes in the folder path. For example, a valid UNC path for the destination folder is: \\<servername>\reportfiles\operations\2011. Reports can be rendered in a variety of file formats, such as MHTML or Excel. To save the report in a specific file format, select that rendering format when creating your subscription. For example, choosing Excel saves the report as a Microsoft Excel file. Although you can select any supported rendering format, some formats work better than others when rendering to a file. Use the following procedure to create a report subscription to deliver a report to a file share. To create a report subscription to deliver a report to a file share 1. In the Configuration Manager console, click Monitoring. 2. In the Monitoring workspace, expand Reporting and click Reports to list the available reports. You can select a report folder to list only the reports that are associated with the folder. 3. Select the report that you want to add to the subscription, and then on the Home tab, in the Report Group section, click Create Subscription to open the Create Subscription Wizard. 4. On the Subscription Delivery page, configure the following settings: Report delivered by: Select Windows File Share to deliver the report to a file share. File Name: Specify the file name for the report. By default, the report file does not include a file name extension. Select Add file extension when created to automatically add a file name extension to this report based on the render format. Path: Specify a UNC path to an existing folder where you want to deliver this report (for example, \\<server name>\<server share>\<report folder>). Note The user name specified later on this page must have access to this server
856

share and have Write permissions on the destination folder. Render Format: Select one of the following formats for the report file: XML file with report data: Saves the report in Extensible Markup Language format. CSV (comma delimited): Saves the report in comma-separated-value format. TIFF file: Saves the report in Tagged Image File Format. Acrobat (PDF) file: Saves the report in Acrobat Portable Document Format. HTML 4.0: Saves the report as a webpage viewable only in browsers that support HTML 4.0. Internet Explorer 5 and later versions support HTML 4.0. Note If you have images in your report, the HTML 4.0 format does not include them in the file. MHTML (web archive): Saves the report in MIME HTML format (mhtml), which is viewable in many web browsers. RPL Renderer: Saves the report in Report Page Layout (RPL) format. Excel: Saves the report as a Microsoft Excel spreadsheet. Word: Saves the report as a Microsoft Word document.

User Name: Specify a Windows user account with permissions to access the destination server share and folder. The user account must have access to this server share and have Write permission on the destination folder. Password: Specify the password for the Windows user account. In Confirm Password, re-enter the password. Select one of the following options to configure the behavior when a file of the same name exists in the destination folder: Overwrite an existing file with a newer version: Specifies that when the report file already exists, the new version overwrites it. Do not overwrite an existing file: Specifies that when the report file already exists, there is no action. Increment file names as newer versions are added: Specifies that when the report file already exists, a number is added to the new report to the file name to distinguish it from other versions.

Description: Specifies the description for the report subscription.

Click Next. 5. On the Subscription Schedule page, select one of the following delivery schedule options for the report subscription: Use shared schedule: A shared schedule is a previously defined schedule that can be used by other report subscriptions. Select this check box, and then select a shared schedule in the list if any have been specified. Create new schedule: Configure the schedule on which this report runs, including the interval, start time and date, and the end date for this subscription.
857

6. On the Subscription Parameters page, specify the parameters for this report that are used when it is run unattended. When there are no parameters for the report, this page is not displayed. 7. On the Summary page, review the report subscription settings. Click Previous to change the settings or click Next to create the report subscription. 8. On the Completion page, click Close to exit the wizard. Verify that the report subscription was created successfully. You can view and modify report subscriptions in the Subscriptions node under Reporting in the Monitoring workspace.

Create a Report Subscription to Deliver a Report by Email

When you create a report subscription to deliver a report by email, an email is sent to the recipients that you configure, and the report is included as an attachment. The report server does not validate email addresses or obtain email addresses from an email server. You must know in advance which email addresses you want to use. By default, you can email reports to any valid email account within or outside of your organization. You can select one or both of the following email delivery options: Send a notification and a hyperlink to the generated report. Send an embedded or attached report. The rendering format and browser determine whether the report is embedded or attached. If your browser supports HTML 4.0 and MHTML, and you select the MHTML (web archive) rendering format, the report is embedded as part of the message. All other rendering formats (CSV, PDF, Word, and so on) deliver reports as attachments. Reporting Services does not check the size of the attachment or message before sending the report. If the attachment or message exceeds the maximum limit allowed by your mail server, the report is not delivered. Important You must configure the email settings in Reporting Services for the Email delivery option to be available. For more information about configuring the email settings in Reporting Services, see Configuring a Report Server for Email Delivery in the SQL Server Books Online. Use the following procedure to create a report subscription to deliver a report by using email. To create a report subscription to deliver a report by email In the Configuration Manager console, click Monitoring. In the Monitoring workspace, expand Reporting and click Reports to list the available reports. You can select a report folder to list the only the reports that are associated with the folder. Select the report that you want to add to the subscription, and then on the Home tab, in the Report Group section, click Create Subscription to open the Create Subscription Wizard. On the Subscription Delivery page, configure the following settings: Report delivered by: Select E-mail to deliver the report as an attachment in an
858

email message. To: Specify a valid email address to send this report to. Note You can enter multiple email recipients by separating each email address with a semicolon. Cc: Optionally, specify an email address to copy this report to. Bcc: Optionally, specify an email address to send a blind copy of this report to. Reply To: Specify the reply address to use if the recipient replies to the email message. Subject: Specify a subject line for the subscription email message. Priority: Select the priority flag for this email message. Select Low, Normal, or High. The priority setting is used by Microsoft Exchange to set a flag indicating the importance of the email message. Comment: Specify text to be added to the body of the subscription email message. Description: Specify the description for this report subscription. Include Link: Includes a URL to the subscribed report in the body of the email message. Include Report: Specify that the report is attached to the e-mail message. The format in which the report will be attached is specified in the Render Format list. Render Format: Select one of the following formats for the attached report: XML file with report data: Saves the report in Extensible Markup Language format. CSV (comma delimited): Saves the report in comma-separated-value format. TIFF file: Saves the report in Tagged Image File Format. Acrobat (PDF) file: Saves the report in Acrobat Portable Document Format. MHTML (web archive): Saves the report in MIME HTML format (mhtml), which is viewable in many web browsers. Excel: Saves the report as a Microsoft Excel spreadsheet. Word: Saves the report as a Microsoft Word document.

On the Subscription Schedule page, select one of the following delivery schedule options for the report subscription: Use shared schedule: A shared schedule is a previously defined schedule that can be used by other report subscriptions. Select this check box, and then select a shared schedule in the list if any have been specified. Create new schedule: Configure the schedule on which this report will run, including the interval, start time and date, and the end date for this subscription.

On the Subscription Parameters page, specify the parameters for this report that are used when it is run unattended. When there are no parameters for the report, this page is not displayed. On the Summary page, review the report subscription settings. Click Previous to change
859

the settings or click Next to create the report subscription. On the Completion page, click Close to exit the wizard. Verify that the report subscription was created successfully. You can view and modify report subscriptions in the Subscriptions node under Reporting in the Monitoring workspace.

See Also
Reporting in Configuration Manager

Creating Custom Report Models in SQL Server Reporting Services

Sample report models are included in Microsoft System Center 2012 Configuration Manager, but you can also define report models to meet your own business requirements, and then deploy the report model to Configuration Manager to use when you create new model-based reports. The following table provides the steps to create and deploy a basic report model. Note For the steps to create a more advanced report model, see the Steps for Creating an Advanced Report Model in SQL Server Reporting Services section in this topic.
Step Description More information

Verify that SQL Server Business Intelligence Development Studio is installed

Report models are designed and built by using SQL Server Business Intelligence Development Studio. Verify that SQL Server Business Intelligence Development Studio is installed on the computer on which you are creating the custom report model.

For more information about SQL Server Business Intelligence Development Studio, see the SQL Server 2008 documentation.

Create a report model project

A report model project For more information, see the contains the definition of the To create the report model data source (a .ds file), the project section in this topic. definition of a data source view (a .dsv file), and the report model (an .smdl file). After creating a report model project, you have to define one For more information, see the To define the data source for
860

Define a data source for a report model

Step

Description

More information

data source from which you extract business data. Typically, this is the Configuration Manager site database. Define a data source view for a report model After defining the data sources that you use in your report model project, the next step is to define a data source view for the project. A data source view is a logical data model based on one or more data sources. Data source views encapsulate access to the physical objects, such as tables and views, contained in underlying data sources. SQL Server Reporting Services generates the report model from the data source view. Data source views facilitate the model design process by providing you with a useful representation of the data that you specified. Without changing the underlying data source, you can rename tables and fields, and add aggregate fields and derived tables in a data source view. For an efficient model, add only those tables to the data source view that you intend to use. Create a report model A report model is a layer on top of a database that identifies business entities, fields, and roles. When published, by using these models, Report Builder users can develop reports without

the report model section in this topic.

For more information, see the To define the data source view for the report model section in this topic.

For more information, see the To create the report model section in this topic.

861

Step

Description

More information

having to be familiar with database structures or understand and write queries. Models are composed of sets of related report items that are grouped together under a friendly name, with predefined relationships between these business items and with predefined calculations. Models are defined by using an XML language called Semantic Model Definition Language (SMDL). The file name extension for report model files is .smdl. Publish a report model To build a report by using the model that you just created, you must publish it to a report server. The data source and data source view are included in the model when it is published. Before you can use a custom report model in the Create Report Wizard to create a model-based report, you must deploy the report model to Configuration Manager. For more information, see the To publish the report model for use in SQL Server Reporting Services section in this topic.

Deploy the report model to Configuration Manager

For more information, see the To deploy the custom report model to Configuration Manager section in this topic.

Steps for Creating a Basic Report Model in SQL Server Reporting Services
You can use the following procedures to create a basic report model that users in your site can use to build particular model-based reports based on data in a single view of the System Center 2012 Configuration Manager database. You create a report model that presents information about the client computers in your site to the report author. This information is taken from the v_R_System view in the System Center 2012 Configuration Manager database.

862

On the computer where you perform these procedures, ensure that you have installed SQL Server Business Intelligence Development Studio and that the computer has network connectivity to the reporting services point server. For detailed information about SQL Server Business Intelligence Development Studio, see the SQL Server 2008 documentation. To create the report model project 1. On the desktop, click Start, click Microsoft SQL Server 2008, and then click SQL Server Business Intelligence Development Studio. 2. After SQL Server Business Intelligence Development Studio opens in Microsoft Visual Studio, click File, click New, and then click Project. 3. In the New Project dialog box, select Report Model Project in the Templates list. 4. In the Name box, specify a name for this report model. For this example, type Simple_Model. 5. To create the report model project, click OK. 6. The Simple_Model solution is displayed in Solution Explorer. Note If you cannot see the Solution Explorer pane, click View, and then click Solution Explorer. To define the data source for the report model 1. In the Solution Explorer pane of SQL Server Business Intelligence Development Studio, right-click Data Sources to select Add New Data Source. 2. On the Welcome to the Data Source Wizard page, click Next. 3. On the Select how to define the connection page, verify that Create a data source based on an existing or new connection is selected, and then click New. 4. In the Connection Manager dialog box, specify the following connection properties for the data source: Server name: Type the name of your System Center 2012 Configuration Manager site database server, or select it in the list. If you are working with a named instance instead of the default instance, type <database server>\<instance name>. Select Use Windows Authentication. In Select or enter a database name list, select the name of your Configuration Manager site database.

5. To verify the database connection, click Test Connection. 6. If the connection succeeds, click OK to close the Connection Manager dialog box. If the connection does not succeed, verify that the information you entered is correct, and then click Test Connection again. 7. On the Select how to define the connection page, verify that Create a data source based on an existing or new connection is selected, verify that the data source you have just specified is selected in Data connections, and then click Next.
863

8. In Data source name, specify a name for the data source, and then click Finish. For this example, type Simple_Model. 9. The data source Simple_Model.ds is now displayed in Solution Explorer under the Data Sources node. Note To edit the properties of an existing data source, double-click the data source in the Data Sources folder of the Solution Explorer pane to display the data source properties in Data Source Designer. To define the data source view for the report model 1. In Solution Explorer, right-click Data Source Views to select Add New Data Source View. 2. On the Welcome to the Data Source View Wizard page, click Next. The Select a Data Source page is displayed. 3. In the Relational data sources window, verify that the Simple_Model data source is selected, and then click Next. 4. On the Select Tables and Views page, select the following view in the Available objects list to be used in the report model: v_R_System (dbo). Tip To help locate views in the Available objects list, click the Name heading at the top of the list to sort the objects in alphabetical order. 5. After selecting the view, click > to transfer the object to the Included objects list. 6. If the Name Matching page is displayed, accept the default selections, and click Next. 7. When you have selected the objects that you require, click Next, and then specify a name for the data source view. For this example, type Simple_Model. 8. Click Finish. The Simple_Model.dsv data source view is displayed in the Data Source Views folder of Solution Explorer. To create the report model 1. In Solution Explorer, right-click Report Models to select Add New Report Model. 2. On the Welcome to the Report Model Wizard page, click Next. 3. On the Select Data Source Views page, select the data source view in the Available data source views list, and then click Next. For this example, select Simple_Model.dsv. 4. On the Select report model generation rules page, accept the default values, and then click Next. 5. On the Collect Model Statistics page, verify that Update model statistics before generating is selected, and then click Next. 6. On the Completing the Wizard page, specify a name for the report model. For this example, verify that Simple_Model is displayed.
864

7. To complete the wizard and create the report model, click Run. 8. To exit the wizard, click Finish. The report model is shown in the Design window. To publish the report model for use in SQL Server Reporting Services 1. In Solution Explorer, right-click the report model to select Deploy. For this example, the report model is Simple_Model.smdl. 2. Examine the deployment status at the lower left corner of the SQL Server Business Intelligence Development Studio window. When the deployment has finished, Deploy Succeeded is displayed. If the deployment fails, the reason for the failure is displayed in the Output window. The new report model is now available on your SQL Server Reporting Services website. 3. Click File, click Save All, and then close SQL Server Business Intelligence Development Studio. To deploy the custom report model to Configuration Manager 1. Locate the folder in which you created the report model project. For example, %USERPROFILE%\Documents\Visual Studio 2008\Projects\<Project Name>. 2. Copy the following files from the report model project folder to a temporary folder on your computer: <Model Name>.dsv <Model Name>.smdl

3. Open the preceding files by using a text editor, such as Notepad. 4. In the file <Model Name>.dsv, locate the first line of the file, which reads as follows: <DataSourceView xmlns="http://schemas.microsoft.com/analysisservices/2003/engine"> Edit this line to read as follows: <DataSourceView xmlns="http://schemas.microsoft.com/analysisservices/2003/engine" xmlns:xsi="RelationalDataSourceView"> 5. Copy the entire contents of the file to the Windows Clipboard. 6. Close the file <Model Name>.dsv. 7. In the file <Model Name>.smdl, locate the last three lines of the file, which appear as follows:
</Entity> </Entities>

</SemanticModel>

8. Paste the contents of the file <Model Name>.dsv directly before the last line of the file (<SemanticModel>). 9. Save and close the file <Model Name>.smdl.
865

10. Copy the file <Model Name>.smdl to the folder %programfiles%\Microsoft Configuration Manager \AdminConsole\XmlStorage\Other on the Configuration Manager site server. Important After copying the report model file to the Configuration Manager site server, you must exit and restart the Configuration Manager console before you can use the report model in the Create Report Wizard.

Steps for Creating an Advanced Report Model in SQL Server Reporting Services
You can use the following procedures to create an advanced report model that users in your site can use to build particular model-based reports based on data in multiple views of the System Center 2012 Configuration Manager database. You create a report model that presents information about the client computers and the operating system installed on these computers to the report author. This information is taken from the following views in the System Center 2012 Configuration Manager database: V_R_System: Contains information about discovered computers and the System Center 2012 Configuration Manager client. V_GS_OPERATING_SYSTEM : Contains information about the operating system installed on the client computer.

Selected items from the preceding views are consolidated into one list, given friendly names, and then presented to the report author in Report Builder for inclusion in particular reports. On the computer where you perform these procedures, ensure that you have installed SQL Server Business Intelligence Development Studio and that the computer has network connectivity to the reporting services point server. For detailed information about SQL Server Business Intelligence Development Studio, see the SQL Server documentation. To create the report model project 1. On the desktop, click Start, click Microsoft SQL Server 2008, and then click SQL Server Business Intelligence Development Studio. 2. After SQL Server Business Intelligence Development Studio opens in Microsoft Visual Studio, click File, click New, and then click Project. 3. In the New Project dialog box, select Report Model Project in the Templates list. 4. In the Name box, specify a name for this report model. For this example, type Advanced_Model. 5. To create the report model project, click OK. 6. The Advanced_Model solution is displayed in Solution Explorer. Note If you cannot see the Solution Explorer pane, click View, and then click Solution Explorer.
866

To define the data source for the report model 1. In the Solution Explorer pane of SQL Server Business Intelligence Development Studio, right-click Data Sources to select Add New Data Source. 2. On the Welcome to the Data Source Wizard page, click Next. 3. On the Select how to define the connection page, verify that Create a data source based on an existing or new connection is selected, and then click New. 4. In the Connection Manager dialog box, specify the following connection properties for the data source: Server name: Type the name of your System Center 2012 Configuration Manager site database server, or select it in the list. If you are working with a named instance instead of the default instance, type <database server>\<instance name>. Select Use Windows Authentication. In the Select or enter a database name list, select the name of your System Center 2012 Configuration Manager site database.

5. To verify the database connection, click Test Connection. 6. If the connection succeeds, click OK to close the Connection Manager dialog box. If the connection does not succeed, verify that the information you entered is correct, and then click Test Connection again. 7. On the Select how to define the connection page, verify that Create a data source based on an existing or new connection is selected, verify that the data source you have just specified is selected in the Data connections list box, and then click Next. 8. In Data source name, specify a name for the data source and then click Finish. For this example, type Advanced_Model. 9. The data source Advanced_Model.ds is displayed in Solution Explorer under the Data Sources node. Note To edit the properties of an existing data source, double-click the data source in the Data Sources folder of the Solution Explorer pane to display the data source properties in Data Source Designer. To define the data source view for the report model 1. In Solution Explorer, right-click Data Source Views to select Add New Data Source View. 2. On the Welcome to the Data Source View Wizard page, click Next. The Select a Data Source page is displayed. 3. In the Relational data sources window, verify that the Advanced_Model data source is selected, and then click Next. 4. On the Select Tables and Views page, select the following views in the Available objects list to be used in the report model: v_R_System (dbo)
867

v_GS_OPERATING_SYSTEM (dbo)

After selecting each view, click > to transfer the object to the Included objects list. Tip To help locate views in the Available objects list, click the Name heading at the top of the list to sort the objects in alphabetical order. 5. If the Name Matching dialog box appears, accept the default selections, and click Next. 6. When you have selected the objects you require, click Next, and then specify a name for the data source view. For this example, type Advanced_Model. 7. Click Finish. The Advanced_Model.dsv data source view is displayed in the Data Source Views folder of Solution Explorer. To define relationships in the data source view 1. In Solution Explorer, double-click Advanced_Model.dsv to open the Design window. 2. Right-click the title bar of the v_R_System window to select Replace Table, and then click With New Named Query. 3. In the Create Named Query dialog box, click the Add Table icon (typically the last icon in the ribbon). 4. In the Add Table dialog box, click the Views tab, select V_GS_OPERATING_SYSTEM in the list, and then click Add. 5. Click Close to close the Add Table dialog box. 6. In the Create Named Query dialog box, specify the following information: Name: Specify the name for the query. For this example, type Advanced_Model. Description: Specify a description for the query. For this example, type Example Reporting Services report model.

7. In the v_R_System window, select the following items in the list of objects to display in the report model: ResourceID ResourceType Active0 AD_Domain_Name0 AD_SiteName0 Client0 Client_Type0 Client_Version0 CPUType0 Hardware_ID0 User_Domain0 User_Name0 Netbios_Name0
868

Operating_System_Name_and0

8. In the v_GS_OPERATING_SYSTEM box, select the following items in the list of objects to display in the report model: ResourceID Caption0 CountryCode0 CSDVersion0 Description0 InstallDate0 LastBootUpTime0 Locale0 Manufacturer0 Version0 WindowsDirectory0

9. To present the objects in these views as one list to the report author, you must specify a relationship between the two tables or views by using a join. You can join the two views by using the object ResourceID, which appears in both views. 10. In the v_R_System window, click and hold the ResourceID object and drag it to the ResourceID object in the v_GS_OPERATING_SYSTEM window. 11. Click OK. 12. The Advanced_Model window replaces the v_R_System window and contains all of the necessary objects required for the report model from the v_R_System and the v_GS_OPERATING_SYSTEM views. You can now delete the v_GS_OPERATING_SYSTEM window from the Data Source View Designer. Right-click the title bar of the v_GS_OPERATING_SYSTEM window to select Delete Table from DSV. In the Delete Objects dialog box, click OK to confirm the deletion. 13. Click File, and then click Save All. To create the report model 1. In Solution Explorer, right-click Report Models to select Add New Report Model. 2. On the Welcome to the Report Model Wizard page, click Next. 3. On the Select Data Source View page, select the data source view in the Available data source views list, and then click Next. For this example, select Simple_Model.dsv. 4. On the Select report model generation rules page, do not change the default values, and click Next. 5. On the Collect Model Statistics page, verify that Update model statistics before generating is selected, and then click Next. 6. On the Completing the Wizard page, specify a name for the report model. For this example, verify that Advanced_Model is displayed.
869

7. To complete the wizard and create the report model, click Run. 8. To exit the wizard, click Finish. 9. The report model is shown in the Design window. To modify object names in the report model 1. In Solution Explorer, right-click a report model to select View Designer. For this example, select Advanced_Model.smdl. 2. In the report model Design view, right-click any object name to select Rename. 3. Type a new name for the selected object, and then press Enter. For example, you could rename the object CSD_Version_0 to read Windows Service Pack Version. 4. When you have finished renaming objects, click File, and then click Save All. To publish the report model for use in SQL Server Reporting Services 1. In Solution Explorer, right-click Advanced_Model.smdl to select Deploy. 2. Examine the deployment status at the lower left corner of the SQL Server Business Intelligence Development Studio window. When the deployment has finished, Deploy Succeeded is displayed. If the deployment fails, the reason for the failure is displayed in the Output window. The new report model is now available on your SQL Server Reporting Services website. 3. Click File, click Save All, and then close SQL Server Business Intelligence Development Studio. To deploy the custom report model to Configuration Manager 1. Locate the folder in which you created the report model project. For example, %USERPROFILE%\Documents\Visual Studio 2008\Projects\<Project Name>. 2. Copy the following files from the report model project folder to a temporary folder on your computer: <Model Name>.dsv <Model Name>.smdl

3. Open the preceding files by using a text editor, such as Notepad. 4. In the file <Model Name>.dsv, locate the first line of the file, which reads as follows: <DataSourceView xmlns="http://schemas.microsoft.com/analysisservices/2003/engine"> Edit this line to read as follows: <DataSourceView xmlns="http://schemas.microsoft.com/analysisservices/2003/engine" xmlns:xsi="RelationalDataSourceView"> 5. Copy the entire contents of the file to the Windows Clipboard. 6. Close the file <Model Name>.dsv. 7. In the file <Model Name>.smdl, locate the last three lines of the file, which appear as
870

follows:
</Entity> </Entities>

</SemanticModel>

8. Paste the contents of the file <Model Name>.dsv directly before the last line of the file (<SemanticModel>). 9. Save and close the file <Model Name>.smdl. 10. Copy the file <Model Name>.smdl to the folder %programfiles%\Microsoft Configuration Manager\AdminConsole\XmlStorage\Other on the Configuration Manager site server. Important After copying the report model file to the Configuration Manager site server, you must exit and restart the Configuration Manager console before you can use the report model in the Create Report Wizard.

See Also
Configuring Reporting in Configuration Manager

Security and Privacy for Reporting in Configuration Manager

Note This topic appears in the Site Administration for System Center 2012 Configuration Manager guide and in the Security and Privacy for System Center 2012 Configuration Manager guide. This topic contains security best practices and privacy information for reporting in System Center 2012 Configuration Manager. Configuration Manager reports display information that is collected during standard Configuration Manager management operations. For example, you can display a report of information that has been collected from discovery or inventory. Reports can also contain the current status information for client management operations, such as deploying software, and checking for compliance. For more information about any security best practices and privacy information for Configuration Manager operations that might generate data that can be displayed in reports, see Security Best Practices and Privacy Information for Configuration Manager.

871

See Also
Reporting in Configuration Manager

Technical Reference for Reporting in Configuration Manager

This section contains technical reference information for reporting in System Center 2012 Configuration Manager.

Technical Reference Topics

There is currently no technical reference information for reporting in Configuration Manager.

Other Resources for this Product

TechNet Library main page for System Center 2012 Configuration Manager Reporting in Configuration Manager

Security and Privacy for Site Administration in Configuration Manager

Note This topic appears in the Site Administration for System Center 2012 Configuration Manager guide and in the Security and Privacy for System Center 2012 Configuration Manager guide. This section contains security and privacy information for System Center 2012 Configuration Manager sites and the hierarchy: Security Best Practices for Site Administration Security Best Practices for the Site Server Security Best Practices for SQL Server Security Best Practices for Site Systems that Run IIS Security Best Practices for the Management Point Security Best Practices for the Fallback Status Point Security Issues for Site Administration

Privacy Information for Discovery

872

Security Best Practices for Site Administration

Use the following security best practices to help you secure System Center 2012 Configuration Manager sites and the hierarchy.
Security best practice More information

Run Setup only from a trusted source and secure the communication channel between the Setup media and the site server.

To help prevent tampering of the source files, run Setup from a trusted source. If you store the files on the network, secure the network location. If you do run Setup from a network location, to help prevent an attacker from tampering with the files as they are transmitted over the network, use IPsec or SMB signing between the source location of the Setup files and the site server. In addition, if you use the Setup Downloader to download the files that are required by Setup, make sure that you also secure the location where these files are stored and secure the communication channel for this location when you run Setup.

Extend the Active Directory schema for System Center 2012 Configuration Manager and publish sites to Active Directory Domain Services.

Schema extensions are not required to run Microsoft System Center 20 12 Configuration Manager, but they do create a more secure environment because Configuration Manager clients and site servers can retrieve information from a trusted source.
873

Security best practice

More information

If clients are in an untrusted domain, deploy the following site system roles in the clients domain: Management point Distribution point Application Catalog website point Note A trusted domain for Configuration Manager requires Kerberos authentication so if clients are in another forest that does not have a two-way forest trust with the site servers forest, these clients are considered to be in untrusted domain. An external trust is not sufficient for this purpose. Use IPsec to secure communications between site system servers and sites. Although Configuration Manager does secure communication between the site server and the computer that runs SQL Server, Configuration Manager does not secure communication between site system roles and SQL Server. Only some site systems (the enrollment point and the Application Catalog web service point) can be configured for
874

Security best practice

More information

HTTPS for intrasite communication. If you do not use additional controls to secure these server-to-server channels, attackers can use various spoofing and man-in-themiddle attacks against site systems. Use SMB signing when you cannot use IPsec. Note It is particularly important to secure the communication channel between the site server and the package source server. This communication uses SMB. If you cannot use IPsec to secure this communication, use SMB signing to ensure that the files are not tampered with before clients download and run them. Do not change the security groups that Configuration Manager creates and manages for site system communication: SMS_SiteSystemToSiteServerConnection_SMSProv_< SiteCode> SMS_SiteSystemToSiteServerConnection_Stat_<SiteC ode> SMS_SiteSystemToSiteServerConnection_MP_<SiteCode> Configuration Manager automatically creates and manages these security groups. This includes removing computer accounts when a site system role is removed. To ensure service continuity and least privileges, do not manually edit these groups.
875

Security best practice

More information

If clients cannot query the Global Catalog server for Configuration Manager information, manage the trusted root key provisioning process.

If clients cannot query the Global Catalog for Configuration Manager information, they must rely on the trusted root key to authenticate valid management points. The trusted root key is stored in the client registry and can be set by using Group Policy or manual configuration. If the client does not have a copy of the trusted root key before it contacts a management point for the first time, it trusts the first management point it communicates with. To reduce the risk of an attacker misdirecting clients to an unauthorized management point, you can pre-provision the clients with the trusted root key. For more information, see Planning for the Trusted Root Key.

Use non-default port numbers.

When you use non-default port numbers, this can provide additional security because it makes it harder for attackers to explore the environment in preparation for an attack. If you decide to use non-default ports, plan for them before you install Configuration Manager and use them consistently across all sites in the hierarchy. Client
876

Security best practice

More information

request ports and Wake on LAN are examples where you can use non-default port numbers. Use role separation on site systems. Although you can install all the site system roles on a single computer, this practice is rarely used on production networks because it creates a single point of failure. When you isolate each site system role on a different server, this reduces the chance that an attack against vulnerabilities on one site system can be used against a different site system. Many site system roles require the installation of Internet Information Services (IIS) on the site system and this increases the attack surface. If you must combine site system roles to reduce hardware expenditure, combine IIS site system roles only with other site system roles that require IIS. Important The fallback status point role is an exception: Because this site system role accepts unauthenticated data from clients, the fallback status point role should
877

Reduce the attack profile.

Security best practice

More information

never be assigned to any other Configuration Manager site system role. Follow security best practices for Windows Server and run the Security Configuration Wizard on all site systems. The Security Configuration Wizard (SCW) helps you to create a security policy that you can apply to any server on your network. After you install the System Center 2012 Configuration Manager template, SCW recognizes Configuration Manager site system roles, services, ports, and applications. It then permits the communication that is required for Configuration Manager, and blocks communication that is not required. The Security Configuration Wizard is included with the toolkit for System Center 2012 Configuration Manager, which you can download from the Microsoft Download Center: System Center 2012 Configuration Manager Component Add-ons and Extensions. Configure static IP addresses for site systems. Static IP addresses are easier to protect from name resolution attacks. Static IP addresses also make the configuration of
878

Security best practice

More information

IPsec easier, which is a security best practice for securing communication between site systems in Configuration Manager. Do not install other applications on site system servers. When you install other applications on site system servers, you increase the attack surface for Configuration Manager and risk incompatibility issues. Enable the signing and encryption options for the site. Ensure that all clients can support the SHA-256 hash algorithm and then enable the option Require SHA-256. Grant administrative access to Configuration Manager only to users that you trust and then grant them minimum permissions by using the built-in security roles or by customizing the security roles. Administrative users who can create, modify, and deploy applications, task sequence, software updates, configuration items and configuration baselines, can potentially control devices in the Configuration Manager hierarchy. Periodically audit administrative user assignments and their authorization level to verify
879

Require signing and enable encryption as a site option.

Restrict and monitor Configuration Manager administrative users and use role-based administration to grant these users the minimum permissions that they require.

Security best practice

More information

required changes. For more information about configuring role-based administration, see Configure Role-Based Administration. Secure Configuration Manager backups and secure the communication channel when you backup and restore. When you back up Configuration Manager, this information includes certificates and other sensitive data that could be used by an attacker for impersonation. Use SMB signing or IPsec when you transfer this data over the network, and secure the backup location. Whenever you export or import objects from the Configuration Manager console to a network location, secure the location and secure the network channel. Restrict who can access the network folder. Use SMB signing or IPsec between the network location and the site server, and between the computer that runs the Configuration Manager console and site server to prevent an attacker from tampering with the exported data. Use IPsec to encrypt the data on the network to prevent information disclosure. To remove the PeerTrust that was originally established with the site system and site system roles, manually remove the Configuration Manager certificates for the failed server in the Trusted People certificate store on
880

If a site system fails to uninstall or stops functioning and cannot be restored, manually remove the Configuration Manager certificates for this server from other Configuration Manager servers.

Security best practice

More information

other site system servers. This is particularly important if you repurpose the server without reformatting it. For more information about these certificates, see the section Cryptographic Controls for Server Communication in Technical Reference for Cryptographic Controls Used in Configuration Manager. Do not configure Internet-based site systems to bridge the perimeter network and the intranet. Do not configure site system servers to be multihomed so that they connected to the perimeter network and the intranet. Although this configuration allows Internet-based site systems to accept client connections from the Internet and the intranet, it eliminates a security boundary between the perimeter network and the intranet. By default, site systems initiate connections to the site server to transfer data, which can be a security risk when the connection initiation is from an untrusted network to the trusted network. When site systems accept connections from the Internet or reside in an untrusted forest, configure the site system option
881

If the site system server is on an untrusted network (such as a perimeter network), configure the site server to initiate connections to the site system.

Security best practice

More information

Require the site server to initiate connections to this site system so that after the installation of the site system and any site system roles, all connections are initiated from the trusted network. If you use a web proxy server for Internet-based client management, use SSL bridging to SSL, by using termination with authentication. When you configure SSL termination at the proxy web server, packets from the Internet are subject to inspection before they are forwarded to the internal network. The proxy web server authenticates the connection from the client, terminates it, and then opens a new authenticated connection to the Internetbased site systems. When Configuration Manager client computers use a proxy web server to connect to Internet-based site systems, the client identity (client GUID) is securely contained within the packet payload so that the management point does not consider the proxy web server to be the client. If your proxy web server cannot support the requirements for SSL bridging, SSL tunneling is also supported. This is a less secure option because the SSL packets from the Internet are forwarded to the site systems without
882

Security best practice

More information

termination, so they cannot be inspected for malicious content. If your proxy web server cannot support the requirements for SSL bridging, you can use SSL tunneling. However, this is a less secure option because the SSL packets from the Internet are forwarded to the site systems without termination, so they cannot be inspected for malicious content. Warning Mobile devices that are enrolled by Configuration Manager cannot use SSL bridging and must use SSL tunneling only. If you configure the site to wake up computers to install software: Use AMT power commands rather than traditional wake-up packets If you use traditional wake-up packets, use unicast rather than subnet-directed broadcasts If you must use subnet-directed broadcasts, configure routers to allow IP-directed broadcasts only from the site server and only on a non-default port number Whenever possible, use a mail server that supports authenticated access and use the computer account of the site server for authentication. If you must specify a user account for authentication, use an
883

For more information about the different wake on LAN technologies, see Planning for Client Communication in Configuration Manager.

If you use email notification, configure authenticated access to the SMTP mail server.

Security best practice

More information

account that has the least privileges. Note In Configuration Manager SP1, email notifications are no longer restricted to Endpoint Protection.

Security Best Practices for the Site Server

Use the following security best practices to help you secure the Configuration Manager site server.
Security best practice More information

Install Configuration Manager on a member server instead of a domain controller.

The Configuration Manager site server and site systems do not require installation on a domain controller. Domain controllers do not have a local Security Accounts Management (SAM) database other than the domain database. When you install Configuration Manager on a member server, you can maintain Configuration Manager accounts in the local SAM database rather than in the domain database. This practice also lowers the attack surface on your domain controllers.

Install secondary sites by avoiding copying the files to the secondary site server over the network.

When you run Setup and create a secondary site, do not select the option to copy the files from the parent site to the secondary site, or use a network source location. When you copy files over the network, a skilled attacker could hijack the secondary site installation package and tamper with the files before they are installed, although timing this attack would be difficult. This attack can be mitigated by using
884

Security best practice

More information

IPsec or SMB when you transfer the files. Instead of copying the files over the network, on the secondary site server, copy the source files from media to a local folder. Then, when you run Setup to create a secondary site, on the Installation Source Files page, select Use the source files at the following location on the secondary site computer (most secure), and specify this folder. For more information, see the Install a Secondary Site section in the Install Sites and Create a Hierarchy for Configuration Manager topic.

Security Best Practices for SQL Server

Configuration Manager uses SQL Server as the back-end database. If the database is compromised, attackers could bypass Configuration Manager and access SQL Server directly to launch attacks through Configuration Manager. Consider attacks against the SQL Server to be very high risk and must be mitigated appropriately. Use the following security best practices to help you secure SQL Server for Configuration Manager.
Security best practice More information

Do not use the Configuration Manager site database server to run other SQL Server applications.

When you increase the access to the Configuration Manager site database server, this increases the risk to your Configuration Manager data. If the Configuration Manager site database is compromised, other applications on the same SQL Server computer then also become at risk. Although Configuration Manager accesses the site database by using a Windows account and Windows authentication, it is still possible to configure SQL Server to use SQL Server mixed mode. SQL Server mixed mode allows additional SQL logins to access the database, which is not required and increases the attack surface.
885

Configure SQL Server to use Windows authentication.

Security best practice

More information

Take additional steps to ensure that secondary sites that use SQL Server Express have the latest software updates.

When you install a primary site, Configuration Manager downloads SQL Server Express from the Microsoft Download Center and copies the files to the primary site server. When you install a secondary site and select the option that installs SQL Server Express, Configuration Manager installs the previously downloaded version and does not check whether new versions are available. To ensure that the secondary site has the latest versions, perform one of the following: After the secondary site is installed, run Windows Update on the secondary site server. Before you install the secondary site, manually install SQL Server Express on the computer that will run the secondary site server and ensure that you install the latest version and any software updates. Then install the secondary site and select the option to use an existing SQL Server instance.

Periodically run Windows Update for these sites and all installed versions of SQL Server to make sure that they have the latest software updates. Follow best practices for SQL Server. Identify and follow the best practices for your version of SQL Server. However, take into consideration the following requirements for Configuration Manager: The computer account of the site server must be a member of the Administrators group on the computer that runs SQL Server. If you follow the SQL Server recommendation of provision admin principals explicitly, the account that you use to run Setup on the site server must be a member of the SQL Users group. If you install SQL Server by using a domain user account, make sure that the site server computer account is configured for a
886

Security best practice

More information

Service Principal Name (SPN) that is published to Active Directory Domain Services. Without the SPN, Kerberos authentication will fail and Configuration Manager Setup will fail.

Security Best Practices for Site Systems that Run IIS

Several site system roles in Configuration Manager require IIS. When you secure IIS, this allows Configuration Manager to operate correctly and it reduces the risk of security attacks. When it is practical, minimize the number of servers that require IIS. For example, run only the number of management points that you require to support your client base, taking into consideration high availability and network isolation for Internet-based client management. Use the following security best practices to help you secure the site systems that run IIS.
Security best practice. More information

Disable IIS functions that you do not require.

Install only the minimum IIS features for the site system role that you install. For more information, see the Site System Requirements in the Supported Configurations for Configuration Manager topic. When clients connect to a site system by using HTTP rather than by using HTTPS, they use Windows authentication, which might fall back to using NTLM authentication rather than Kerberos authentication. When NTLM authentication is used, clients might connect to a rogue server. The exception to this security best practice might be distribution points because package access accounts do not work when the distribution point is configured for HTTPS. Package access accounts provide authorization to the content, so that you can restrict which users can access the content. For more information, see Security Best Practices for Content Management.

Configure the site system roles to require HTTPS.

Configure a certificate trust list (CTL) in IIS for the following site system roles:

A certificate trust list (CTL) is a defined list of trusted root certification authorities. When you
887

Security best practice.

More information

A distribution point that is configured for HTTPS. A management that is configured for HTTPS and enabled to support mobile devices.

use a CTL with Group Policy and a PKI deployment, a CTL allows you to supplement the existing trusted root certification authorities that are configured on your network, such as those automatically installed with Microsoft Windows or added through Windows enterprise root certification authorities. However, when a CTL is configured in IIS, a CTL defines a subset of those trusted root certification authorities. This subset provides you with more control over security because the CTL restricts the client certificates that are accepted to only those that are issued from the list of certification authorities in the CTL. For example, Windows ships with a number of well-known third-party certification authority certificates, such as VeriSign and Thawte. By default, the computer that runs IIS trusts certificates that chain to these well-known certification authorities. When you do not configure IIS with a CTL for the listed site system roles, any device that has a client certificate issued from these certification authorities are accepted as a valid Configuration Manager client. If you configure IIS with a CTL that did not include these certification authorities, client connections are refused if the certificate chained to these certification authorities. However, for Configuration Manager clients to be accepted for the listed site system roles, you must configure IIS with a CTL that specifies the certification authorities that are used by Configuration Manager clients. Note Only the listed site system roles require you to configure a CTL in IIS; the certificate issuers list that Configuration Manager uses for management points provides the same functionality for client computers when they connect to
888

Security best practice.

More information

HTTPS management points. For more information about how to configure a list of trusted certification authorities in IIS, refer to your IIS documentation. Do not put the site server on a computer with IIS. Role separation helps to reduce the attack profile and improve recoverability. In addition, the computer account of the site server typically has administrative privileges on all site system roles (and possibly on Configuration Manager clients, if you use client push installation). Although you can host multiple web-based applications on the IIS servers that are also used by Configuration Manager, this practice can significantly increase your attack surface. A poorly configured application could allow an attacker to gain control of a Configuration Manager site system, which could allow an attacker to gain control of the hierarchy. If you must run other web-based applications on Configuration Manager site systems, create a custom web site for Configuration Manager site systems. Use a custom web site. For site systems that run IIS, you can configure Configuration Manager to use a custom website instead of the default website for IIS. If you must run other web applications on the site system, you must use a custom website. This setting is a site -wide setting rather than a setting for a specific site system. In addition to providing additional security, you must use a custom website if you run other web applications on the site system. If you switch from the default website to a custom website after any distribution point roles are installed, remove the default virtual directories. When you change from using the default website to using a custom website, Configuration Manager does not remove the old virtual directories. Remove the virtual directories that Configuration Manager originally created under the default website. For example, the virtual directories to remove
889

Use dedicated IIS servers for Configuration Manager.

Security best practice.

More information

for a distribution point are the following: Follow best practices for IIS Server. SMS_DP_SMSPKG$ SMS_DP_SMSSIG$ NOCERT_SMS_DP_SMSPKG$ NOCERT_SMS_DP_SMSSIG$

Identify and follow the best practices for your version of IIS Server. However, take into consideration any requirements that Configuration Manager has for specific site system roles. For more information, see the Site System Requirements section in the Supported Configurations for Configuration Manager topic.

Security Best Practices for the Management Point

Management points are the primary interface between devices and Configuration Manager. Consider attacks against the management point and the server that it runs on to be very high risk and to be mitigated appropriately. Apply all appropriate security best practices and monitor for unusual activity. Use the following security best practices to help secure a management point in Configuration Manager.
Security best practice More information

When you install a Configuration Manager client on the management point, assign it to that management points site.

Avoid the scenario where a Configuration Manager client that is on a management point site system is assigned to a site other than the management points site. If you migrate from Configuration Manager 2007 to System Center 2012 Configuration Manager, migrate the Configuration Manager 2007 client to System Center 2012 Configuration Manager as soon as possible.

890

Security Best Practices for the Fallback Status Point

Use the following security best practices if you install a fallback status point in Configuration Manager. For more information about the security considerations when you install a fallback status point, see Determine Whether You Require a Fallback Status Point.
Security best practice More information

Do not run other site system roles on the site system and do not install it on a domain controller.

Because the fallback status point is designed to accept unauthenticated communication from any computer, running this site system role with other site system roles or on a domain controller greatly increases the risk to that server.

When you use PKI certificates for client communication in Configuration Manager, If Configuration Manager site systems do not install the fallback status point before you install accept HTTP client communication, you might the clients. not know that clients are unmanaged because of PKI-related certificate issues. However, if clients are assigned to a fallback status point, these certificate issues will be reported by the fallback status point. For security reasons, you cannot assign a fallback status point to clients after they are installed; you can assign this role only during client installation. Avoid using the fallback status point in the perimeter network. By design, the fallback status point accepts data from any client. Although a fallback status point in the perimeter network could help you to troubleshoot Internet-based clients, you must balance the troubleshooting benefits with the risk of a site system that accepts unauthenticated data in a publicly accessible network. If you do install the fallback status point in the perimeter network or any untrusted network, configure the site server to initiate data transfers rather than the default setting that allows the fallback status point to initiate a connection to the site server.

891

Security Issues for Site Administration

Review the following security issues for Configuration Manager: Configuration Manager has no defense against an authorized administrative user who uses Configuration Manager to attack the network. Unauthorized administrative users are a high security risk and could launch numerous attacks, which include the following: Use software deployment to automatically install and run malicious software on every Configuration Manager client computer in the enterprise. Use remote control to take remote control of a Configuration Manager client without client permission. Configure rapid polling intervals and extreme amounts of inventory to create denial of service attacks against the clients and servers. Use one site in the hierarchy to write data to another site's Active Directory data.

The site hierarchy is the security boundary; consider sites to be management boundaries only. Audit all administrative user activity and routinely review the audit logs. Require all Configuration Manager administrative users to undergo a background check before they are hired and require periodic rechecks as a condition of employment. If the enrollment point is compromised, an attacker could obtain certificates for authentication and steal the credentials of users who enroll their mobile devices. The enrollment point communicates with a certification authority and can create, modify, and delete Active Directory objects. Never install the enrollment point in the perimeter network and monitor for unusual activity. If you allow user policies for Internet-based client management or configure the Application Catalog website point for users when they are on the Internet, you increase your attack profile. In addition to using PKI certificates for client-to-server connections, these configurations require Windows authentication, which might fall back to using NTLM authentication rather than Kerberos. NTLM authentication is vulnerable to impersonation and replay attacks. To successfully authenticate a user on the Internet, you must allow a connection from the Internet-based site system server to a domain controller. The Admin$ share is required on site system servers. The Configuration Manager site server uses the Admin$ share to connect to and perform service operations on site systems. Do not disable or remove the Admin$ share. Configuration Manager uses name resolution services to connect to other computers and these services are hard to secure against security attacks such as spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege. Identify and follow any security best practices for the version of DNS and WINS that you use for name resolution.

892

Privacy Information for Discovery

Discovery creates records for network resources and stores them in the System Center 2012 Configuration Manager database. Discovery data records contain computer information such as IP address, operating system, and computer name. Active Directory discovery methods can also be configured to discover any information that is stored in Active Directory Domain Services. The only discovery method that is enabled by default is Heartbeat Discovery, but that method only discovers computers that are already have the System Center 2012 Configuration Manager client software installed. Discovery information is not sent to Microsoft. Discovery information is stored in the Configuration Manager database. Information is retained in the database until it is deleted by the site maintenance task Delete Aged Discovery Data every 90 days. You can configure the deletion interval. Before you configure additional discovery methods or extend Active Directory discovery, consider your privacy requirements.

See Also
Site Administration for System Center 2012 Configuration Manager

Technical Reference for Site Administration in Configuration Manager

Technical Reference Topics
Technical Reference for Site Communications in Configuration Manager Technical Reference for Ports Used in Configuration Manager Technical Reference for Log Files in Configuration Manager Technical Reference for Accounts Used in Configuration Manager Technical Reference for Cryptographic Controls Used in Configuration Manager Technical Reference for Language Packs in Configuration Manager Technical Reference for Unicode and ASCII Support in Configuration Manager Technical Reference for the Hierarchy Maintenance Tool (Preinst.exe) in Configuration Manager Technical Reference for the Prerequisite Checker in Configuration Manager Technical Reference for International Support in Configuration Manager Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority

893

Other Resources for this Product

TechNet Library main page for System Center 2012 Configuration Manager Site Administration for System Center 2012 Configuration Manager

Technical Reference for Site Communications in Configuration Manager

The following sections provide technical details about site-to-site communications in System Center 2012 Configuration Manager. Types of Replication in Configuration Manager Database Replication File-Based Replication

Types of Replication in Configuration Manager

System Center 2012 Configuration Manager transfers data between sites by using database replication and file-based replication. Additionally, the data that is replicated is grouped into the following classifications: Global data that replicates by using database replication. Site data that replicates by using database replication. File content that replicates by using file-based replication.

The following table identifies replication methods and data types in System Center 2012 Configuration Manager.
Replication Type Data Type Examples

Database replication

Global data

Collections, package metadata, and deployments Collection membership, hardware inventory, and alerts Software packages and software updates

Database replication

Site data

File-based replication

File content

Database Replication
Database replication in System Center 2012 Configuration Manager uses Configuration Manager database replication. Configuration Manager database replication uses the SQL Server Service

894

Broker to transfer data between the SQL Server database of different sites in a hierarchy. By default, the SQL Server Service Broker installs with SQL Server, and uses port 4022. Data, represented as objects, can include different types of information such as configuration settings or client inventory or status information. When a new site installs, a snapshot of the parent sites database is taken by bulk copy (BCP) and transferred by server message blocks (SMB) to the new site where it is inserted by BCP to the local database. Objects replicated by database replication include the following:
Global Data

Alert rules Client discovery Collections rules and count Configuration Items metadata Deployments Operating system images (boot images and driver packages) Package metadata Program metadata Site control file Site security objects (security roles and security scopes) Software updates metadata System Resource List (site system servers)

Site Data

Alert messages Asset Intelligence client access license (CAL) tracking data Client Health data Client Health history Collection membership results Component and Site Status Summarizers

895

Site Data

Hardware inventory Software distribution status details Software inventory and metering Software updates site data Status messages Status summary data

File-Based Replication
File-based replication in System Center 2012 Configuration Manager transfers data in file format between System Center 2012 Configuration Manager sites. This is accomplished by use of a sender and file replication route that together define how and when a network connection to a parent or child site can be established. In a change from past versions of Configuration Manager, a single type of sender is supported by System Center 2012 Configuration Manager. File-based replication uses the Server Message Block protocol. Important With Configuration Manager SP1, the term address is now file replication route. If you use Configuration Manager with no service pack, replace file replication route with the word address. Objects replicated by file-based replication include the following:
Data Destination

Package files used by deployments Data from secondary sites

Sent to primary and secondary sites. Sent to the primary site (parent) of the secondary site. Forwarded to the assigned site when only a single fallback status point is in use. Forwarded to the assigned site when not processed at the site where they are generated.

Fallback status point state messages

Discovery data records

See Also
Technical Reference for Site Administration in Configuration Manager
896

Technical Reference for Ports Used in Configuration Manager

Note This topic appears in the Site Administration for System Center 2012 Configuration Manager guide and in the Security and Privacy for System Center 2012 Configuration Manager guide. System Center 2012 Configuration Manager is a distributed client/server system. The distributed nature of Configuration Manager means that connections can be established between site servers, site systems, and clients. Some connections use ports that are not configurable, and some support custom ports you specify. You must verify that the required ports are available if you use any port filtering technology such as firewalls, routers, proxy servers, and IPsec. Note If you support Internet-based clients by using SSL bridging, in addition to port requirements, you might have to also allow some HTTP verbs and headers to traverse your firewall. For more information, see Prerequisites for Internet-Based Client Management in the Planning for Communications in Configuration Manager topic. The port listings that follow are used by Configuration Manager and do not include information for standard Windows services, such as Group Policy settings for Active Directory Domain Services and Kerberos authentication. For information about Windows Server services and ports, see Service overview and network port requirements for the Windows Server system. Configurable Ports Non-Configurable Ports Ports Used by Configuration Manager Clients and Site Systems Additional Lists of Ports AMT Out of Band Management Ports Client to Server Shares Connections to Microsoft SQL Server External Connections made by Configuration Manager Installation Requirements for Site Systems that Support Internet-Based Clients Ports Used by Configuration Manager Client Installation Ports Used by Windows Server

Configurable Ports
Configuration Manager allows you to configure the ports for the following types of communication: Application Catalog Website point to Application Catalog web service point Enrollment proxy point to enrollment point
897

Client to site systems that run IIS Client to Internet (as proxy server settings) Software update point to Internet (as proxy server settings) Software update point to WSUS server Site server to site database server Reporting services points Note The ports in use for the reporting services point site system role are configured in SQL Server Reporting Services. These ports are then used by Configuration Manager during communications to the reporting services point. Be sure to review these ports defining the IP filter information for IPsec policies or for configuring firewalls.

By default, the HTTP port used for client to site system communication is port 80, and the default HTTPS port is 443. Ports for client-to-site system communication over HTTP or HTTPS can be changed during Setup or in the Site Properties for your Configuration Manager site. The ports in use for the reporting services point site system role are configured in SQL Server Reporting Services. These ports are then used by Configuration Manager during communications to the reporting services point. Be sure to review these ports defining the IP filter information for IPsec policies or for configuring firewalls.

Non-Configurable Ports
Configuration Manager does not allow you to configure ports for the following types of communication: Site to site Site server to site system Configuration Manager console to SMS Provider Configuration Manager console to the Internet Connections to cloud services, such as Windows Intune and cloud-based distribution points

Ports Used by Configuration Manager Clients and Site Systems

The following sections detail the ports used for communication in Configuration Manager. The arrows in the section title, between the computers, represent the direction of the communication: -- > indicates one computer initiates communication and the other computer always responds < -- > indicates that either computer can initiate communication

Asset Intelligence Synchronization Point < -- > Microsoft

898

Description

UDP

TCP

Secure Hypertext Transfer Protocol (HTTPS)

--

443

Application Catalog Web Service Point -- > SQL Server

Description UDP TCP

SQL over TCP

--

1433 (See note 2, Alternate Port Available)

Application Catalog Website Point -- > Application Catalog Web Service Point
Description UDP TCP

Hypertext Transfer Protocol (HTTP) Secure Hypertext Transfer Protocol (HTTPS)

--

80 (See note 2, Alternate Port Available) 443 (See note 2, Alternate Port Available)

--

Endpoint Protection Point -- > Internet

Description UDP TCP

Hypertext Transfer Protocol (HTTP)

--

80

Enrollment Proxy Point -- > Enrollment Point

Description UDP TCP

Secure Hypertext Transfer Protocol (HTTPS)

--

443 (See note 2, Alternate Port Available)

Enrollment Point -- > SQL Server

899

Description

UDP

TCP

SQL over TCP

--

1433 (See note 2, Alternate Port Available)

Exchange Server Connector -- > Exchange Online

Description UDP TCP

Windows Remote Management over HTTPS

--

5986

Exchange Server Connector -- > On Premises Exchange Server

Description UDP TCP

Windows Remote Management over HTTP

--

5985

Client -- > Application Catalog Website Point

Description UDP TCP

Hypertext Transfer Protocol (HTTP) Secure Hypertext Transfer Protocol (HTTPS)

--

80 (See note 2, Alternate Port Available) 443 (See note 2, Alternate Port Available)

--

Client -- > Client

In addition to the ports listed in the following table, wake-up proxy also uses Internet Control Message Protocol (ICMP) echo request messages from one client to another client when they are configured for wake-up proxy. This communication is used to confirm whether the other client computer is awake on the network. ICMP is sometimes referred to as TCP/IP ping commands. ICMP does not have a UDP or TCP protocol number, and so it is not listed in the following table. However, any host-based firewalls on these client computers or intervening network devices within the subnet must permit ICMP traffic for wake-up proxy communication to succeed.

900

Description

UDP

TCP

Wake on LAN

9 (See note 2, Alternate Port Available) 25536 (See note 2, Alternate Port Available)

--

Wake-up proxy

--

Client -- > Cloud-Based Distribution Point

Description UDP TCP

Secure Hypertext Transfer Protocol (HTTPS)

--

443

Client -- > Distribution Point

Description UDP TCP

Hypertext Transfer Protocol (HTTP) Secure Hypertext Transfer Protocol (HTTPS)

--

80 (See note 2, Alternate Port Available) 443 (See note 2, Alternate Port Available)

--

Client -- > Distribution Point Configured for Multicast

Description UDP TCP

Server Message Block (SMB) Multicast Protocol

-63000-64000

445 --

Client -- > Distribution Point Configured for PXE

Description UDP TCP

Dynamic Host Configuration Protocol (DHCP) Trivial File Transfer Protocol

67 and 68

--

69 (See note 4 Trivial FTP

-901

Description

UDP

TCP

(TFTP) Boot Information Negotiation Layer (BINL)

(TFTP) Daemon) 4011 --

Client -- > Fallback Status Point

Description UDP TCP

Hypertext Transfer Protocol (HTTP)

--

80 (See note 2, Alternate Port Available)

Client -- > Global Catalog Domain Controller

A Configuration Manager client does not contact a global catalog server when it is a workgroup computer or when it is configured for Internet-only communication.
Description UDP TCP

Global Catalog LDAP Global Catalog LDAP SSL

---

3268 3269

Client -- > Management Point

Description UDP TCP

Client notification (default communication before falling back to HTTP or HTTPS) Hypertext Transfer Protocol (HTTP) Secure Hypertext Transfer Protocol (HTTPS)

--

10123 (See note 2, Alternate Port Available)

--

80 (See note 2, Alternate Port Available) 443 (See note 2, Alternate Port Available)

--

Client -- > Software Update Point

902

Description

UDP

TCP

Hypertext Transfer Protocol (HTTP)

--

80 or 8530 (See note 3, Windows Server Update Services) 443 or 8531 (See note 3, Windows Server Update Services)

Secure Hypertext Transfer Protocol (HTTPS)

--

Client -- > State Migration Point

Description UDP TCP

Hypertext Transfer Protocol (HTTP) Secure Hypertext Transfer Protocol (HTTPS) Server Message Block (SMB)

--

80 (See note 2, Alternate Port Available) 443 (See note 2, Alternate Port Available) 445

--

--

Client -- > System Health Validator

The client requires the ports established by the Windows Network Access Protection client, which is dependent upon the enforcement client being used. For example, DHCP enforcement will use ports UDP 67 and 68. IPsec enforcement will use ports TCP 80 or 443 to the Health Registration Authority, port UDP 500 for IPsec negotiation and the additional ports needed for the IPsec filters. For more information, see the Windows Network Access Protection documentation. For help with configuring firewalls for IPsec, see How to Enable IPsec Traffic Through a Firewall.

Configuration Manager Console -- > Client

Description UDP TCP

Remote Control (control) Remote Assistance (RDP and RTC)

---

2701 3389

Configuration Manager Console -- > Internet

903

Description

UDP

TCP

Hypertext Transfer Protocol (HTTP)

--

80

Configuration Manager Console -- > Reporting Services Point

Description Hypertext Transfer Protocol (HTTP) Secure Hypertext Transfer Protocol (HTTPS) UDP -TCP 80 (See note 2, Alternate Port Available) 443 (See note 2, Alternate Port Available)

--

Configuration Manager Console -- > Site Server

Description UDP TCP

RPC (initial connection to WMI to locate provider system)

--

135

Configuration Manager Console -- > SMS Provider

Description UDP TCP

RPC Endpoint Mapper RPC

135 --

135 DYNAMIC

Mac Computer -- > Enrollment Proxy Point

Description UDP TCP

Secure Hypertext Transfer Protocol (HTTPS)

--

443

Management Point -- > Domain Controller

904

Description

UDP

TCP

Lightweight Directory Access Protocol (LDAP) LDAP (Secure Sockets Layer [SSL] connection) Global Catalog LDAP Global Catalog LDAP SSL RPC Endpoint Mapper RPC

--

389

636

636

--135 --

3268 3269 135 DYNAMIC

Management Point < -- > Site Server

(See note 5, Communication between the site server and site systems)
Description UDP TCP

RPC Endpoint mapper RPC Server Message Block (SMB)

----

135 DYNAMIC 445

Management Point -- > SQL Server

Description UDP TCP

SQL over TCP

--

1433 (See note 2, Alternate Port Available)

Mobile Device -- > Enrollment Proxy Point

Description UDP TCP

Secure Hypertext Transfer Protocol (HTTPS)

--

443

Mobile Device -- > Windows Intune

905

Description

UDP

TCP

Secure Hypertext Transfer Protocol (HTTPS)

--

443

Out of Band Service Point --> Enrollment Point

Description UDP TCP

Secure Hypertext Transfer Protocol (HTTPS)

--

443

Out of Band Service Point --> AMT Management Controller

Description UDP TCP

Power control, provisioning, and discovery

--

16993

Out of Band Management Console --> AMT Management Controller

Description UDP TCP

General management tasks Serial over LAN and IDE redirection

---

16993 16995

Reporting Services Point -- > SQL Server

Description UDP TCP

SQL over TCP

--

1433 (See note 2, Alternate Port Available)

Site Server < -- > Application Catalog Web Service Point

906

Description

UDP

TCP

Server Message Block (SMB) RPC Endpoint Mapper RPC

-135 --

445 135 DYNAMIC

Site Server < -- > Application Catalog Website Point

Description UDP TCP

Server Message Block (SMB) RPC Endpoint Mapper RPC

-135 --

445 135 DYNAMIC

Site Server < -- > Asset Intelligence Synchronization Point

Description UDP TCP

Server Message Block (SMB) RPC Endpoint Mapper RPC

-135 --

445 135 DYNAMIC

Site Server -- > Client

Description UDP TCP

Wake on LAN

9 (See note 2, Alternate Port Available)

--

Site Server -- > Cloud-Based Distribution Point

Description UDP TCP

Secure Hypertext Transfer Protocol (HTTPS)

--

443

907

Site Server -- > Distribution Point

(See note 5, Communication between the site server and site systems)
Description UDP TCP

Server Message Block (SMB) RPC Endpoint Mapper RPC

-135 --

445 135 DYNAMIC

Site Server -- > Domain Controller

Description UDP TCP

Lightweight Directory Access Protocol (LDAP) LDAP (Secure Sockets Layer [SSL] connection) Global Catalog LDAP Global Catalog LDAP SSL RPC Endpoint Mapper RPC

--

389

636

636

--135 --

3268 3269 135 DYNAMIC

Site Server < -- > Endpoint Protection Point

Description UDP TCP

Server Message Block (SMB) RPC Endpoint Mapper RPC

-135 --

445 135 DYNAMIC

Site Server < -- > Enrollment Point

Description UDP TCP

Server Message Block (SMB)

--

445
908

Description

UDP

TCP

RPC Endpoint Mapper RPC

135 --

135 DYNAMIC

Site Server < -- > Enrollment Proxy Point

Description UDP TCP

Server Message Block (SMB) RPC Endpoint Mapper RPC

-135 --

445 135 DYNAMIC

Site Server -- > Internet

Description UDP TCP

Hypertext Transfer Protocol (HTTP)

--

80 (See note 1, Proxy Server port)

Site Server < -- > Fallback Status Point

(See note 5, Communication between the site server and site systems)
Description UDP TCP

Server Message Block (SMB) RPC Endpoint Mapper RPC

-135 --

445 135 DYNAMIC

Site Server < -- > Reporting Services Point

(See note 5, Communication between the site server and site systems)
Description UDP TCP

Server Message Block (SMB) RPC Endpoint Mapper

-135

445 135
909

Description

UDP

TCP

RPC

--

DYNAMIC

Site Server < -- > Site Server

Description UDP TCP

Server Message Block (SMB)

--

445

Site Server -- > SQL Server

Description UDP TCP

SQL over TCP

--

1433 (See note 2, Alternate Port Available)

Site Server -- > SMS Provider

Description UDP TCP

Server Message Block (SMB) RPC Endpoint Mapper RPC

-135 --

445 135 DYNAMIC

Site Server < -- > Software Update Point

(See note 5, Communication between the site server and site systems)
Description UDP TCP

Server Message Block (SMB) Hypertext Transfer Protocol (HTTP)

---

445 80 or 8530 (See note 3, Windows Server Update Services) 443 or 8531 (See note 3, Windows Server Update Services)
910

Secure Hypertext Transfer Protocol (HTTPS)

--

Site Server < -- > State Migration Point

(See note 5, Communication between the site server and site systems)
Description UDP TCP

Server Message Block (SMB) RPC Endpoint Mapper

-135

445 135

Site Server < -- > System Health Validator

(See note 5, Communication between the site server and site systems)
Description UDP TCP

Server Message Block (SMB) RPC Endpoint Mapper RPC

-135 --

445 135 DYNAMIC

SMS Provider -- > SQL Server

Description UDP TCP

SQL over TCP

--

1433 (See note 2, Alternate Port Available)

Software Update Point -- > Internet

Description UDP TCP

Hypertext Transfer Protocol (HTTP)

--

80 (See note 1, Proxy Server port)

Software Update Point -- > Upstream WSUS Server

911

Description

UDP

TCP

Hypertext Transfer Protocol (HTTP)

--

80 or 8530 (See note 3, Windows Server Update Services) 443 or 8531 (See note 3, Windows Server Update Services)

Secure Hypertext Transfer Protocol (HTTPS)

--

SQL Server --> SQL Server

Intersite database replication requires the SQL Server at one site to communicate directly with the SQL Server of its parent or child site.
Description UDP TCP

SQL Server Service Broker

--

4022 (See note 2, Alternate Port Available)

Windows Intune Connector -- > Windows Intune

Description UDP TCP

Secure Hypertext Transfer Protocol (HTTPS)

--

443

Notes for Ports Used by Configuration Manager Clients and Site Systems
1. Proxy Server port: This port cannot be configured but can be routed through a configured proxy server. 2. Alternate Port Available: An alternate port can be defined within Configuration Manager for this value. If a custom port has been defined, substitute that custom port when defining the IP filter information for IPsec policies or for configuring firewalls. 3. Windows Server Update Services: WSUS can be installed either on the default Web site (port 80) or a custom Web site (port 8530). After installation, the port can be changed. You do not have to use the same port number throughout the site hierarchy. If the HTTP port is 80, the HTTPS port must be 443. If the HTTP port is anything else, the HTTPS port must be 1 higher for example, 8530 and 8531.
912

4. Trivial FTP (TFTP) Daemon: The Trivial FTP (TFTP) Daemon system service does not require a user name or password and is an integral part of the Windows Deployment Services (WDS). The Trivial FTP Daemon service implements support for the TFTP protocol defined by the following RFCs: RFC 350TFTP RFC 2347Option extension RFC 2348Block size option RFC 2349Time-out interval, and transfer size options

Trivial File Transfer Protocol is designed to support diskless boot environments. TFTP Daemons listen on UDP port 69 but respond from a dynamically allocated high port. Therefore, enabling this port will allow the TFTP service to receive incoming TFTP requests but will not allow the selected server to respond to those requests. Allowing the selected server to respond to inbound TFTP requests cannot be accomplished unless the TFTP server is configured to respond from port 69. 5. Communication between the site server and site systems: By default, communication between the site server and site systems is bi-directional. The site server initiates communication to configure the site system, and then most site systems connect back to the site server to send status information. Reporting service points and distribution points do not send status information. If you select Require the site server to initiate connections to this site system on the site system properties, after the site system is installed, it will not initiate communication to the site server. Instead, the site server initiates the connections and uses the Site System Installation Account for authentication to the site system server.

Additional Lists of Ports

The following sections provide additional information about ports used by Configuration Manager.

AMT Out of Band Management Ports

The following information lists the ports used by out of band management: Out of Band Service Point --&gt; Enrollment Point Out of Band Service Point --&gt; AMT Management Controller Out of Band Management Console --&gt; AMT Management Controller

Client to Server Shares

Clients use Server Message Block (SMB) whenever they connect to UNC shares. For example: Manual client installation that specifies the CCMSetup.exe /source: command line property. Endpoint Protection clients that download definition files from a UNC path.
UDP TCP

Description

Server Message Block (SMB)

--

445
913

Connections to Microsoft SQL Server

For communication to the SQL Server database engine and for intersite replication, you can use the default SQL Server port or specify custom ports: Intersite communications use the SQL Server Service Broker, which defaults to port TCP 4022. Intrasite communication between the SQL Server database engine and various Configuration Manager site system roles default to port TCP 1433. Warning Configuration Manager does not support dynamic ports. Because SQL Server named instances by default use dynamic ports for connections to the database engine, when you use a named instance, you must manually configure the static port that you want to use for intrasite communication. The following site system roles communicate directly with the SQL Server database: Application Catalog web service point Enrollment point role Management point Site server Reporting services point SMS Provider SQL Server --> SQL Server

When a SQL Server hosts a database from more than one site, each database must use a separate instance of SQL Server, and each instance must be configured with a unique set of ports. If you have a firewall enabled on the SQL Server computer, ensure that it is configured to allow the ports in use by your deployment, and at any locations on the network between computers that communicate with the SQL Server. For an example of how to configure SQL Server to use a specific port, see How to: Configure a Server to Listen on a Specific TCP Port (SQL Server Configuration Manager) in the SQL Server TechNet library.

External Connections made by Configuration Manager

Configuration Manager clients or site systems can make the following external connections: Asset Intelligence Synchronization Point &lt; -- &gt; Microsoft Endpoint Protection Point -- &gt; Internet Client -- &gt; Global Catalog Domain Controller Configuration Manager Console -- &gt; Internet Management Point -- &gt; Domain Controller Site Server -- &gt; Domain Controller Software Update Point -- &gt; Internet
914

Software Update Point -- &gt; Upstream WSUS Server

Installation Requirements for Site Systems that Support InternetBased Clients

Management points and distribution points that support internet-based clients, the software update point, and the fallback status point use the following ports for installation and repair: Site server --> site system: RPC endpoint mapper using UDP and TCP port 135. Site server --> site system: RPC dynamic TCP ports. Site server < --> site system: Server message blocks (SMB) using TCP port 445. Site server --> distribution point: RPC endpoint mapper using UDP and TCP port 135. Site server --> distribution point: RPC dynamic TCP ports

Application and package installations on distribution points require the following RPC ports:

Use IPsec to help secure the traffic between the site server and site systems. If you must restrict the dynamic ports that are used with RPC, you can use the Microsoft RPC configuration tool (rpccfg.exe) to configure a limited range of ports for these RPC packets. For more information about the RPC configuration tool, see How to configure RPC to use certain ports and how to help secure those ports by using IPsec. Important Before you install these site systems, ensure that the remote registry service is running on the site system server and that you have specified a Site System Installation Account if the site system is in a different Active Directory forest without a trust relationship.

Ports Used by Configuration Manager Client Installation

The ports that are using during client installation depend on the client deployment method. See Ports Used During Configuration Manager Client Deployment in the Windows Firewall and Port Settings for Client Computers in Configuration Manager topic for a list of ports for each client deployment method. For information about how to configure Windows Firewall on the client for client installation and post-installation communication, see Windows Firewall and Port Settings for Client Computers in Configuration Manager.

Ports Used by Windows Server

The following table lists some of the key ports that Windows Server uses and their respective functions. For a more complete list of Windows Server services and network ports requirements, see Service overview and network port requirements for the Windows Server system.
Description UDP TCP

Domain Name System (DNS) Dynamic Host Configuration

53 67 and 68

53 -915

Description

UDP

TCP

Protocol (DHCP) NetBIOS Name Resolution NetBIOS Datagram Service NetBIOS Session Service 137 138 ---139

See Also
Technical Reference for Site Administration in Configuration Manager

Technical Reference for Log Files in Configuration Manager

In System Center 2012 Configuration Manager, client and site server components record process information in individual log files. By default, client and server component logging is enabled in Configuration Manager. You can use the information in these log files to help you troubleshoot issues that might occur in your Configuration Manager hierarchy. The following sections provide details about the different log files. Use this information to view and monitor Configuration Manager client and server logs for operation details and identify error information that might help you to troubleshoot any problems. About Configuration Manager Log Files Configure Logging Options by Using the Configuration Manager Service Manager Locating Configuration Manager Logs Client Operations Client Installation Log Files Client for Linux and UNIX Client for Mac Computers Site Server and Site System Server Logs Site Server Installation Log Files Fallback Status Point Logs Files Management Point Logs Files Software Update Point Log Files Application Management
916

Configuration Manager Client Logs

Configuration Manager Site Server Log Files

Log Files for Configuration Manager Functionality

Asset Intelligence Backup and Recovery Client Notification (Configuration Manager SP1 Only) Compliance Settings Configuration Manager Console Content Management Discovery Endpoint Protection Inventory Metering Migration Mobile Devices Operating System Deployment Out of Band Management Power Management Remote Control Reporting Role-Based Administration Software Updates and Network Access Protection Wake On LAN Windows Intune Connector Windows Update Agent WSUS Server

About Configuration Manager Log Files

By default, most processes in Configuration Manager write operational information to a log file that is dedicated to that process. These log files are identified by the .LOG or .LO_ extension. Configuration Manager writes to the .LOG file until that log reaches it maximum size. When the log is full, the .LOG file is copied to a file of the same name but with the .LO_ extension, and the process or component continues to write to the .LOG file. When the .LOG file again reaches its maximum size, the .LO_ file is overwritten and the process repeats. Some components establish a log file history by appending a date and time stamp to the log file name and by retaining the .LOG extension. To view the logs, you can use the Configuration Manager log viewer tool, CMTrace, which is located in the \SMSSETUP\TOOLS folder of the System Center 2012 Configuration Manager source media. The CMTrace tool is also added to all boot images that are added to the Software Library.

917

Whats New in Configuration Manager

The Configuration Manager 2007 log viewer tool, Trace32, is now replaced with CMTrace.

Configure Logging Options by Using the Configuration Manager Service Manager

Configuration Manager supports options that enable you to change where log files are stored and the log file size. Use the following procedure to use the Configuration Manager Service Manager to modify the size of log files, the name and location of the log file, and to force multiple components to write to a single log file. To modify logging for a component: 1. In the Configuration Manager console, click Monitoring, click System Status, and then click either Site Status or Component Status. 2. On the Home tab, in the Component group, click Start and select Configuration Manager Service Manager. 3. When the Configuration Manager Service Manager opens, connect to the site that you want to manage. If you do not see the site that you want to manage, click Site, click Connect, and then enter the name of the site server for the correct site. 4. Expand the site and navigate to Components or Servers, depending on where the components that you want to manage are located. 5. In the right pane, select one or more components. 6. On the Component menu, click Logging. 7. In the Configuration Manager Component Logging dialog box, complete the available configuration options for your selection. 8. Click OK to save the configuration.

Locating Configuration Manager Logs

By default, Configuration Manager log files are stored in a variety of locations that depend on the process that creates the log file, and on the configuration of your site systems. Because the location of the log on a given computer can vary, use search to locate the relevant log files on your Configuration Manager computers to help you troubleshoot a specific scenario.

Configuration Manager Client Logs

The following sections list the log files related to client operations, and client installation.

918

Client Operations
The following table lists the log files found on the Configuration Manager client.
Log name Description

CAS.log

Content Access service. Maintains the local package cache on the client. Records actions for starting applications on the client marked as "run as 32bit". Records Configuration Manager client status evaluation activities and details for components that are required by the Configuration Manager client. Records the Configuration Manager client status evaluation activities that are initiated by the evaluation scheduled task. Records activities of the client and the SMS Agent Host service. This log file also includes information about enabling and disabling wakeup proxy. Records activities related to communications between the client and management points. Records activities related to client notification operations. Records activities related to the maintenance and capture of data related to client performance counters. Records client service restart activity. Records activities for the client SDK interfaces. Maintains certificates for Active Directory Domain Services and management points. Records details about configuration item definition downloads. Records tasks that are initiated for each application and deployment type, such as content download or install or uninstall actions. Records the signing and authentication activity
919

Ccm32BitLauncher.log

CcmEval.log

CcmEvalTask.log

CcmExec.log

CcmMessaging.log

CCMNotificationAgent.log

Ccmperf.log

CcmRestart.log CCMSDKProvider.log CertificateMaintenance.log

CIDownloader.log

CITaskMgr.log

ClientAuth.log

Log name

Description

for the client. ClientIDManagerStartup.log Creates and maintains the client GUID and identifies tasks performed during client registration and assignment. Records tasks that are related to client site assignment. Records the results of running the Configuration Manager HTTPS Readiness Assessment Tool. This tool checks whether computers have a PKI client authentication certificate that can be used for Configuration Manager. Records information for the remote control service. Schedules the Background Intelligent Transfer Service (BITS) or the Server Message Block (SMB) to download or to access packages. Records all BITS communication for policy or package access. Records information about the installation of the Endpoint Protection client and the application of antimalware policy to that client. Records details about packages and task sequences that run on the client. Records details about enhanced detection methods that are used when verbose or debug logging is enabled. Records the history of Endpoint Protection malware detection and events related to client status. Records all SMB package access tasks. Records the activity of the Windows Management Instrumentation (WMI) provider for software inventory and file collection. Records the activity for state messages that
920

ClientLocation.log

CMHttpsReadiness.log

CmRcService.log

ContentTransferManager.log

DataTransferService.log

EndpointProtectionAgent

execmgr.log

ExpressionSolver.log

ExternalEventAgent.log

FileBITS.log FileSystemFile.log

FSPStateMessage.log

Log name

Description

are sent to the fallback status point by the client. InternetProxy.log Records the network proxy configuration and usage activity for the client. Records activities of hardware inventory, software inventory, and heartbeat discovery actions on the client. Records the activity for location cache usage and maintenance for the client. Records the client activity for locating management points, software update points, and distribution points. Records the activity for general maintenance task activity for the client. Records the activity of the WMI provider for .MIF files. Monitors all software metering processes. Records requests for policies made by using the Data Transfer service. Records policy changes. Records details about the evaluation of policies on client computers, including policies from software updates. Records the process of remediation and compliance for all providers located in %Program Files%\Microsoft Policy Platform, except the file provider. Records activities for policy system SDK interfaces. Records information about enabling or disabling and configuring the wake-up proxy client settings. Records the activities of the power management provider (PWRInvProvider) hosted in the Windows Management
921

InventoryAgent.log

LocationCache.log

LocationServices.log

MaintenanceCoordinator.log

Mifprovider.log

mtrmgr.log PolicyAgent.log

PolicyAgentProvider.log PolicyEvaluator.log

PolicyPlatformClient.log

PolicySdk.log

Pwrmgmt.log

PwrProvider.log

Log name

Description

Instrumentation (WMI) service. On all supported versions of Windows, the provider enumerates the current settings on computers during hardware inventory and applies power plan settings. SCClient_<domain>@<username>_1.log Records the activity in Software Center for the specified user on the client computer. Records the historical activity in Software Center for the specified user on the client computer. Records activities of scheduled tasks for all client operations. Records the activity for notifying users about software for the specified user. Records the historical information for notifying users about software for the specified user. Records configuration and inventory policy creation in WMI. Main log file for wake-up proxy. Records usage of the Configuration Manager client in Control Panel. Records activity for installed Windows Installer applications that are updated with current distribution point source locations. Records status messages that are created by the client components. Generates a usage data report that is collected by the metering agent. This data is logged in Mtrmgr.log. Records details about user device affinity. Records information specific to the evaluation of App-V deployment types. Records operations related to write filters on Windows Embedded clients.

SCClient_<domain>@<username>_2.log

Scheduler.log

SCNotify_<domain>@<username>_1.log

SCNotify_<domain>@<username>_1<date_time>.log setuppolicyevaluator.log

SleepAgent_<domain>@<@SYSTEM_0.log smscliui.log

SrcUpdateMgr.log

StatusAgent.log

SWMTRReportGen.log

UserAffinity.log VirtualApp.log

Wedmtrace.log

922

Log name

Description

wakeprxy-install.log

Records installation information when clients receive the client setting option to enable wakeup proxy. Records information about uninstalling wake-up proxy when clients receive the client setting option to disable wake-up proxy, if wake-up proxy was previously enabled.

wakeprxy-uninstall.log

Client Installation Log Files

The following table lists the log files that contain information related to the installation of the Configuration Manager client.
Log name Description

ccmsetup.log

Records ccmsetup tasks for client setup, client upgrade, and client removal. Can be used to troubleshoot client installation problems. Records ccmsetup tasks for client status and remediation. Records the repair activities of the client agent. Records setup tasks performed by client.msi. Can be used to troubleshoot client installation or removal problems.

ccmsetup-ccmeval.log

CcmRepair.log client.msi.log

Client for Linux and UNIX

For Configuration Manager SP1 only: The Configuration Manager client for Linux and UNIX records information in the following log files.
Log name Details

scxcm.log

This is the log file for the core service of the Configuration Manager client for Linux and UNIX (ccmexec.bin). This log file contains information about the installation and ongoing operations of ccmexec.bin. By default, this log file is created in the following
923

Log name

Details

location: /var/opt/microsoft/scxcm.log To change the location of the log file, edit /opt/microsoft/configmgr/etc/scxcm.conf and change the PATH field. You do not need to restart the client computer or service for the change to take effect. You can set the log level to one of four different settings: ERROR: Indicates problems that require attention. WARNING: Indicates possible problems for the client operations. INFO: More detailed logging that indicates the status of various events on the client. TRACE: Verbose logging that is typically used to diagnose problems.

To change the log level, edit /opt/microsoft/configmgr/etc/scxcm.conf and change each instance of the tag MODULE to the desired log level. scxcmprovider.log This is the log file for the CIM service of the Configuration Manager client for Linux and UNIX (nwserver.bin). This log file contains information about the ongoing operations of nwserver.bin. By default, this log is created in the following location: /var/opt/microsoft/configmgr/scxcmprovider.log To change the location of the log file, edit /opt/microsoft/nanowbem/etc/scxcmprovider.conf and change the PATH field. You do not need to restart the client computer or service for the change to take effect. You can set the log level to one of three different settings: ERROR: Indicates problems that require attention. WARNING: Indicates possible problems for the client operations. INFO: More detailed logging that indicates the
924

Log name

Details

status of various events on the client. To change the log level, edit /opt/microsoft/nanowbem/etc/ scxcmprovider.conf and change each instance of the tag MODULE to the desired log level. Under normal operating conditions the ERROR log level should be used. The ERROR level of logging creates the smallest log file. As the log level is increased from ERROR to WARNING to INFO to TRACE, each step results in a larger log file as more data is written to the log file.

Client for Mac Computers

For Configuration Manager SP1 only: The Configuration Manager client for Mac computers records information in the following log files.
Log name Details

CCMClient-<date_time>.log

Records activities that are related to the Mac client operations, which includes application management, inventory, and error logging. This log file is located in the folder /Library/Application Support/Microsoft/CCM/Logs on the Mac computer.

CCMAgent-<date_time>.log

Records information that is related to client operations, which includes user logon and logoff operations and Mac computer activity. This log file is located in the folder ~/Library/Logs on the Mac computer.

CCMNotifications-<date_time>.log

Records activities that are related to Configuration Manager notifications displayed on the Mac computer. This log file is located in the folder ~/Library/Logs on the Mac computer.

CCMPrefPane-<date_time>.log

Records activities related to the Configuration Manager preferences dialog box on the Mac computer, which includes general status and error logging. This log file is located in the folder
925

Log name

Details

~/Library/Logs on the Mac computer. Additionally, the log file SMS_DM.log on the site system server records communication between Mac computers and the management point that is enabled for mobile devices and Mac computers.

Configuration Manager Site Server Log Files

The following sections list log files found on the site server or related to specific site system roles.

Site Server and Site System Server Logs

The following table lists the log files found on the Configuration Manager site server and site system servers.
Log name Description Computer with log file

adctrl.log ADForestDisc.log

Records enrollment processing activity. Records Active Directory Forest Discovery actions. Records account creation and security group details in Active Directory. Records Active Directory Group Discovery actions. Records Active Directory System Discovery actions. Records Active Directory User Discovery actions. Records client push installation activities. Records the certificate activities for intra-site communications. Records activities of the client health manager.

Site server

Site server

ADService.log

Site server

Site server

adsgdis.log adsysdis.log

Site server

adusrdis.log

Site server

ccm.log

Site server

CertMgr.log

Site system server

chmgr.log

Site server

926

Log name

Description

Computer with log file

Cidm.log

Records changes to the client settings by the Client Install Data Manager (CIDM). Records details about when collections are created, changed, and deleted by the Collection Evaluator. Records the status of component threads monitored for the site server. Records Component Status Summarizer tasks. Records the initial installation of COM registration results for a site server. Records information about the processing of Management Information Format (MIF) files and hardware inventory in the Configuration Manager database. Records activities of the discovery data manager. Records incoming site-tosite communication transfers. Records details about package creation, compression, delta replication, and information updates. Records information about

Site server

colleval.log

Site server

compmon.log

Site system server

compsumm.log

Site server

ComRegSetup.log

Site system server

dataldr.log

Site Server

ddm.log

Site server

despool.log

Site server

distmgr.log

Site server

EPCtrlMgr.log

Site server
927

Log name

Description

Computer with log file

the synchronization of malware threat information from the Endpoint Protection site system role server into the Configuration Manager database. EPMgr.log Records the status of the Endpoint Protection site system role. Provides information about the installation of the Endpoint Protection site system role. Site system server

EPSetup.log

Site system server

EnrollSrv.log

Records activities of the Site system server enrollment service process. Records activities of the enrollment website process. Records activities of the fallback status point site system role. Records information about site configuration changes, and the publishing of site information in Active Directory Domain Services. Records the files that are moved from the management point to the corresponding INBOXES folder on the site server. Records file transfer activities between inbox folders. Records the processing of Site system server

EnrollWeb.log

fspmgr.log

Site system server

hman.log

Site server

Inboxast.log

Site server

inboxmgr.log

Site server

inboxmon.log

Site server
928

Log name

Description

Computer with log file

inbox files and performance counter updates. invproc.log Records the forwarding of MIF files from a secondary site to its parent site. Records information for Migration actions involving migration jobs, shared distribution points, and distribution point upgrades. Site server

migmctrl.log

The top-level site in the System Center 2012 Configuration Manager hierarchy, and each child primary site Note In a multi-primary site hierarchy, use the log file created at the central administration site.

mpcontrol.log

Records the registration of the management point with WINS. Records the availability of the management point every 10 minutes. Records the actions of the management point component that moves client files to the corresponding INBOXES folder on the site server. Records details of about the management point installation. Records the management point installation wrapper process. Records Network Discovery actions.

Site system server

mpfdm.log

Site system server

mpMSI.log

Site server

MPSetup.log

Site server

netdisc.log

Site server

929

Log name

Description

Computer with log file

ntsvrdis.log

Records the discovery activity of site system servers. Records the processing of object change notifications for replication. Records advertisement updates.

Site server

Objreplmgr

Site server

offermgr.log

Site server

offersum.log

Records the summarization Site server of deployment status messages. Records the activities of applying updates to operating system image files. Records the processing of outbox files and performance counter updates. Records the results of the installation of performance counters. Records the actions of the SMS Executive component that is responsible for sending content from a primary site to a remote distribution point. Records updates to the client policies to reflect changes to client settings or deployments. Records the activities of database replication between sites in the hierarchy. Site server

OfflineServicingMgr.log

outboxmon.log

Site server

PerfSetup.log

Site system server

PkgXferMgr.log

Site server

policypv.log

Primary site server

rcmctrl.log

Site server

930

Log name

Description

Computer with log file

replmgr.log

Records the replication of Site server files between the site server components and the Scheduler component. Records errors, warnings, and information about running the Resource Explorer. Records details about automatic deployment rules for the identification, content download, and software update group and deployment creation. Records details about siteto-site job and file replication. Records the files that transfer by file-based replication between sites. Records information about the processing of software inventory data to the site database. Records details about the maintenance of the installed site components on all site system servers in the site. Records site setting changes made to site control objects in the database. Records the availability and disk space monitoring process of all site systems. Records Configuration The computer that runs the Configuration Manager console

ResourceExplorer.log

ruleengine.log

Site server

schedule.log

Site server

sender.log

Site server

sinvproc.log

Site server

sitecomp.log

Site server

sitectrl.log

Site server

sitestat.log

Site server

SmsAdminUI.log

The computer that runs the

931

Log name

Description

Computer with log file

Manager console activity.

Configuration Manager console Site system server

SMSAWEBSVCSetup.log

Records the installation activities of the Application Catalog web service. Records output from the site backup process. Records database changes. Records the installation activities of the enrollment web service. Records the installation activities of the enrollment website. Records the processing of all site server component threads. Records messages generated by the installation of a fallback status point. Records the installation activities of the Application Catalog website. Records WMI provider access to the site database. Records detailed results of the reporting point installation process from the MSI output. Records results of the reporting point installation process. Records the maintenance

smsbkup.log

Site server

smsdbmon.log

Site server

SMSENROLLSRVSetup.log

Site system server

SMSENROLLWEBSetup.log

Site system server

smsexec.log

Site server or site system server

SMSFSPSetup.log

Site system server

SMSPORTALWEBSetup.log

Site system server

SMSProv.log

Computer with the SMS Provider

srsrpMSI.log

Site system server

srsrpsetup.log

Site system server

Srvacct.log

Site server
932

Log name

Description

Computer with log file

of accounts when the site uses standard security. statesys.log Records the processing of state system messages. Records the writing of all status messages to the database. Records the processing of metering files and settings. Site server

statmgr.log

Site server

swmproc.log

Site server

Site Server Installation Log Files

The following table lists the log files that contain information related to site installation.
Log name Description Computer with log file

ConfigMgrPrereq.log

Records pre-requisite component evaluation and installation activities. Records detailed output from site server setup. Records information related to activity in the Setup wizard. Records information about the progress of launching the secondary site installation process. Details of the actual setup process are contained in ConfigMgrSetup.log. Records information about the installation, use, and removal of a Windows service that is used to test network connectivity and permissions between servers, using the computer account of the server initiating the connection.

Site server

ConfigMgrSetup.log

Site Server

ConfigMgrSetupWizard.log

Site Server

SMS_BOOTSTRAP.log

Site Server

smstsvc.log

Site server and site systems

933

Fallback Status Point Logs Files

The following table lists the log files that contain information related to the fallback status point.
Log name Description Computer with log file

FspIsapi

Records details about communications to the fallback status point from mobile device legacy clients and client computers.

Site system server

fspMSI.log

Records messages generated by Site system server the installation of a fallback status point. Records activities of the fallback status point site system role. Site system server

fspmgr.log

Management Point Logs Files

The following table lists the log files that contain information related to the management point.
Log name Description Computer with log file

CcmIsapi.log

Records client messaging activity on the endpoint. Records the client registration activity processed by the management point. Records the conversion of XML.ddr records from clients, and copies them to the site server. Records the activities of the core management point and client framework components. Records client authorization activity. Records policy request activity from client computers. Records details about the

Site system server

MP_CliReg.log

Site system server

MP_Ddr.log

Site system server

MP_Framework.log

Site system server

MP_GetAuth.log

Site system server

MP_GetPolicy.log

Site system server

MP_Hinv.log

Site system server

934

Log name

Description

Computer with log file

conversion of XML hardware inventory records from clients and the copy of those files to the site server. MP_Location.log Records location request and reply activity from clients. Site system server

MP_OOBMgr.log

Records the management point Site system server activities related to receiving OTP from a client. Records policy communication. Records the transfer of files that are collected from the client. Records the hardware inventory retry processes. Records details about the conversion of XML software inventory records from clients and the copy of those files to the site server. Records details about file collection. Records details about the conversion of XML.svf status message files from clients and the copy of those files to the site server. Records the registration of the management point with WINS. Records the availability of the management point every 10 minutes. Records the actions of the management point component that moves client files to the corresponding INBOXES folder on the site server. Site system server Site system server

MP_Policy.log MP_Relay.log

MP_Retry.log

Site system server

MP_Sinv.log

Site system server

MP_SinvCollFile.log

Site system server

MP_Status.log

Site system server

mpcontrol.log

Site server

mpfdm.log

Site system server

935

Log name

Description

Computer with log file

mpMSI.log

Records details of about the management point installation.

Site server

MPSetup.log

Records the management point Site server installation wrapper process.

Software Update Point Log Files

he following table lists the log files that contain information related to the software update point.
Log name Description Computer with log file

objreplmgr.log

Records details about the replication of software updates notification files from a parent to child sites. Records details about the process of downloading software updates from the update source to the download destination on the site server.

Site server

PatchDownloader.log

The computer hosting the Configuration Manager console from which downloads are initiated

ruleengine.log

Records details about Site server automatic deployment rules for the identification, content download, and software update group and deployment creation. Records details about the software update point installation. When the software update point installation completes, Installation was successful is written to this log file. Site system server

SUPSetup.log

WCM.log

Records details about the Site server that connects to software update point the Windows Server Update configuration and connections Services (WSUS) server to the Windows Server Update Services (WSUS)
936

Log name

Description

Computer with log file

server for subscribed update categories, classifications, and languages. WSUSCtrl.log Records details about the configuration, database connectivity, and health of the WSUS server for the site. Records details about the software updates synchronization process. Records details about the Inventory Tool for the Microsoft Updates synchronization process. Site system server

wsyncmgr.log

Site system server

WUSSyncXML.log

The client computer configured as the synchronization host for the Inventory Tool for Microsoft Updates.

Log Files for Configuration Manager Functionality

The following sections list log files related to the different functions in Configuration Manager.

Application Management
The following table lists the log files that contain information related to Application Management.
Log name Description Computer with log file

AppIntentEval.log

Records details about the current and intended state of applications, their applicability, whether requirements were met, deployment types, and dependencies. Records details about the discovery or detection of applications on client computers. Records details about enforcement actions (install

Client

AppDiscovery.log

Site system server

AppEnforce.log

Site system server

937

Log name

Description

Computer with log file

and uninstall) taken for applications on the client. awebsctl.log Records the monitoring activities for the Application Catalog web service point site system role. Records detailed installation information for the Application Catalog web service point site system role. Records the activities of the application management SDK. Records details about when collections are created, changed, and deleted by the Collection Evaluator. Records the activity of the Application Catalog, which includes its use of Silverlight. Records the monitoring activities for the Application Catalog website point site system role. Records the MSI installation activity for the Application Catalog website role. Site system server

awebsvcMSI.log

Site system server

Ccmsdkprovider.log

Client

colleval.log

Site system server

ConfigMgrSoftwareCatalog.log

Client

portlctl.log

Site system server

portlwebMSI.log

Site system server

PrestageContent.log

Records the details about the Site system server use of the ExtractContent.exe tool on a remote prestaged distribution point. This tool extracts content that has been exported to a file. Records the activity of the Application Catalog web Site system server

ServicePortalWebService.log

938

Log name

Description

Computer with log file

service. ServicePortalWebSite.log Records the activity of the Application Catalog website. Records details about the distribution point health monitoring scheduled task that is configured on a distribution point. Site system server

SMSdpmon.log

Site server

SoftwareCatalogUpdateEndpoint.log

Records the activities for managing the URL for the Application Catalog shown in Software Center. Records the activities for Software Center prerequisite component validation.

Client

SoftwareCenterSystemTasks.log

Client

The following table lists the log files that contain information related to deploying packages and programs.
Log name Description Computer with log file

colleval.log

Records details about when collections are created, changed, and deleted by the Collection Evaluator. Records details about packages and task sequences that run.

Site server

execmgr.log

Client

Asset Intelligence
The following table lists the log files that contain information related to Asset Intelligence.
Log Name Description Computer with Log File

AssetAdvisor.log

Records the activities of Asset Intelligence inventory actions.

Client

939

Log Name

Description

Computer with Log File

aikbmgr.log

Records details about the processing of XML files from the inbox for updating the Asset Intelligence catalog. Records the interaction of the Asset Intelligence synchronization point with SCO (System Center Online), the online web service. Records details about the installation of Asset Intelligence synchronization point site system role. Records details about the installation of Asset Intelligence synchronization point site system role. Records details about discovering software with an associated software identification tag. Also records activities relating to hardware inventory. Records details about the processing of imported licensing files.

Site server

AIUpdateSvc.log

Site system server

AIUSMSI.log

Site system server

AIUSSetup.log

Site system server

ManagedProvider.log

Site system server

MVLSImport.log

Site system server

Backup and Recovery

The following table lists log files that contain information related to backup and recovery actions including site resets, and changes to the SMS Provider.
Log name Description Computer with log file

ConfigMgrSetup.log

Records information about setup and recovery tasks when Configuration Manager recovers a site from backup.

Site server

940

Log name

Description

Computer with log file

Smsbkup.log

Records details about the site backup activity. Records output from the site database backup process when SQL Server is installed on a different server than the site server. Records information about the state of the Configuration Manager VSS writer that is used by the backup process.

Site server

smssqlbkup.log

Site database server

Smswriter.log

Site server

Client Notification (Configuration Manager SP1 Only)

The following table lists the log files that contain information related to client notification.
Log name Description Computer with log file

bgbmgr.log

Records details about the activities of the site server relating to client notification tasks and processing online and task status files. Records the activities of the notification server such as client-server communications and pushing tasks to clients. Also records information about online and task status files generation to be sent to the site server. Records the activities of the notification server installation wrapper process during installation and uninstall. Records details about the notification server installation and uninstall.

Site server

BGBServer.log

Management point

BgbSetup.log

Management point

bgbisapiMSI.log

Management point

941

Log name

Description

Computer with log file

BgbHttpProxy.log

Records the activities of the notification HTTP proxy as it relays the messages of clients using HTTP to and from the notification server. Records the activities of the notification agent such as client-server communication and information about tasks received and dispatched to other client agents.

Client

CcmNotificationAgent.log

Client

Compliance Settings
The following table lists the log files that contain information related to compliance settings.
Log name Description Computer with log file

CIAgent.log

Records details about the Client process of remediation and compliance for compliance settings, software updates, and application management. Records information about configuration item task scheduling. Records high-level information about the evaluation, conflict reporting, and remediation of configuration items and applications. Records information about reporting policy platform results into state messages for configuration items. Records information about reading configuration item synclets from Windows Management Instrumentation Client

CITaskManager.log

DCMAgent.log

Client

DCMReporting.log

Client

DcmWmiProvider.log

Client

942

Log name

Description

Computer with log file

(WMI).

Configuration Manager Console

The following table lists the log files that contain information related to the Configuration Manager console.
Log name Description Computer with log file

ConfigMgrAdminUISetup.log

Records the installation of the Configuration Manager console. Records information about the operation of the Configuration Manager console. Records activities performed by the SMS Provider. Configuration Manager console activities use the SMS provider.

Computer that runs the Configuration Manager console Computer that runs the Configuration Manager console

SmsAdminUI.log

Smsprov.log

Site server or site system server

Content Management
The following table lists the log files that contain information related to content management.
Description Log name Computer with log file

For Configuration Manager SP1 only: DataTransferService.log

Records all BITS communication for policy or package access. This log is also used for content management by pulldistribution points. Records details about content that the pull-distribution point transfers from source distribution points.

A computer that is configured as a pulldistribution point

For Configuration Manager SP1 only: PullllDP.log

A computer that is configured as a pulldistribution point

943

Description Log name

Computer with log file

PrestageContent.log

Records the details about the use of the ExtractContent.exe tool on a remote prestaged distribution point. This tool extracts content that has been exported to a file. Records details about the distribution point health monitoring scheduled task that are configured on a distribution point. Records details about the extraction of compressed files received from a primary site. This log is generated by the WMI Provider of the remote distribution point.

Site system role

SMSdpmon.log

Site system role

smsdpprov.log

A distribution point computer that is not colocated with the site server.

Discovery
he following table lists the log files that contain information related to Discovery.
Log name Description Computer with log file

adsgdis.log

Records Active Directory Security Group Discovery actions. Records Active Directory System Discovery actions.

Site server

adsysdis.log

Site server

adusrdis.log

Records Active Directory User Site server Discovery actions. Records Active Directory Forest Discovery actions. Records activities of the discovery data manager. Site server

ADForestDisc.Log

ddm.log

Site server

InventoryAgent.log

Records activities of hardware Client

944

Log name

Description

Computer with log file

inventory, software inventory, and heartbeat discovery actions on the client. netdisc.log Records Network Discovery actions. Site server

Endpoint Protection
The following table lists the log files that contain information related to Endpoint Protection.
Log name Description Computer with log file

EndpointProtectionAgent.log

Records details about the installation of the Endpoint Protection client and the application of antimalware policy to that client. Records details about the synchronization of malware threat information from the Endpoint Protection role server into the Configuration Manager database. Monitors the status of the Endpoint Protection site system role. Provides information about the installation of the Endpoint Protection site system role.

Client

EPCtrlMgr.log

Site system server

EPMgr.log

Site system server

EPSetup.log

Site system server

Inventory
The following table lists the log files that contain information related to processing inventory data.
Log name Description Computer with log file

dataldr.log

Records information about the processing of Management

Site server

945

Log name

Description

Computer with log file

Information Format (MIF) files and hardware inventory in the Configuration Manager database. invproc.log Records the forwarding of MIF Secondary site server files from a secondary site to its parent site. Records information about the processing of software inventory data to the site database. Site server

sinvproc.log

Metering
The following table lists the log files that contain information related to metering.
Log name Description Computer with log file

mtrmgr.log

Monitors all software metering processes.

Site server

Migration
The following table lists the log files that contain information related to migration.
Log name Description Computer with log file

migmctrl.log

Records information about migration actions that involve migration jobs, shared distribution points, and distribution point upgrades.

The top-level site in the System Center 2012 Configuration Manager hierarchy, and each child primary site Note In a multi-primary site hierarchy, use the log file created at the central administration site.

946

Mobile Devices
The following sections list the log files that contain information related to managing mobile devices .

Enrollment
The following table lists logs that contain information related to mobile device enrollment.
Log name Description Computer with log file

DMPRP.log

Records communication between management points that are enabled for mobile devices and the management point endpoints. Records the Windows Installer data for the configuration of a management point that is enabled for mobile devices. Records the configuration of the management point when it is enabled for mobile devices.

Site system server

dmpmsi.log

Site system server

DMPSetup.log

Site system server

enrollsrvMSI.log

Records the Windows Installer data for the configuration of an enrollment point. Records communication between mobile devices and the enrollment proxy point. Records the Windows Installer data for the configuration of an enrollment proxy point. Records communication between an enrollment proxy point and an enrollment point. Records communication between mobile devices, Mac computers and the management point that is enabled for mobile devices

Site system server

enrollmentweb.log

Site system server

enrollwebMSI.log

Site system server

enrollmentservice.log

Site system server

SMS_DM.log

Site system server

947

Log name

Description

Computer with log file

and Mac computers.

Exchange Server Connector

The following table lists logs that contain information related to the Exchange Server connector.
Log name Description Computer with log file

easdisc.log

Records the activities and the status of the Exchange Server connector.

Site server

Mobile Device Legacy

The following table lists logs that contain information related to the mobile device legacy client.
Log name Description Computer with log file

DmCertEnroll.log

Records details about certificate enrollment data on mobile device legacy clients.

Client

DMCertResp.htm

Records the HTML response Client from the certificate server when the mobile device legacy client enroller program requests a PKI certificate. Records the GUIDs of all the mobile device legacy clients that communicate with the management point that is enabled for mobile devices. Records registration requests and responses to and from mobile device legacy clients. Records client setup data for mobile device legacy clients. Records client transfer data for mobile device legacy clients and for ActiveSync Site system server

DmClientHealth.log

DmClientRegistration.log

Site system server

DmClientSetup.log

Client

DmClientXfer.log

Client

948

Log name

Description

Computer with log file

deployments. DmCommonInstaller.log Records client transfer file installation for configuring mobile device legacy client transfer files. Client

DmInstaller.log

Records whether DMInstaller Client correctly calls DmClientSetup, and whether DmClientSetup exits with success or failure for mobile device legacy clients. Records all the site database Site system server connections and queries made by the management point that is enabled for mobile devices. Records all the discovery data Site system server from the mobile device legacy clients on the management point that is enabled for mobile devices. Records hardware inventory data from mobile device legacy clients on the management point that is enabled for mobile devices. Records mobile device legacy client communication with a management point that is enabled for mobile devices. Records the Windows Installer data for the configuration of a management point that is enabled for mobile devices. Records the configuration of the management point when it is enabled for mobile devices. Records software distribution data from mobile device Site system server

DmpDatastore.log

DmpDiscovery.log

DmpHardware.log

DmpIsapi.log

Site system server

dmpmsi.log

Site system server

DMPSetup.log

Site system server

DmpSoftware.log

Site system server

949

Log name

Description

Computer with log file

legacy clients on a management point that is enabled for mobile devices. DmpStatus.log Records status messages Site system server data from mobile device clients on a management point that is enabled for mobile devices. Records client communication Client from mobile device legacy clients with a management point that is enabled for mobile devices. Records details about communications to the fallback status point from mobile device legacy clients and client computers. Site system server

DmSvc.log

FspIsapi.log

Operating System Deployment

The following table lists the log files that contain information related to operating system deployment.
Log name Description Computer with log file

CAS.log

Records details when distribution points are found for referenced content.

Client

ccmsetup.log

Records ccmsetup tasks for Client client setup, client upgrade, and client removal. Can be used to troubleshoot client installation problems. Records details for task sequence media creation. The computer that runs the Configuration Manager console Site system server
950

CreateTSMedia.log

Dism.log

Records driver installation

Log name

Description

Computer with log file

actions or update apply actions for offline servicing. Distmgr.log Records details about the configuration of enabling a distribution point for PXE. Site system server

DriverCatalog.log

Records details about Site system server device drivers that have been imported into the driver catalog. Records information for multicast package transfer and client request responses. Records health check, namespace, session creation and certificate check actions. Records changes to configuration, security mode and availability. Records multicast provider interaction with Windows Deployment Services (WDS). Records details about multicast server role installation. Records details about multicast server role installation. Records details about multicast performance counter updates. Records management point responses to the client ID requests task sequences initiated from PXE or boot Site system server

mcsisapi.log

mcsexec.log

Site system server

mcsmgr.log

Site system server

mcsprv.log

Site system server

MCSSetup.log

Site system server

MCSMSI.log

Site system server

Mcsperf.log

Site system server

MP_ClientIDManager.log

Site system server

951

Log name

Description

Computer with log file

media. MP_DriverManager.log Records management point responses to Auto Apply Driver task sequence action requests. Records details of offline servicing schedules and update apply actions on operating system .wim files. Site system server

OfflineServicingMgr.log

Site system server

Setupact.log

Records details about Client Windows Sysprep and setup logs. Records details about Client Windows Sysprep and setup logs. Records details about Client Windows Sysprep and setup logs. Records details about the client state capture and restore actions, and threshold information. Records details about the results of state migration point health checks and configuration changes. Records installation and configuration details about the state migration point. Records the state migration point performance counter updates. Records details about the responses to clients that PXE boot and details about the expansion of boot images and boot files. Client

Setupapi.log

Setuperr.log

smpisapi.log

Smpmgr.log

Site system server

smpmsi.log

Site system server

smpperf.log

Site system server

smspxe.log

Site system server

952

Log name

Description

Computer with log file

smssmpsetup.log

Records installation and configuration details about the state migration point. Records task sequence activities.

Site system server

Smsts.log

Client

TSAgent.log

Records the outcome of task Client sequence dependencies before starting a task sequence. Records details about task sequences when they are imported, exported, or edited. Records details about the User State Migration Tool (USMT) and restoring user state data. Records details about the User State Migration Tool (USMT) and capturing user state data. Site system server

TaskSequenceProvider.log

loadstate.log

Client

scanstate.log

Client

Out of Band Management

The following sections list the log files that contain information related to out of band management, for when you manage Intel AMT-based computers.

Site System Roles for Out of Band Management

The following table lists the log files that contain information related to the out of band service point.
Log name Description Computer with log file

amtopmgr.log

Records the activities of the out of band service point, which include the discovery of management controllers, provisioning, audit log control,

Out of band service point site system server

953

Log name

Description

Computer with log file

and power control commands. adctrl.log Records details about managing Active Directory accounts that are used by out of band management. Site server

ADService.log Records details about account creation and security group details in Active Directory. amtproxymgr.log Records details about the activities of the site server relating to provisioning and sending instruction files to the out of band service point, which include the following: Discovery of management controllers AMT provisioning Audit log control Power control commands

Site server

Site server

This log file also records information about out of band management site replication. amtspsetup.log Records details about the installation of the out of band service point. Out of band service point site system server

Out of Band Management Client Computer Log Files

The following table lists the log files that contain information about the management activities on Intel AMT-based computers.
Log name Description Computer with log file

oobmgmt.log

Records details about out of band management activities on AMT-based computers, which includes the AMT provisioning state of the management

Client

954

Log name

Description

Computer with log file

controller.

Out of Band Management Console Log Files

The following table lists the log files that contain information related to the out of band management console.
Log name Description Computer with log file

Oobconsole_<Machine Name>_<User Name>.log

Records details about running the out of band management console.

Computer that runs the out of band management console

Power Management
The following table lists the log files that contain information related to power management.
Log name Description Computer with log file

pwrmgmt.log

Records details about power management activities on the client computer, which include monitoring and the enforcement of settings by the Power Management Client Agent.

Client

Remote Control
The following table lists the log files that contain information related to remote control.
Log name Description Computer with log file

CMRcViewer.log

Records details about the activity of the remote control viewer.

Located in the %temp% folder on the computer running the remote control viewer.

955

Reporting
The following table lists the Configuration Manager log files that contain information related to reporting.
Log name Description Computer with log file

srsrp.log

Records information about the activity and status of the reporting services point. Records detailed results of the reporting services point installation process from the MSI output. Records results of the reporting services point installation process.

Site system server

srsrpMSI.log

Site system server

srsrpsetup.log

Site system server

Role-Based Administration
The following table lists the log files that contain information related to managing role-based administration.
Log name Description Computer with log file

hman.log

Records information about site configuration changes, and the publishing of site information to Active Directory Domain Services. Records WMI provider access to the site database.

Site server

SMSProv.log

Computer with the SMS Provider

Software Updates and Network Access Protection

The following table lists the log files that contain information related to software updates and Network Access Protection.
Log name Description Computer with log file

ccmcca.log

Records details about the processing of compliance

Client
956

Log name

Description

Computer with log file

evaluation based on Configuration Manager NAP policy processing, and contains the processing of remediation for each software update required for compliance. ccmperf.log Records activities related to the maintenance and capture of data related to client performance counters. Records details about the process of downloading software updates from the update source to the download destination on the site server. Client

PatchDownloader.log

The computer hosting the Configurati on Manager console from which downloads are initiated

PolicyEvaluator.log

Records details about the evaluation of policies on client Client computers, including policies from software updates. Records details about the coordination of system restarts on client computers after software update installations. Records details about scan requests for software updates, the WSUS location, and related actions. Records details about tracking of remediation and compliance. However, the software updates log file, Updateshandler.log, provides more informative details about installing the software updates required for compliance. This log file is shared with compliance settings. Client

RebootCoordinator.log

ScanAgent.log

Client

SdmAgent.log

Client

ServiceWindowManager. Records details about the evaluation of maintenance log windows. smssha.log

Client

The main log file for the Configuration Manager Network Client Access Protection client and it contains a merged statement of health information from the two Configuration Manager components: location services (LS) and the configuration compliance agent (CCA). This log file also contains information about the interactions between the Configuration Manager System
957

Log name

Description

Computer with log file

Health Agent and the operating system NAP agent, and also between the Configuration Manager System Health Agent and both the configuration compliance agent and the location services. It provides information about whether the NAP agent successfully initialized, the statement of health data, and the statement of health response. Smsshv.log This is the main log file for the System Health Validator point and records the basic operations of the System Health Validator service, such as the initialization progress. Records details about the retrieval of Configuration Manager health state references from Active Directory Domain Services. Records details about the cache store used to hold the Configuration Manager NAP health state references retrieved from Active Directory Domain Services, such as reading from the store and purging entries from the local cache store file. The cache store is not configurable. Site system server

Smsshvadcacheclient.lo g

Site system server

SmsSHVCacheStore.log

Site system server

smsSHVQuarValidator.lo Records client statement of health information and g processing operations. To obtain full information, change the registry key LogLevel from 1 to 0 in the following location: HKLM\SOFTWARE\Microsoft\SMSSHV\Logging\@G LOBAL smsshvregistrysettings.l og Records any dynamic change to the System Health Validator component configuration while the service is running. Records the success or failure (with failure reason) of installing the System Health Validator point. Records details about the scan process for the Inventory Tool for Microsoft Updates. Records details about software updates state messages that are created and sent to the management point. Records details about the software update point

Site system server

Site system server

SMSSHVSetup.log

Site system server Client

SmsWusHandler.log

StateMessage.log

Client

SUPSetup.log

Site system
958

Log name

Description

Computer with log file

installation. When the software update point installation completes, Installation was successful is written to this log file. UpdatesDeployment.log Records details about deployments on the client, including software update activation, evaluation, and enforcement. Verbose logging shows additional information about the interaction with the client user interface. Records details about software update compliance scanning and about the download and installation of software updates on the client. Records details about compliance status for the software updates that were assessed during the compliance scan cycle. Records details about software update point configurations and connections to the Windows Server Update Services (WSUS) server for subscribed update categories, classifications, and languages. Records details about the configuration, database connectivity, and health of the WSUS server for the site. Records details about the software updates synchronization process. Records details about the Windows Update Agent on the client when it searches for software updates.

server

Client

UpdatesHandler.log

Client

UpdatesStore.log

Client

WCM.log

Site server

WSUSCtrl.log

Site system server Site server

wsyncmgr.log

WUAHandler.log

Client

Wake On LAN
The following table lists the log files that contain information related to using Wake on LAN. Note If you supplement Wake On LAN by using wake-up proxy in Configuration Manager SP1, this activity is logged on the client. For example, see CcmExec.log and SleepAgent_<domain>@SYSTEM_0.log in the Client Operations section of this topic.
Log name Description Computer with log file

wolcmgr.log

Records details about which

Site server
959

Log name

Description

Computer with log file

clients need to be sent wake-up packets, the number of wakeup packets sent, and the number of wake-up packets retried. wolmgr.log Records details about wake-up procedures, such as when to wake up deployments that are configured for Wake On LAN. Site server

Windows Intune Connector

The following table lists the log files that contain information related to the Windows Intune connector.
Log name Description Computer with log file

CertMgr.log

Records certificate and proxy account information. Records details about when collections are created, changed, and deleted by the Collection Evaluator. Records license enablement for users. Records information about the processing of MIX files. Records activities of the discovery data manager.

Site server

CollEval.log

Primary site and central administration site

Cloudusersync.log

Computer with the Windows Intune connector Site server

Dataldr.log

ddm.log

Site server

Distmgr.log

Records details about Top-level site server content distribution requests. Records details on downloads from Windows Intune. Computer with the Windows Intune connector

Dmpdownloader.log

Dmpuploader.log

Records details for Computer with the uploading database changes Windows Intune connector to Windows Intune.
960

Log name

Description

Computer with log file

hman.log

Records information about message forwarding. Records the processing of policy and assignment. Records policy generation of all policies.

Site server

objreplmgr.log

Primary site server

PolicyPV.log

Site server

outgoingcontentmanager.log

Records content uploaded to Computer with the Windows Intune. Windows Intune connector Records details of connector role installation. Records Configuration Manager console activity. Site server

Sitecomp.log

SmsAdminUI.log

Computer that runs the Configuration Manager console

Smsprov.log

Records activities performed Computer with the by the SMS Provider. SMS Provider Configuration Manager console activities use the SMS Provider. Records details about the Windows Intune connector installer service. Records the processing of mobile device management messages. Computer with the Windows Intune connector

SrvBoot.log

Statesys.log

Primary site and central administration site

Windows Update Agent

The following table lists the log files that contain information related to the Windows Update Agent.
Log name Description Computer with log file

WindowsUpdate.log

Records details about when the Windows Update Agent connects to the WSUS server and retrieves the software updates for compliance

Client

961

Log name

Description

Computer with log file

assessment and whether there are updates to the agent components.

WSUS Server
The following table lists the log files that contain information related to the WSUS server.
Log name Description Computer with log file

Change.log

Records details about the WSUS server database information that has changed. Records details about the software updates that are synchronized from the configured update source to the WSUS server database.

WSUS server

SoftwareDistribution.log

WSUS server

See Also
Technical Reference for Site Administration in Configuration Manager

Technical Reference for Accounts Used in Configuration Manager

Use the following information to identify the Windows groups and the accounts that are used in System Center 2012 Configuration Manager, how they are used, and any requirements.

962

Windows Groups That Configuration Manager Creates and Uses

Configuration Manager automatically creates and in many cases, automatically maintains the following Windows groups: Note When Configuration Manager creates a group on a computer that is a domain member, the group is a local security group. If the computer is a domain controller, the group is a domain local group that is shared among all domain controllers in the domain.

ConfigMgr_CollectedFilesAccess
This group is used by Configuration Manager to grant access to view files collected by software inventory. The following table lists additional details for this group:
Detail More information

Type and location

This group is a local security group created on the primary site server. Note When you uninstall a site, this group is not automatically removed and must be manually deleted.

Membership

Configuration Manager automatically manages the group membership. Membership includes administrative users that are granted the View Collected Files permission to the Collection securable object from an assigned security role. By default, this group has Read permission to the following folder on the site server: %path%\Microsoft Configuration Manager\sinv.box\FileCol.

Permissions

ConfigMgr_DViewAccess
This group is a local security group created on the site database server or database replica server by System Center 2012 Configuration Manager and is not currently used. This group is reserved for future use by Configuration Manager.

963

ConfigMgr Remote Control Users

This group is used by Configuration Manager remote tools to store the accounts and groups that you configure in the permitted viewers list that are assigned to each client. The following table lists additional details for this group:
Detail More information

Type and location

This group is a local security group created on the Configuration Manager client when the client receives policy that enables remote tools. Important After you disable remote tools for a client, this group is not automatically removed and must be manually deleted this from each client computer.

Membership

By default, there are no members in this group. When you add users to the Permitted Viewers list, they are automatically added to this group. Tip Use the Permitted Viewers list to manage the membership of this group instead of adding users or groups directly to this group. In addition to being a Permitted Viewer, an administrative user must have the Remote Control permission to the Collection object. You can assign this permission by using the Remote Tools Operator security role.

Permissions

By default, this group does not have permissions to any locations on the computer, and is used only to hold the list of Permitted Viewers.

SMS Admins
This group is used by Configuration Manager to grant access to the SMS Provider, through WMI. Access to the SMS Provider is required to view and modify objects in the Configuration Manager console. Note
964

The role-based administration configuration of an administrative user determines which objects they can view and manage when using the Configuration Manager console. The following table lists additional details for this group:
Detail More information

Type and location

This group is a local security group created on each computer that has a SMS Provider. Note When you uninstall a site, this group is not automatically removed and must be manually deleted.

Membership

Configuration Manager automatically manages the group membership. By default, each administrative user in a hierarchy and the site server computer account are members of the SMS Admins group on each SMS Provider computer in a site. SMS Admins rights and permissions are set in the WMI Control MMC snap-in. By default, the SMS Admins group is granted Enable Account and Remote Enable on the Root\SMS namespace. Authenticated Users has Execute Methods, Provider Write, and Enable Account Note Administrative users who will use a remote Configuration Manager console require Remote Activation DCOM permissions on both the site server computer and the SMS Provider computer. It is a best practice to grant these rights to the SMS Admins to simplify administration instead of granting these rights directly to users or groups. For more information, see the Configure DCOM Permissions for Remote Configuration Manager Console Connections section in the Manage Site and Hierarchy Configurations topic.
965

Permissions

SMS_SiteSystemToSiteServerConnection_MP_<sitecode>
This group is used by Configuration Manager management points that are remote from the site server to connect to the site database. This group provides a management point access to the inbox folders on the site server and the site database. The following table lists additional details for this group:
Detail More information

Type and location

This group is a local security group created on each computer that has a SMS Provider. Note When you uninstall a site, this group is not automatically removed and must be manually deleted.

Membership

Configuration Manager automatically manages the group membership. By default, membership includes the computer accounts of remote computers that have a management point for the site. By default, this group has Read, Read & execute, and List folder contents permission to the %path%\Microsoft Configuration Manager\inboxes folder on the site server. Additionally, this group has the additional permission of Write to various subfolders below the inboxes to which the management point writes client data.

Permissions

SMS_SiteSystemToSiteServerConnection_SMSProv_<sitecode>
This group is used by Configuration Manager SMS Provider computers that are remote from the site server to connect to the site server. The following table lists additional details for this group:
Detail More information

Type and location

This group is a local security group created on the site server.

966

Detail

More information

Note When you uninstall a site, this group is not automatically removed and must be manually deleted. Membership Configuration Manager automatically manages the group membership. By default, membership includes the computer account or the domain user account that is used to connect to the site server from each remote computer that has installed a SMS Provider for the site. By default, this group has Read, Read & execute, and List folder contents permission to the %path%\Microsoft Configuration Manager\inboxes folder on the site server. Additionally, this group has the additional permission of Write or the permissions of Write and Modify to various subfolders below the inboxes to which the SMS Provider requires access. This group also has Read, Read & execute, List folder contents, Write, and Modify permissions to the folders below %path%\Microsoft Configuration Manager\OSD\boot and Read permission to the folders below %path%\Microsoft Configuration Manager\OSD\Bin on the site server.

Permissions

SMS_SiteSystemToSiteServerConnection_Stat_<sitecode>
This group is used by the File Dispatch Manager on Configuration Manager remote site system computers to connect to the site server. The following table lists additional details for this group:
Detail More information

Type and location

This group is a local security group created on the site server. Note
967

Detail

More information

When you uninstall a site, this group is not automatically removed and must be manually deleted. Membership Configuration Manager automatically manages the group membership. By default, membership includes the computer account or the domain user account that is used to connect to the site server from each remote site system computer that runs the File Dispatch Manager. By default, this group has Read, Read & execute, and List folder contents permission to the %path%\Microsoft Configuration Manager\inboxes folder and various subfolders below that location on the site server. Additionally, this group has the additional permissions of Write and Modify to the %path%\Microsoft Configuration Manager\inboxes\statmgr.box folder on the site server.

Permissions

SMS_SiteToSiteConnection_<sitecode>
This group is used by Configuration Manager to enable file-based replication between sites in a hierarchy. For each remote site that directly transfers files to this site, this group contains the following accounts: Accounts configured as a Site Address Account, from Configuration Manager sites with no service pack Accounts configured as a File Replication Account, from Configuration Manager SP1 sites Note For Configuration Manager SP1 only, the File Replication Account replaces the Site Address Account. The following table lists additional details for this group:
Detail More information

Type and location

This group is a local security group created on the site server. When you install a new site as a child of another site, Configuration Manager
968

Membership

Detail

More information

automatically adds the computer account of the new site to the group on the parent site server, and the parent sites computer account to the group on the new site server. If you specify another account for file-based transfers, add that account to this group on the destination site server. Note When you uninstall a site, this group is not automatically removed and must be manually deleted. Permissions By default, this group has full control to the %path%\Microsoft Configuration Manager\inboxes\despoolr.box\receive folder.

Accounts That Configuration Manager Uses

You can configure the following accounts for Configuration Manager:

Active Directory Group Discovery Account

The Active Directory Group Discovery Account is used to discover local, global, and universal security groups, the membership within these groups, and the membership within distribution groups from the specified locations in Active directory Domain Services. Distribution groups are not discovered as group resources. This account can be a computer account of the site server that runs discovery, or a Windows user account. It must have Read access permission to the Active Directory locations that are specified for discovery.

Active Directory System Discovery Account

The Active Directory System Discovery Account is used to discover computers from the specified locations in Active Directory Domain Services. This account can be a computer account of the site server that runs discovery, or a Windows user account. It must have Read access permission to the Active Directory locations that are specified for discovery.

969

Active Directory User Discovery Account

The Active Directory User Discovery Account is used to discover user accounts from the specified locations in Active Directory Domain Services. This account can be a computer account of the site server that runs discovery, or a Windows user account. It must have Read access permission to the Active Directory locations that are specified for discovery.

Active Directory Forest Account

The Active Directory Forest Account is used to discovery network infrastructure from Active Directory forests, and is also used by central administration sites and primary sites to publish site data to the Active Directory Domain Services of a forest. Note Secondary sites always use the secondary site server computer account to publish to Active Directory. Note Active Directory Forest Account must be a global account to discover and publish to untrusted forests. If you do not use the computer account of the site server, you can only select a global account. This account must have Read permissions to each Active Directory forest where you want to discover network infrastructure. This account must have Full Control permissions to the System Management container and all its child objects in each Active Directory forest where you want to publish site data.

AMT Provisioning and Discovery Account

The AMT Provisioning and Discovery Account is functionally equivalent to the AMT Remote Admin Account and resides in the Management Engine BIOS extension (MEBx) of Intel AMTbased computers. This account is used by the server that runs the out of band service point role to manage some network interface features of AMT, by using the out of band management feature. If you specify an AMT Provisioning and Discovery Account in Configuration Manager, it must match the AMT Remote Admin Account name and password that is specified in the BIOS extensions in the AMT-based computers. Note For more information about whether to specify an AMT Provisioning and Discovery Account, see Step 5: Configuring the Out of Band Management Component in the How to Provision and Configure AMT-Based Computers in Configuration Manager topic in the Assets and Compliance in System Center 2012 Configuration Manager guide.

970

The account is stored in the Management Engine BIOS extensions of the AMT-based computer and does not correspond to any account in Windows.

AMT Provisioning Removal Account

The AMT Provisioning Removal Account can remove AMT provisioning information if you have to recover the site. You might also be able to use it when a Configuration Manager client was reassigned and the AMT provisioning information was not removed from the computer in the old site. To successfully remove the AMT provisioning information by using the AMT Provisioning Removal Account, all the following must be true: The AMT Provisioning Removal Account is configured in the out of band management component properties. The account that is configured for the AMT Provisioning Removal Account was configured as an AMT User Account in the out of band management component properties when the AMTbased computer was provisioned or updated. The account that is configured for the AMT Provisioning Removal Account must be a member of the local Administrators group on the out of band service point computer. The AMT auditing log is not enabled.

Because this is a Windows user account, specify an account with a strong password that does not expire.

AMT Remote Admin Account

The AMT Remote Admin Account is the account in the Management Engine BIOS extension (MEBx) of Intel AMT-based computers that is used by the server running the out of band service point role to manage some network interface features of AMT in Configuration Manager, by using the out of band management feature. Configuration Manager automatically sets the remote admin account password for computers that it provisions for AMT, and this is then used for subsequent authenticated access to the AMT firmware. This account is functionally equivalent to the Configuration Manager AMT Provisioning and Discovery Account. The account is stored in the Management Engine BIOS extensions of the AMT-based computer and does not correspond to any account in Windows.

AMT User Accounts

AMT User Accounts control which Windows users or groups can run management functions in the Out of Band Management console. The configuration of the AMT User Accounts creates the equivalent of an access control list (ACL) in the AMT firmware. When the logged on user attempts to run the Out of Band Management console, AMT uses Kerberos to authenticate the account and then authorizes or denies access to run the AMT management functions.
971

Configure the AMT User Accounts before you provision the AMT-based computers. If you configure AMT User Accounts after computers are provisioned for AMT, you must manually update the AMT memory for these computers so that they are reconfigured with the new settings. Because the AMT User Accounts use Kerberos authentication, the user accounts and security groups must exist in an Active Directory domain.

Asset Intelligence Synchronization Point Proxy Server Account

The Asset Intelligence Synchronization Point Proxy Server Account is used by the Asset Intelligence synchronization point to access the Internet via a proxy server or firewall that requires authenticated access. Security Specify an account that has the least possible permissions for the required proxy server or firewall.

Capture Operating System Image Account

The Capture Operating System Image Account is used by Configuration Manager to access the folder where captured images are stored when you deploy operating systems. This account is required if you add the step Capture Operating System Image to a task sequence. The account must have Read and Write permissions on the network share where the captured image is stored. If the password the account is changed in Windows, you must update the task sequence with the new password. The Configuration Manager client will receive the new password when it next downloads client policy. If you use this account, you can create one domain user account with minimal permissions to access the required network resources and use it for all task sequence accounts. Security Do not assign this account interactive logon permissions. Do not use the Network Access account for this account.

Client Push Installation Account

The Client Push Installation Account is used to connect to computers and install the Configuration Manager client software if you deploy clients by using client push installation. If this account is not specified, the site server account is used to try to install the client software. This account must be a member of the local Administrators group on the computers where the Configuration Manager client software is to be installed. This account does not require Domain Admin rights. You can specify one or more Client Push Installation Accounts, which Configuration Manager tries in turn until one succeeds.
972

Tip To more effectively coordinate account updates in large Active Directory deployments, create a new account with a different name, and then add the new account to the list of Client Push Installation Accounts in Configuration Manager. Allow sufficient time for Active Directory Domain Services to replicate the new account, and then remove the old account from Configuration Manager and Active Directory Domain Services. Security Do not grant this account the right to log on locally.

Enrollment Point Connection Account

The Enrollment Point Connection Account connects the enrollment point to the Configuration Manager site database. By default, the computer account of the enrollment point is used, but you can configure a user account instead. You must specify a user account whenever the enrollment point is in an untrusted domain from the site server. This account requires Read and Write access to the site database.

Exchange Server Connection Account

The Exchange Server Connection Account connects the site server to the specified Exchange Server computer to find and manage mobile devices that connect to Exchange Server. This account requires Exchange PowerShell cmdlets that provide the required permissions to the Exchange Server computer. For more information about the cmdlets, see How to Manage Mobile Devices by Using the Exchange Server Connector in Configuration Manager.

Exchange Server Connector Proxy Server Account

The Exchange Server Connector Proxy Server Account is used by the Exchange Server connector to access the Internet via a proxy server or firewall that requires authenticated access. Security Specify an account that has the least possible permissions for the required proxy server or firewall.

Endpoint Protection SMTP Server Connection Account

For Configuration Manager with no service pack: The Endpoint Protection SMTP Server Connection Account is used by the site server to send email alerts for Endpoint Protection when the SMTP server requires authenticated access. Security Specify an account that has the least possible permissions to send emails.

973

Health State Reference Publishing Account

The Health State Reference Publishing Account is used to publish the Network Access Protection (NAP) health state reference for Configuration Manager to Active Directory Domain Services. If you do not configure an account, Configuration Manager attempts to use the site server computer account to publish the health state references. This account requires Read, Write and Create permissions to the Active Directory forest that stores the health state reference. Create the account in the forest that is designated to store the health state references. Assign the least possible permissions to this account and do not use the same account that is specified for the Health State Reference Querying Account, which requires only Read permissions.

Health State Reference Querying Account

The Health State Reference Querying Account is used to retrieve the Network Access Protection (NAP) health state reference for Configuration Manager from Active Directory Domain Services. If you do not configure an account, Configuration Manager attempts to use the site server computer account to retrieve the health state references. This account requires Read permissions to the Configuration Manager Systems Management container in the Global Catalog. Create the account in the forest that is designated to store the health state references. Do not use the same account for the Health State Reference Publishing Account, which requires more privileges. Security Do not grant this account interactive logon rights.

Management Point Database Connection Account

The Management Point Database Connection Account is used to connect the management point to the Configuration Manager site database so that it can send and retrieve information for clients. By default, the computer account of the management point is used, but you can configure a user account instead. You must specify a user account whenever the management point is in an untrusted domain from the site server. Create the account as a low-rights, local account on the computer that runs Microsoft SQL Server. Security Do not grant this account interactive logon rights.

974

MEBx Account
The MEBx Account is the account in the Management Engine BIOS extension (MEBx) on Intel AMT-based computers and it is used for initial authenticated access to the AMT firmware on AMT-based computers. The MEBx Account is named admin, and by default, the password is admin. Your manufacturer might provide a customized password, or you might have specified your choice of password in AMT. If the MEBx password is set to a value that is not admin, you must configure an AMT Provisioning and Discovery Account. For more information, see Step 5: Configuring the Out of Band Management Component in the How to Provision and Configure AMT-Based Computers in Configuration Manager topic. The account is stored in the Management Engine BIOS extensions of the AMT-based computer. This account does not correspond to any account in Windows. If the default MEBx password has not been changed before Configuration Manager provisions the computer for AMT, during the AMT provisioning process, Configuration Manager sets the password that you configure.

Multicast Connection Account

The Multicast Connection Account is used by distribution points that are configured for multicast to read information from the site database. By default, the computer account of the distribution point is used, but you can configure a user account instead. You must specify a user account whenever the site database is in an untrusted forest. For example, if your data center has a perimeter network in a forest other than the site server and site database, you can use this account to read the multicast information from the site database. If you create this account, create it as a low-rights, local account on the computer that runs Microsoft SQL Server. Security Do not grant this account interactive logon rights.

Network Access Account

The Network Access Account is used by client computers when they cannot use their local computer account to access content on distribution points. For example, this applies to workgroup clients and computers from untrusted domains. This account might also be used during operating system deployment when the computer installing the operating system does not yet have a computer account on the domain. Note The Network Access Account is never used as the security context to run programs, install software updates, or run task sequences; only for accessing resources on the network.

975

Grant this account the minimum appropriate permissions on the content that the client requires to access the software. The account must have the Access this computer from the network right on the distribution point or other server that holds the package content. Because you can create only one Network Access Account per site, this account must function for all packages and task sequences for which it is required. Warning When Configuration Manager tries to use the computername$ account to download the content and it fails, it automatically tries the Network Access Account again, even if it has previously tried and failed. Create the account in any domain that will provide the necessary access to resources. The Network Access Account must always include a domain name. Pass-through security is not supported for this account. If you have distribution points in multiple domains, create the account in a trusted domain. Tip To avoid account lockouts, do not change the password on an existing Network Access Account. Instead, create a new account and configure the new account in Configuration Manager. When sufficient time has passed for all clients to have received the new account details, remove the old account from the network shared folders and delete the account. Security Do not grant this account interactive logon rights Do not grant this account the right to join computers to the domain. If you must join computers to the domain during a task sequence, use the Task Sequence Editor Domain Joining Account.

Package Access Account

Package Access Accounts enable you to set NTFS permissions to specify the users and user groups that can access a package folder on distribution points. By default, Configuration Manager grants access only to the generic access accounts Users and Administrators, but you can control access for client computers by using additional Windows accounts or groups. Mobile devices always retrieve package content anonymously, so the Package Access Accounts are not used by mobile device. By default, when Configuration Manager creates the package share on a distribution point, it grants Read access to the local Users group and Full Control to the local Administrators group. The actual permissions required will depend on the package. If you have clients in workgroups or in untrusted forests, those clients use the Network Access Account to access the package content. Make sure that the Network Access Account has permissions to the package by using the defined Package Access Accounts.

976

Use accounts in a domain that can access the distribution points. If you create or modify the account after the package is created, you must redistribute the package. Updating the package does not change the NTFS permissions on the package. You do not have to add the Network Access Account as a Package Access Account, because membership of the Users group adds it automatically. Restricting the Package Access Account to only the Network Access Account does not prevent clients from accessing the package.

Reporting Services Point Account

The Reporting Services Point Account is used by SQL Server Reporting Services to retrieve the data for Configuration Manager reports from the site database. The Windows user account and password that you specify are encrypted and stored in the SQL Server Reporting Services database.

Remote Tools Permitted Viewer Accounts

The accounts that you specify as Permitted Viewers for remote control are a list of users who are allowed to use remote tools functionality on clients.

Site System Installation Account

The Site System Installation Account is used by the site server to install, reinstall, uninstall, and configure site systems. If you configure the site system to require the site server to initiate connections to this site system, Configuration Manager also uses this account to pull data from the site system computer after the site system and any site system roles are installed. Each site system can have a different Site System Installation Account, but you can configure only one Site System Installation Account to manage all site system roles on that site system. This account requires local administrative permissions on the site systems that they will install and configure. Additionally, this account must have Access this computer from the network in the security policy on the site systems that they will install and configure. Tip If you have many domain controllers and these accounts will be used across domains, verify that the accounts have replicated before you configure the site system. When you specify a local account on each site system to be managed, this configuration is more secure than using domain accounts, because it limits the damage that attackers can do if the account is compromised. However, domain accounts are easier to manage, so consider the trade-off between security and effective administration.

SMTP Server Connection Account

For Configuration Manager SP1 only: The SMTP Server Connection Account is used by the site server to send email alerts when the SMTP server requires authenticated access. Security
977

Specify an account that has the least possible permissions to send emails.

Software Update Point Connection Account

The Software Update Point Connection Account is used by the site server for the following two software updates services: WSUS Configuration Manager, which configures settings such as product definitions, classifications, and upstream settings. WSUS Synchronization Manager, which requests synchronization to an upstream WSUS server or Microsoft Update.

The Site System Installation Account can install components for software updates, but cannot perform software updates-specific functions on the software update point. If you cannot use the site server computer account for this functionality because the software update point is in an untrusted forest, you must specify this account in addition to the Site System Installation Account. This account must be a local administrator on the computer where WSUS is installed, and be part of the local WSUS Administrators group.

Software Update Point Proxy Server Account

The Software Update Point Proxy Server Account is used by the software update point to access the Internet via a proxy server or firewall that requires authenticated access. Security Specify an account that has the least possible permissions for the required proxy server or firewall.

Source Site Account

The Source Site Account is used by the migration process to access the SMS Provider of the source site. This account requires Read permissions to site objects in the source site to gather data for migration jobs. If you upgrade Configuration Manager 2007 distribution points or secondary sites that have colocated distribution points to System Center 2012 Configuration Manager distribution points, this account must also have Delete permissions to the Site class to successfully remove the distribution point from the Configuration Manager 2007 site during the upgrade. Note Both the Source Site Account and Source Site Database Account are identified as Migration Manager in the Accounts node of the Administration workspace in the Configuration Manager console.

978

Source Site Database Account

The Source Site Database Account is used by the migration process to access the SQL Server database for the source site. To gather data from the SQL Server database of the source site, the Source Site Database Account must have the Read and Execute permissions to the source site SQL Server database. Note If you use the System Center 2012 Configuration Manager computer account, ensure that all the following are true for this account: It is a member of the security group Distributed COM Users in the domain where the Configuration Manager 2007 site resides. It is a member of the SMS Admins security group. It has the Read permission to all Configuration Manager 2007 objects. Note Both the Source Site Account and Source Site Database Account are identified as Migration Manager in the Accounts node of the Administration workspace in the Configuration Manager console.

Task Sequence Editor Domain Joining Account

The Task Sequence Editor Domain Joining Account is used in a task sequence to join a newly imaged computer to a domain. This account is required if you add the step Join Domain or Workgroup to a task sequence, and then select Join a domain. This account can also be configured if you add the step Apply Network Settings to a task sequence, but it is not required. This account requires the Domain Join right in the domain that the computer will be joining. Tip If you require this account for your task sequences, you can create one domain user account with minimal permissions to access the required network resources and use it for all task sequence accounts. Security Do not assign this account interactive logon permissions. Do not use the Network Access Account for this account.

Task Sequence Editor Network Folder Connection Account

The Task Sequence Editor Network Folder Connection Account is used by a task sequence to connect to a shared folder on the network. This account is required if you add the step Connect to Network Folder to a task sequence. This account requires permissions to access the specified shared folder and must be a user domain account.
979

Tip If you require this account for your task sequences, you can create one domain user account with minimal permissions to access the required network resources and use it for all task sequence accounts. Security Do not assign this account interactive logon permissions. Do not use the Network Access Account for this account.

Task Sequence Run As Account

The Task Sequence Run As Account is used to run command lines in task sequences and use credentials other than the local system account. This account is required if you add the step Run Command Line to a task sequence but do not want the task sequence to run with Local System account permissions on the managed computer. Configure the account to have the minimum permissions required to run the command line that specified in the task sequence. The account requires interactive login rights, and it usually requires the ability to install software and access network resources. Security Do not use the Network Access account for this account. Never make the account a domain administrator. Never configure roaming profiles for this account. When the task sequence runs, it will download the roaming profile for the account, which leaves the profile vulnerable to access on the local computer. Limit the scope of the account. For example, create different Task Sequence Run As Accounts for each task sequence so that if one account is compromised, only the client computers to which that account has access are compromised. If the command line requires administrative access on the computer, consider creating a local administrator account solely for the Task Sequence Run As Account on all computers that will run the task sequence, and delete the account as soon as it is no longer needed.

See Also
Technical Reference for Site Administration in Configuration Manager

980

Technical Reference for Cryptographic Controls Used in Configuration Manager

Note This topic appears in the Site Administration for System Center 2012 Configuration Manager guide and in the Security and Privacy for System Center 2012 Configuration Manager guide. System Center 2012 Configuration Manager uses signing and encryption to help protect the management of the devices in the Configuration Manager hierarchy. Signing ensures that if data has been altered in transit, the data will be discarded. Encryption prevents an attacker from reading the data by using a network protocol analyzer. The primary hashing algorithm that Configuration Manager uses for signing is SHA-256. When two Configuration Manager sites communicate with each other, they sign their communications by using SHA-256 and you can require that all clients use SHA-256. The primary encryption algorithm implemented in Configuration Manager is 3DES. This is used for storing data in the Configuration Manager database and for when clients communicate by using HTTP. When you use client communication over HTTPS, you can configure your public key infrastructure (PKI) to use RSA certificates with the maximum hashing algorithms and key lengths that are documented in PKI Certificate Requirements for Configuration Manager. For most cryptographic operations, Configuration Manager uses the SHA-2, 3DES, and RSA algorithms from the Windows CryptoAPI library rsaenh.dll. Use the following sections for more information. Cryptographic Controls for Configuration Manager Operations Certificates Used by Configuration Manager Cryptographic Controls for Server Communication Cryptographic Controls for Clients That Use HTTPS Communication to Site Systems Cryptographic Controls for Clients That Use HTTP Communication to Site Systems

Cryptographic Controls for Configuration Manager Operations

Information in Configuration Manager can be signed and encrypted, regardless of whether you use PKI certificates with Configuration Manager.

Policy Signing and Encryption

Client policy assignments are signed by the self-signed site server signing certificate to help prevent the security risk of a compromised management point sending policies that have been tampered with. This safeguard is particularly relevant if you are using Internet-based client

981

management because this environment requires a management point that is exposed to Internet communication. Policy is encrypted by using 3DES when it contains sensitive data. Policy that contains sensitive data is sent to authorized clients only. Policy that does not have sensitive data is not encrypted.

Policy Hashing
When Configuration Manager clients request policy, they first get a policy assignment so that they know which policies apply to them, and then request only those policy bodies. Each policy assignment contains the calculated hash for the corresponding policy body. The client retrieves the applicable policy bodies and then calculates the hash on that body. If the hash on the downloaded policy body does not match the hash in the policy assignment, the client discards the policy body. The hashing algorithm for policy is SHA-256.

Content Hashing
The distribution manager service on the site server hashes the content files for all packages. The policy provider includes the hash in the software distribution policy. When the Configuration Manager client downloads the content, the client regenerates the hash locally and compares it to the one supplied in the policy. If the hashes match, the content has not been altered and the client installs it. If a single byte of the content has been altered, the hashes will not match and the software will not be installed. This check helps to ensure that the correct software is installed because the actual content is crosschecked with the policy. The default hashing algorithm for content is SHA-256. To change this default, see the documentation for the Configuration Manager Software Development Kit (SDK). Not all devices can support content hashing. The exceptions include the following: Windows clients when they stream App-V content. Windows Phone clients: However, these clients verify the signature of an application that is signed by a trusted source. Windows RT clients: However, these clients verify the signature of an application that is signed by a trusted source and also use package full name (PFN) validation. iOS: However, these devices verify the signature of an application that is signed by any developer certificate from a trusted source. Nokia clients: However, these clients verify the signature of an application that uses a selfsigned certificate. Or, the signature of a certificate from a trusted source and the certificate can sign Nokia Symbian Installation Source (SIS) applications. Android. In addition, these devices do not use signature validation for application installation. Clients that run on versions of Linux and UNIX that do not support SHA-256. For more information, see the About Linux and UNIX Operating Systems That do not Support SHA-256 section in the Planning for Client Deployment for Linux and UNIX Servers topic.

982

Inventory Signing and Encryption

Inventory that clients send to management points is always signed by devices, regardless of whether they communicate with management points over HTTP or HTTPS. If they use HTTP, you can choose to encrypt this data, which is a security best practice.

State Migration Encryption

Data stored on state migration points for operating system deployment is always encrypted by the User State Migration Tool (USMT) by using 3DES.

Encryption for Multicast Packages to Deploy Operating Systems

For every operating system deployment package, you can enable encryption when the package is transferred to computers by using multicast. The encryption uses Advanced Encryption Standard (AES). If you enable encryption, no additional certificate configuration is required. The multicast-enabled distribution point automatically generates symmetric keys for encrypting the package. Each package has a different encryption key. The key is stored on the multicastenabled distribution point by using standard Windows APIs. When the client connects to the multicast session, the key exchange occurs over a channel encrypted with either the PKI-issued client authentication certificate (when the client uses HTTPS) or the self-signed certificate (when the client uses HTTP). The client stores the key in memory only for the duration of the multicast session.

Encryption for Media to Deploy Operating Systems

When you use media to deploy operating systems and specify a password to protect the media, the environment variables are encrypted by using Advanced Encryption Standard (AES). Other data on the media, including packages and content for applications, is not encrypted.

Encryption for Content that is Hosted on Cloud-Based Distribution Points

When you use cloud-based distribution points in Configuration Manager SP1, the content that you upload to these distribution points is encrypted by using Advanced Encryption Standard (AES) with a 256-bit key size. The content is re-encrypted whenever you update it. When clients download the content, it is encrypted and protected by the HTTPS connection.

Signing in Software Updates

All software updates must be signed by a trusted publisher to protect against tampering. On client computers, the Windows Update Agent (WUA) scans for the updates from the catalog, but will not install the update if it cannot locate the digital certificate in the Trusted Publishers store on the local computer. If a self-signed certificate was used for publishing the updates catalog, such as WSUS Publishers Self-signed, the certificate must also be in the Trusted Root Certification Authorities certificate store on the local computer to verify the validity of the certificate. WUA also
983

checks whether the Allow signed content from intranet Microsoft update service location Group Policy setting is enabled on the local computer. This policy setting must be enabled for WUA to scan for the updates that were created and published with Updates Publisher. When software updates are published in System Center Updates Publisher, a digital certificate signs the software updates when they are published to an update server. You can either specify a PKI certificate or configure Updates Publisher to generate a self-signed certificate to sign the software update.

Signed Configuration Data for Compliance Settings

When you import configuration data, Configuration Manager verifies the file's digital signature. If the files have not been signed, or if the digital signature verification check fails, you will be warned and prompted whether to continue with the import. Continue to import the configuration data only if you explicitly trust the publisher and the integrity of the files.

Encryption and Hashing for Client Notification

This section applies to Configuration Manager SP1 only. If you use client notification, all communication uses TLS and the highest encryption that the server and client operating systems can negotiate. For example, a client computer running Windows 7 and a management point running Windows Server 2008 R2 can support 128-bit AES encryption, whereas a client computer running Vista to the same management point but will negotiate down to 3DES encryption. The same negotiation occurs for hashing the packets that are transferred during client notification, which uses SHA-1 or SHA-2.

Certificates Used by Configuration Manager

For a list of the public key infrastructure (PKI) certificates that can be used by Configuration Manager, any special requirements or limitations, and how the certificates are used, see PKI Certificate Requirements for Configuration Manager. This list includes the supported hash algorithms and key lengths. Most certificates support SHA-256 and 2048 bits key length. Note All certificates that Configuration Manager uses must contain only single-byte characters in the subject name or subject alternative name. PKI certificates are required for the following scenarios: When you manage Configuration Manager clients on the Internet. When you manage Configuration Manager clients on mobile devices. When you manage Mac computers. When you use cloud-based distribution points. When you manage Intel AMT-based computers out of band.

984

For most other Configuration Manager communications that require certificates for authentication, signing, or encryption, Configuration Manager automatically uses PKI certificates if they are available. If they are not available, Configuration Manager generates self-signed certificates. Configuration Manager does not use PKI certificates when it manages mobile devices by using the Exchange Server connector.

Mobile Device Management and PKI Certificates

If the mobile device has not been locked by the mobile operator, you can use Configuration Manager or Windows Intune to request and install a client certificate. This certificate provides mutual authentication between the client on the mobile device and Configuration Manager site systems or Windows Intune services. If your mobile device is locked, you cannot use Configuration Manager or Windows Intune to deploy certificates. For more information, see How to Install Clients on Mobile Devices and Enroll Them by Using Configuration Manager. If you enable hardware inventory for mobile devices, Configuration Manager or Windows Intune also inventories the certificates that are installed on the mobile device.

Out of Band Management and PKI Certificates

Out of band management for Intel AMT-based computers uses at least two types of PKI-issued certificates: an AMT provisioning certificate and a web server certificate. The out of band service point uses an AMT provisioning certificate to prepare computers for out of band management. The AMT-based computers that will be provisioned must trust the certificate presented by the out of band management point. By default, AMT-based computers are configured by the computer manufacturer to use external certification authorities (CAs), such as VeriSign, Go Daddy, Comodo, and Starfield. If you purchase a provisioning certificate from one of the external CAs and configure Configuration Manager to use this provisioning certificate, AMT-based computers will trust the CA of the provisioning certificate and provisioning can succeed. However, it is a security best practice to use your own internal CA to issue the AMT provisioning certificate. For more information, see Security Best Practices for Out of Band Management. The AMT-based computers run a web server component within their firmware and that web server component encrypts the communication channel with the out of band service point by using Transport Layer Security (TLS). There is no user interface into the AMT BIOS to manually configure a certificate, so you must have a Microsoft enterprise certification authority that automatically approves certificate requests from requesting AMT-based computers. The request uses PKCS#10 for the request format, which in turn, uses PKCS#7 for transmitting the certificate information to the AMT-based computer. Although the AMT-based computer is authenticated to the computer managing it, there is no corresponding client PKI certificate on the computer managing it. Instead, these communications use either Kerberos or HTTP Digest authentication. When HTTP Digest is used, it is encrypted by using TLS.

985

An additional type of certificate might be required for managing AMT-based computers out of band: an optional client certificate for 802.1X authenticated wired networks and wireless networks. The client certificate might be required by the AMT-based computer for authentication to the RADIUS server. When the RADIUS server is configured for EAP-TLS authentication, a client certificate is always required. When the RADIUS server is configured for EAPTTLS/MSCHAPv2 or PEAPv0/EAP-MSCHAPv2, the RADIUS configuration specifies whether a client certificate is required or not. This certificate is requested by the AMT-based computer by using the same processes as the web server certificate request.

Operating System Deployment and PKI Certificates

When you use Configuration Manager to deploy operating systems and a management point requires HTTPS client connections, the client computer must also have a certificate to communicate with the management point, even though it is in a transitional phase such as booting from task sequence media or a PXE-enabled distribution point. To support this scenario, you must create a PKI client authentication certificate and export it with the private key and then import it to the site server properties and also add the management points trusted root CA certificate. If you create bootable media, you import the client authentication certificate when you create the bootable media. Configure a password on the bootable media to help protect the private key and other sensitive data configured in the task sequence. Every computer that boots from the bootable media will present the same certificate to the management point as required for client functions such as requesting client policy. If you use PXE boot, you import the client authentication certificate to the PXE-enabled distribution point and it uses the same certificate for every client that boots from that PXE-enabled distribution point. As a security best practice, require users who connect their computers to a PXE service to supply a password to help protect the private key and other sensitive data in the task sequences. If either of these client authentication certificates is compromised, block the certificates in the Certificates node in the Administration workspace, Security node. To manage these certificates, you must have the Manage operating system deployment certificate right. After the operating system is deployed and the Configuration Manager is installed, the client will require its own PKI client authentication certificate for HTTPS client communication.

ISV Proxy Solutions and PKI Certificates

Independent Software Vendors (ISVs) can create applications that extend Configuration Manager. For example, an ISV could create extensions to support non-Windows client platforms such as Macintosh or UNIX computers. However, if the site systems require HTTPS client connections, these clients must also use PKI certificates for communication with the site. Configuration Manager includes the ability to assign a certificate to the ISV proxy that enables communications between the ISV proxy clients and the management point. If you use extensions that require ISV proxy certificates, consult the documentation for that product. For more
986

information about how to create ISV proxy certificates, see the Configuration Manager Software Developer Kit (SDK). If the ISV certificate is compromised, block the certificate in the Certificates node in the Administration workspace, Security node.

Asset Intelligence and Certificates

Configuration Manager installs with an X.509 certificate that the Asset Intelligence synchronization point uses to connect to Microsoft. Configuration Manager uses this certificate to request a client authentication certificate from the Microsoft certificate service. The client authentication certificate is installed on the Asset Intelligence synchronization point site system server and it is used to authenticate the server to Microsoft. Configuration Manager uses the client authentication certificate to download the Asset Intelligence catalog and to upload software titles. This certificate has a key length of 1024 bits.

Cloud-Based Distribution Points and Certificates

Cloud-based distribution points in Configuration Manager SP1 require a management certificate (self-signed or PKI) that you upload to Windows Azure. This management certificate requires server authentication capability and a certificate key length of 2048 bits. In addition, you must configure a service certificate for each cloud-based distribution point, which cannot be self-signed but also has server authentication capability and a minimum certificate key length of 2048 bits. Note The self-signed management certificate is for testing purposes only and not for use on production networks. Clients do not require a client PKI certificate to use cloud-based distribution points; they authenticate to the management by using either a self-signed certificate or a client PKI certificate. The management point then issues a Configuration Manager access token to the client, which the client presents to the cloud-based distribution point. The token is valid for 8 hours.

The Windows Intune Connector and Certificates

When Windows Intune enrolls mobile devices, you can manage these mobile devices in Configuration Manager SP1 by creating a Windows Intune connector. The connector uses a PKI certificate with client authentication capability to authenticate Configuration Manager to Windows Intune and to transfer all information between them by using SSL. The certificate key size is 2048 bits and uses the SHA-1 hash algorithm. When Windows Intune enrolls mobile devices, it installs a PKI certificate onto the mobile device. This certificate has client authentication capability, uses a key size of 2048 bits, and uses the SHA-1 hash algorithm. These PKI certificates are automatically requested, generated, and installed by Windows Intune.
987

CRL Checking for PKI Certificates

A PKI certificate revocation list (CRL) increases administrative and processing overhead but it is more secure. However, if CRL checking is enabled but the CRL is inaccessible, the PKI connection fails. For more information, see the Planning for PKI Certificate Revocation section in the Planning for Security in Configuration Manager topic. Certificate revocation list (CRL) checking is enabled by default in IIS, so if you are using a CRL with your PKI deployment, there is nothing additional to configure on most Configuration Manager site systems that run IIS. The exception is for software updates, which requires a manual step to enable CRL checking to verify the signatures on software update files. CRL checking is enabled by default for client computers when they use HTTPS client connections. CRL checking is not enabled by default when you run the Out of Band Management console to connect to AMT-based computer, and you can enable this option. You cannot disable CRL checking for clients on Mac computers in Configuration Manager SP1. CRL checking is not supported for the following connections in Configuration Manager: Server-to-server connections. Mobile devices that are enrolled by Configuration Manager. Mobile devices that are enrolled by Windows Intune.

Cryptographic Controls for Server Communication

Configuration Manager uses the following cryptographic controls for server communication.

Server Communication Within a Site

Each site system server uses a certificate to transfer data to other site systems in the same Configuration Manager site. Some site system roles also use certificates for authentication. For example, if you install the enrollment proxy point on one server and the enrollment point on another server, they can authenticate one another by using this identity certificate. When Configuration Manager uses a certificate for this communication, if there is a PKI certificate available that has server authentication capability, Configuration Manager automatically uses it; if not, Configuration Manager generates a self-signed certificate. This self-signed certificate has server authentication capability, uses SHA-256, and has a key length of 2048 bits. Configuration Manager copies the certificate to the Trusted People store on other site system servers that might need to trust the site system. Site systems can then trust one another by using these certificates and PeerTrust. In addition to this certificate for each site system server, Configuration Manager generates a selfsigned certificate for most site system roles. When there is more than one instance of the site system role in the same site, they share the same certificate. For example, you might have multiple management points or multiple enrollment points in the same site. This self-signed certificate also uses SHA-256 and has a key length of 2048 bits. It is also copied to the Trusted
988

People Store on site system servers that might need to trust it. The following site system roles generate this certificate: Application Catalog web service point Application Catalog website point Asset Intelligence synchronization point Endpoint Protection point Enrollment point Fallback status point Management point Multicast-enabled distribution point Out of band service point Reporting services point Software update point State migration point System Health Validator point Windows Intune connector

These certificates are managed automatically by Configuration Manager, and where necessary, automatically generated. Configuration Manager also uses a client authentication certificate to send status messages from the distribution point to the management point. When the management point is configured for HTTPS client connections only, you must use a PKI certificate. If the management point accepts HTTP connections, you can use a PKI certificate or select the option to use a self-signed certificate that has client authentication capability, uses SHA-256, and has a key length of 2048 bits.

Server Communication Between Sites

Configuration Manager transfers data between sites by using database replication and file-based replication. For more information, see Technical Reference for Site Communications in Configuration Manager. Configuration Manager automatically configures the database replication between sites and uses PKI certificates that have server authentication capability if these are available; if not, Configuration Manager creates self-signed certificates for server authentication. In both cases, authentication between sites is established by using certificates in the Trusted People Store that uses PeerTrust. This certificate store is used to ensure that only the SQL Server computers that are used by the Configuration Manager hierarchy participate in site-to-site replication. Whereas primary sites and the central administration site can replicate configuration changes to all sites in the hierarchy, secondary sites can replicate configuration changes only to their parent site. Site servers establish site-to-site communication by using a secure key exchange that happens automatically. The sending site server generates a hash and signs it with its private key. The receiving site server checks the signature by using the public key and compares the hash with a
989

locally generated value. If they match, the receiving site accepts the replicated data. If the values do not match, Configuration Manager rejects the replication data. Database replication in Configuration Manager uses the SQL Server Service Broker to transfer data between sites by using the following mechanisms: SQL Server to SQL Server connection: This uses Windows credentials for server authentication and self-signed certificates with 1024 bits to sign and encrypt the data by using Advanced Encryption Standard (AES). If PKI certificates with server authentication capability are available, these will be used. The certificate must be located in the Personal store for the Computer certificate store. SQL Service Broker: This uses self-signed certificates with 2048 bits for authentication and to sign and encrypt the data by using Advanced Encryption Standard (AES). The certificate must be located in the SQL Server master database.

File-based replication uses the Server Message Block (SMB) protocol, and uses SHA-256 to sign this data that is not encrypted but does not contain any sensitive data. If you want to encrypt this data, you can use IPsec and must implement this independently from Configuration Manager.

Cryptographic Controls for Clients That Use HTTPS Communication to Site Systems
When site system roles accept client connections, you can configure them to accept HTTPS and HTTP connections, or only HTTPS connections. Site system roles that accept connections from the Internet only accept client connections over HTTPS. Client connections over HTTPS offer a higher level of security by integrating with a public key infrastructure (PKI) to help protect client-to-server communication. However, configuring HTTPS client connections without a thorough understanding of PKI planning, deployment, and operations could still leave you vulnerable. For example, if you do not secure your root CA, attackers could compromise the trust of your entire PKI infrastructure. Failing to deploy and manage the PKI certificates by using controlled and secured processes might result in unmanaged clients that cannot receive critical software updates or packages. Important The PKI certificates that are used for client communication protect the communication only between the client and some site systems. They do not protect the communication channel between the site server and site systems or between site servers.

Communication That Is Unencrypted When Clients Use HTTPS Communication

When clients communicate with site systems by using HTTPS, communications are usually encrypted over SSL. However, in the following situations, clients communicate with site systems without using encryption: Client fails to make an HTTPS connection on the intranet and fall back to using HTTP when site systems allow this configuration
990

Communication to the following site system roles: Client sends state messages to the fallback status point Client sends PXE requests to a PXE-enabled distribution point Client sends notification data to a management point

Reporting services points are configured to use HTTP or HTTPS independently from the client communication mode.

Cryptographic Controls for Clients That Use HTTP Communication to Site Systems
When clients use HTTP communication to site system roles, they can use PKI certificates for client authentication, or self-signed certificates that Configuration Manager generates. When Configuration Manager generates self-signed certificates, they have client authentication capability, use SHA-256, and have a key length of 2048 bits.

Operating System Deployment and Self-signed Certificates

When you use Configuration Manager to deploy operating systems with self-signed certificates, a client computer must also have a certificate to communicate with the management point, even if the computer is in a transitional phase such as booting from task sequence media or a PXEenabled distribution point. To support this scenario for HTTP client connections, Configuration Manager generates self-signed certificates that have client authentication capability, use SHA256, and 2048 bits. If the self-signed certificates are compromised, to prevent attackers from using them to impersonate trusted clients, block the certificates in the Certificates node in the Administration workspace, Security node.

Client and Server Authentication

When clients connect over HTTP, they authenticate the management points by using either Active Directory Domain Services or by using the Configuration Manager trusted root key. Clients do not authenticate other site system roles, such as state migration points or software update points. When a management point first authenticates a client by using the self-signed client certificate, this mechanism provides minimal security because any computer can generate a self-signed certificate. In this scenario, the client identity process must be augmented by approval. Only trusted computers must be approved, either automatically by Configuration Manager, or manually, by an administrative user. For more information, see the approval section in Planning for Client Communication to Site Systems.

See Also
Technical Reference for Site Administration in Configuration Manager
991

Technical Reference for Language Packs in Configuration Manager

This topic provides technical details about language support in System Center 2012 Configuration Manager.

Supported Operating System Languages

You can install support for the following display languages by installing server language packs or client language packs at a central administration site and at primary sites. Use the following table to map a locale ID to a language that you want to support on servers or clients. For more information about locale IDs, see Locale IDs Assigned by Microsoft in the MSDN online library.

Server Languages
Server language Locale ID (LCID) Three letter code Configuration Manager version

English (default)

0409

ENU

Configuration Manager with no service pack Configuration Manager with SP1 Configuration Manager with SP1 Configuration Manager with no service pack Configuration Manager with SP1 Configuration Manager with SP1 Configuration Manager with SP1 Configuration Manager with SP1 Configuration Manager with no service pack Configuration Manager with SP1
992

Chinese (Traditional, Hong Kong SAR) Chinese (Simplified)

0c04

ZHH

0804

CHS

Chinese (Traditional, Taiwan) Czech Dutch - Netherlands French

0404

CHT

0405 0413 040c

CSY NLD FRA

Server language

Locale ID (LCID)

Three letter code

Configuration Manager version

German

0407

DEU

Configuration Manager with no service pack Configuration Manager with SP1 Configuration Manager with SP1 Configuration Manager with SP1 Configuration Manager with no service pack Configuration Manager with SP1 Configuration Manager with SP1 Configuration Manager with SP1 Configuration Manager with SP1 Configuration Manager with SP1 Configuration Manager with no service pack Configuration Manager with SP1 Configuration Manager with SP1 Configuration Manager with SP1 Configuration Manager with SP1

Hungarian Italian - Italy Japanese

040e 0410 0411

HUN ITA JPN

Korean Polish Portuguese - Brazil Portuguese - Portugal Russian

0412 0415 0416 0816 0419

KOR PLK PTB PTG RUS

Spanish Spain Swedish Turkish

0c0a 041d 041f

ESN SVE TRK

Client Languages

993

Client language

Locale ID (LCID)

Three letter code

Configuration Manager version

English (default)

0409

ENG

Configuration Manager with no service pack Configuration Manager with SP1 Configuration Manager with SP1 Configuration Manager with no service pack Configuration Manager with SP1 Configuration Manager with no service pack Configuration Manager with SP1 Configuration Manager with no service pack Configuration Manager with SP1 Configuration Manager with no service pack Configuration Manager with SP1 Configuration Manager with no service pack Configuration Manager with SP1 Configuration Manager with no service pack Configuration Manager with SP1 Configuration Manager with no service pack Configuration Manager with SP1 Configuration Manager with no service pack Configuration Manager
994

Chinese (Traditional, Hong Kong SAR) Chinese -Simplified

0c04

ZHH

0804

CHS

Chinese (Traditional, Taiwan)

0404

CHT

Czech

0405

CSY

Danish

0406

DAN

Dutch - Netherlands

0413

NLD

Finnish

040b

FIN

French

040c

FRA

German

0407

DEU

Client language

Locale ID (LCID)

Three letter code

Configuration Manager version

with SP1 Greek 0408 ELL Hungarian 040e HUN Italian - Italy 0410 ITA Japanese 0411 JPN Korean 0412 KOR Norwegian 0414 NOR Polish 0415 PLK Portuguese (Brazil) 0416 PTB Portuguese (Portugal) 0816 PTG Configuration Manager with no service pack Configuration Manager with SP1 Configuration Manager with no service pack Configuration Manager with SP1 Configuration Manager with no service pack Configuration Manager with SP1 Configuration Manager with no service pack Configuration Manager with SP1 Configuration Manager with no service pack Configuration Manager with SP1 Configuration Manager with no service pack Configuration Manager with SP1 Configuration Manager with no service pack Configuration Manager with SP1 Configuration Manager with no service pack Configuration Manager with SP1 Configuration Manager with no service pack Configuration Manager with SP1
995

Client language

Locale ID (LCID)

Three letter code

Configuration Manager version

Russian

0419

RUS

Configuration Manager with no service pack Configuration Manager with SP1 Configuration Manager with no service pack Configuration Manager with SP1 Configuration Manager with no service pack Configuration Manager with SP1 Configuration Manager with no service pack Configuration Manager with SP1

Spanish - Spain

0c0a

ESN

Swedish

041d

SVE

Turkish

041f

TRK

Mobile Device Client Languages

When you add support for mobile device languages, all mobile device client languages are included. You cannot select individual language packs for mobile device support. For information about supported languages for the mobile device client, see the Mobile Device Requirements section in the Supported Configurations for Configuration Manager topic.

How to Identify Installed Language Packs

You can identify the language packs that are installed on a computer that runs the Configuration Manager client by viewing the locale ID (LCID) of the installed language packs in the computers registry. This information is available in the following location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCMSetup\InstalledLangs You can use hardware inventory to collect this information, and then build a custom report to view the language details. For information about collecting custom hardware inventory, see How to Extend Hardware Inventory in Configuration Manager. For information on creating reports, see the Manage Configuration Manager Reports section in the Operations and Maintenance for Reporting in Configuration Manager topic.

See Also
Technical Reference for Site Administration in Configuration Manager
996

Technical Reference for Unicode and ASCII Support in Configuration Manager

System Center 2012 Configuration Manager creates most objects by using Unicode characters. However, several objects support ASCII characters only or they have other limitations. The following sections list the objects that must use characters from the ASCII character set only, or that have additional limitations. Objects That Use ASCII Characters Additional Limitations Configuration Manager Objects that Are Not Localized

Objects That Use ASCII Characters

Configuration Manager supports the ASCII character set only when you create the following objects: Site code All site system server computer names The following Configuration Manager accounts: Note These accounts support ASCII characters and RUS characters on a site that runs in the Russian language. Client Push Installation Account Health State Reference Publishing Account Health State Reference Querying Account Management Point Database Connect Account Network Access Account Package Access Account Standard Sender Account Site System Installation Account Software Update Point Connection Account Software Update Point Proxy Server Account Note The accounts that you specify for role-based administration support Unicode. The Reporting Services Point Account supports Unicode, with the exception of RUS characters. FQDN for site servers and site systems Installation path for Configuration Manager SQL Server instance names
997

The path for the following site system roles: Application Catalog web service point Application Catalog website point Enrollment point Enrollment proxy point Reporting services point State migration point The folder that stores client state migration data The folder that contains the Configuration Manager reports The folder that stores the Configuration Manager Backup The folder that stores the installation source files for site setup. The folder that stores the prerequisite downloads for use by Setup IIS website Virtual application installation path Virtual application name The FQDN of the AMT-based computer The computer name of the AMT-based computer The domain NetBIOS name The wireless profile name and SSID The trusted root certification authority name The name of the certification authority (CA) and template names The file name and path for the IDE redirection image file The contents of the AMT data storage

The path for the following folders:

The path for the following objects:

The following objects for AMT and out of band management:

Boot media .ISO file names

Additional Limitations
The following are additional limitations for supported character sets and language versions: Configuration Manager does not support changing the locale of the site server computer. An enterprise certification authority (CA) does not support client computer names that use double-byte character sets (DBCS). The client computer names that you can use are restricted by the PKI limitation of the IA5 character set. In addition, Configuration Manager does not support CA names that use DBCS.

998

Configuration Manager Objects that Are Not Localized

The Configuration Manager database supports Unicode for most objects that it stores, and when possible, it displays this information in the operating system language that matches the locale of a computer. For the client interface or Configuration Manager console to display information in the computers operating system language, the computers locale must match a client or server language that you install at a site. However, several Configuration Manager objects do not support Unicode, and they are stored in the database by using ASCII, or they have additional language limitations. This information is always displayed by using the ASCII character set or in the language that was in use when the object was created.

Technical Reference for the Hierarchy Maintenance Tool (Preinst.exe) in Configuration Manager
The Hierarchy Maintenance tool (Preinst.exe) passes commands to the Configuration Manager Hierarchy Manager while the Hierarchy Manager service is running. The Hierarchy Maintenance tool is automatically installed when you install a Configuration Manager site. You can find Preinst.exe in the \\<SiteServerName>\SMS_<SiteCode\bin\X64\00000409 shared folder on the site server. You might use the Hierarchy Maintenance tool in the following scenarios: When secure key exchange is required, there are situations in which you must manually perform the initial public key exchange between sites. For more information, see Manually Exchange Public Keys Between Sites in this topic. To remove active jobs that are for a destination site that is no longer available. To delete a site server from the Configuration Manager console when you are unable to uninstall the site by using Setup. For example, if you physically remove a Configuration Manager site without first running Setup to uninstall the site, the site information will still exist in the parent sites database, and the parent site will continue to attempt to communicate with the child site. To resolve this issue, you must run the Hierarchy Maintenance tool and manually delete the child site from the parent sites database. To stop all Configuration Manager services at a site without having to stop services individually. When you are recovering a site, you can use the CHILDKEYS option to distribute the public keys from multiple child sites to the recovering site.

To run the Hierarchy Maintenance tool, the current user must have administrative privileges on the local computer. Also, the user must explicitly have the Site - Administer security right; it is not sufficient that the user inherits this right by being a member of a group that has that permission.
999

Hierarchy Maintenance Tool Command-Line Options

When you use the Hierarchy Maintenance Tool, you must run it locally on the central administration site, primary site, or secondary site server. When you run the Hierarchy Maintenance tool, you must use the following syntax: preinst.exe /<option>. The following table describes the available command-line options.
Command-Line Parameter Description

/DELJOB <SiteCode>

Use this option at a site to delete all jobs or commands from the current site to the specified destination site. Use this option at a parent site to delete the data for child sites from the site database of the parent site. Typically, you use this option if a site server computer is decommissioned before you uninstall the site from it. Note The /DELSITE option does not uninstall the site on the computer specified by the ChildSiteCodeToRemove parameter. This option only removes the site information from the Configuration Manager site database.

/DELSITE <ChildSiteCodeToRemove>

/DUMP <SiteCode>

Use this option on the local site server to write site control images to the root folder of the drive on which the site is installed. You can write a specific site control image to the folder or write all site control files in the hierarchy. /DUMP <SiteCode> writes the site control image only for the specified site. /DUMP writes the site control files for all sites.

An image is a binary representation of the site control file, which is stored in the Configuration Manager site database. The dumped site control file image is a sum of the base image plus the pending delta images. After dumping a site control file image with the Hierarchy Maintenance tool, the file name is in
1000

Command-Line Parameter

Description

the format sitectrl_<SiteCode>.ct0. /STOPSITE Use this option on the local site server to initiate a shutdown cycle for the Configuration Manager Site Component Manager service, which partially resets the site. When this shutdown cycle is run, some Configuration Manager services on a site server and its remote site systems are stopped. These services are flagged for reinstallation. As a result of this shutdown cycle, some passwords are automatically changed when the services are reinstalled. Note If you want to see a record of shutdown, reinstallation, and password changes for Site Component Manager, enable logging for this component before using this command-line option. After the shutdown cycle is started, it proceeds automatically, skipping any non-responding components or computers. However, if the Site Component Manager service cannot access a remote site system during the shutdown cycle, the components that are installed on the remote site system are reinstalled when the Site Component Manager service is restarted. When it is restarted, the Site Component Manager service repeatedly attempts reinstallation of all services that are flagged for reinstallation until it is successful. You can restart the Site Component Manager service using Service Manager. After it is restarted, all affected services are uninstalled, reinstalled, and restarted. After you use the /STOPSITE option to initiate the shutdown cycle, you cannot avoid the reinstallation cycles after the Site Component Manager service is restarted. /KEYFORPARENT Use this option on a site to distribute the site's
1001

Command-Line Parameter

Description

public key to a parent site. The /KEYFORPARENT option places the public key of the site in the file <SiteCode>.CT4 at the root of the program files drive. After you run preinst.exe with this option, manually copy the <SiteCode>.CT4 file to the parent site's \Inboxes\hman.box folder (not hman.box\pubkey). /KEYFORCHILD Use this option on a site to distribute the site's public key to a child site. The /KEYFORCHILD option places the public key of the site in the file <SiteCode>.CT5 at the root of the program files drive. After you run preinst.exe with this option, manually copy the <SiteCode>.CT5 file to the child site's \Inboxes\hman.box folder (not hman.box\pubkey).

/CHILDKEYS

You can use this option on the child sites of a site that you are recovering. Use this option to distribute public keys from multiple child sites to the recovering site. The /CHILDKEYS option places the key from the site where you run the option, and all of that sites child sites public keys into the file <SiteCode>.CT6. After you run preinst.exe with this option, manually copy the <SiteCode>.CT6 file to the recovering site's \Inboxes\hman.box folder (not hman.box\pubkey).

/PARENTKEYS

You can use this option on the parent site of a site that you are recovering. Use this option to distribute public keys from all parent sites to the recovering site. The /PARENTKEYS option places the key from the site where you run the option, and the keys from each parent site above that site into the file <SiteCode>.CT7. After you run preinst.exe with this option,
1002

Command-Line Parameter

Description

manually copy the <SiteCode>.CT7 file to the recovering site's \Inboxes\hman.box folder (not hman.box\pubkey).

Manually Exchange Public Keys Between Sites

By default, the Require secure key exchange option is enabled for Configuration Manager sites. When secure key exchange is required, there are two situations in which you must manually perform the initial key exchange between sites: If the Active Directory schema has not been extended for Configuration Manager Configuration Manager sites are not publishing site data to Active Directory

You can use the Hierarchy Maintenance tool to export the public keys for each site. Once they have been exported, you must manually exchange the keys between the sites. Note After the public keys are manually exchanged, you can review the hman.log log file, which records site configuration changes and site information publication to Active Directory Domain Services, on the parent site server to ensure that the primary site has processed the new public key. To manually transfer the child site public key to the parent site 1. While logged on to the child site, open a command prompt and navigate to the location of Preinst.exe. 2. Type the following to export the child sites public key: Preinst /keyforparent 3. The /keyforparent option places the public key of the child site in the <site code>.CT4 file located at the root of the system drive. 4. Move the <site code>.CT4 file to the parent site's <install directory>\inboxes\hman.box folder. To manually transfer the parent site public key to the child site 1. While logged on to the parent site, open a command prompt and navigate to the location of Preinst.exe. 2. Type the following to export the parent sites public key: Preinst /keyforchild. 3. The /keyforchild option places the public key of the parent site in the <site code>.CT5 file located at the root of the system drive. 4. Move the <site code>.CT5 file to the <install directory>\inboxes\hman.box directory on the child site.

1003

Technical Reference for the Prerequisite Checker in Configuration Manager

The Prerequisite Checker (prereqchk.exe) is a standalone application that verifies server readiness for a site server or specific site system roles. Before site installation, Setup runs the Prerequisite Checker. You might choose to manually run the Prerequisite Checker on potential site servers or site systems to verify server readiness. This allows you to remediate any issues that you find before you run Setup. The Prerequisite Checker notifies you of any warnings or errors encountered that would cause Setup to fail. Tests that result in a warning do not prevent you from successfully installing Configuration Manager. However, resolving the condition that generated the warnings now might prevent issues later and helps to ensure optimum site performance. Tests that result in an error prevent you from completing the setup process and you must resolve the condition that generated the error. Note The Configuration Manager Setup prerequisite check rules verify that software and settings required for setup are installed. In some cases, the required software itself might require additional software updates not verified by Configuration Manager Setup. Before you start Setup, verify that the operating system running on the computer, and additional installed software that Configuration Manager Setup relies on, have been updated with all relevant software updates. Tip When the prerequisite check runs, it logs its results in the ConfigMgrPrereq.log file on the system drive of computer. The log file can contain additional information that does not display in user interface. The following sections provide technical details about available prerequisite checks. Prerequisite Checks for Security Rights Prerequisite Checks for Configuration Manager Dependencies Prerequisite Checks for System Requirements Prerequisite Checks for Upgrade

For more information about the Prerequisite Checker, see the Prerequisite Checker section in the Install Sites and Create a Hierarchy for Configuration Manager topic.

Prerequisite Checks for Security Rights

The following table provides a list of the prerequisite checks that Prerequisite Checker performs for security rights.

1004

Prerequisite check name

Severity

Version of Configuration Manager

Applicability

Description

Administrator rights on central administration site

Error

Configuration Manager with no service pack Configuration Manager SP1

Primary site

Verifies the user account that runs Configuration Manager Setup has local Administrator rights on the central administration site computer. Verifies that the user running Setup has local Administrator rights on the standalone primary site that will be expanded.

Administrative rights on expand primary site

Error

Configuration Manager SP1

Central administration site

Administrative rights on site system

Error

Configuration Manager with no service pack Configuration Manager SP1

Central administration site

Verifies the user account that runs Configuration Primary site Manager Setup has Secondary site local Administrator rights on the site server computer. Central administration site Verifies that the computer account of the central administration site has local Administrator rights on the standalone primary site that will be expanded. Verifies the user account that runs
1005

CAS Machine administrative rights on expand primary site

Error

Configuration Manager SP1

Connection to SQL Server on

Error

Configuration Manager with no service

Primary site

Prerequisite check name

Severity

Version of Configuration Manager

Applicability

Description

central administration site

pack Configuration Manager SP1

Configuration Manager Setup on the primary site to join an existing hierarchy has the sysadmin role on the instance of the SQL Server for the central administration site. SQL Server Verifies that the site Secondary site server computer account has administrative rights on the SQL Server and management point computers. Management point Verifies that a valid Service Principal Secondary site Name (SPN) is registered in Active Directory Domain Services for the account configured to run the SQL Server service for the SQL Server instance used to host the Configuration Manager site database. A valid SPN must be registered in Active Directory Domain Services to support Kerberos
1006

Site server computer account administrative rights

Error

Configuration Manager with no service pack Configuration Manager SP1

Site System to SQL Server Communication

Warning

Configuration Manager with no service pack Configuration Manager SP1

Prerequisite check name

Severity

Version of Configuration Manager

Applicability

Description

authentication. SQL Server security mode Warning Configuration Manager SP1 SQL Server Verifies that SQL Server is configured for Windows authentication security. Verifies the user account that runs Configuration Manager Setup has the sysadmin role on the SQL Server instance selected for site database installation. This check also fails when Setup is unable to access the instance for the SQL Server to verify permissions. Verifies that the user account running Configuration Manager Setup has the sysadmin role on the SQL Server role instance selected as the reference site database. SQL Server sysadmin role permissions are required in order to modify the site
1007

SQL Server sysadmin rights

Error

Configuration Manager with no service pack Configuration Manager SP1

SQL Server

SQL Server sysadmin rights for reference site

Error

Configuration Manager SP1

SQL Server

Prerequisite check name

Severity

Version of Configuration Manager

Applicability

Description

database.

Prerequisite Checks for Configuration Manager Dependencies

The following table provides a list of the prerequisite checks that Prerequisite Checker performs for Configuration Manager dependencies.
Prerequisite check name Severit y Version of Configuration Manager Applicability Description

Active migration mappings on the target primary site Administrativ e rights on distribution point

Error

Confi guration Manager SP1

Central administr ation site

Verifies that there are no active migration mappings to primary sites.

Warni ng

Confi guration Manager SP1 Confi guration Manager SP1 Confi guration Manager SP1

Distri bution point

Verifies that the user running Setup has local Administrator rights on the distribution point computer.

Administrativ Warni e rights on ng management point Administrativ e share (Site system) Warni ng

Verifies that the computer account of Mana site server has Administrator rights on gement the management point and distribution point point computer. Verifies that the required administrative Mana shares are present on the site system gement computer. point Central administr ation site Primary site Verifies that current applications are compliant with the application schema.

Application Compatibility

Warni ng

Confi guration Manager SP1

1008

Prerequisite check name

Severit y

Version of Configuration Manager

Applicability

Description

BITS enabled

Error

Confi guration Manager with no service pack Confi guration Manager SP1

Verifies that Background Intelligent Mana Transfer Service (BITS) is installed on gement the management point site system point computer. When this check fails, BITS is not installed, IIS 6 WMI compatibility component for IIS7 is not installed on the computer or the remote IIS host, or Setup was unable to verify remote IIS settings because IIS common components were not installed on the site server computer. Verifies that Background Intelligent Mana Transfer Service (BITS) is installed in gement Internet Information Services (IIS). point Verifies that the SQL Server installation uses a case-insensitive collation, such as SQL_Latin1_General_CP1_CI_AS.

BITS installed

Warni ng

Confi guration Manager SP1 Confi guration Manager with no service pack Confi guration Manager SP1

Caseinsensitive collation on SQL Server

Error

SQL Server

Check existing stand-alone primary site for version and sitecode

Error

Confi guration Manager SP1

Central administr ation site

Verify that the primary site you plan to expand is a standalone primary site, and has the same version of Configuration Manager, but a different sitecode than the central administration site to be installed.

Client Error version on management point

Confi guration Manager

Verifies that you are installing the Mana management point on a computer that gement does not have a different version of the point Configuration Manager client installed.
1009

Prerequisite check name

Severit y

Version of Configuration Manager

Applicability

Description

computer

with no service pack Confi guration Manager SP1

Configuration Warni for ng SQL Server memory usage

Confi guration Manager with no service pack Confi guration Manager SP1

SQL Server

Checks whether SQL Server is configured for unlimited memory usage. You should configure SQL Server memory to have a maximum limit.

Dedicated SQL Server instance

Error

Confi guration Manager with no service pack

Central administr ation site

Confi guration Manager SP1 Existing Error Configuration Manager server components on secondary site server Confi guration Manager with no service pack

Checks whether a dedicated instance of the SQL Server is configured to host the Configuration Manager site Primary database. If another site uses the site instance, you must select a different instance for the new site to use. Seco Alternatively, you can uninstall the other ndary site site or move its database to a different instance for the SQL Server.

Verifies that a site server or site system Seco role is not already installed on the ndary site computer selected for secondary site installation.

1010

Prerequisite check name

Severit y

Version of Configuration Manager

Applicability

Description

Existing Error Configuration Manager server components on server

Confi guration Manager with no service pack

Central administr ation site Primary site Seco ndary site

Verifies that a site server or site system role is not already installed on the computer selected for site installation.

Confi guration Manager SP1 Firewall exception for SQL Server Error Confi guration Manager with no service pack Confi guration Manager SP1 Firewall exception for SQL Server (stand-alone primary site) Warni ng Confi guration Manager with no service pack Confi guration Manager SP1 Firewall exception for SQL Server Warni ng Confi guration Manager

Central administr ation site

Checks whether the Windows Firewall is disabled or if a relevant Windows Firewall exception exists for Primary SQL Server. You must allow site sqlservr.exe or the required TCP ports to be accessed remotely. By default, Seco SQL Server listens on TCP port 1433 ndary site and the SQL Broker Service uses TCP port 4022. Mana gement point Primary site (standalone only) Checks whether the Windows Firewall is disabled or if a relevant Windows Firewall exception exists for SQL Server. You must allow sqlservr.exe or the required TCP ports to be accessed remotely. By default, SQL Server listens on TCP port 1433 and the SQL Broker Service uses TCP port 4022.

Checks whether the Windows Firewall Mana is disabled or if a relevant Windows gement Firewall exception exists for point
1011

Prerequisite check name

Severit y

Version of Configuration Manager

Applicability

Description

for management point IIS HTTPS Warni Configuration ng

SP1

SQL Server.

Confi guration Manager with no service pack Confi guration Manager SP1

Verifies Internet Information Services Mana (IIS) website bindings for HTTPS gement communication protocol. When you point select to install site roles that require HTTPS, you must configure IIS site Distri bindings on the specified server with a bution valid PKI certificate. point

IIS service running

Error

Confi guration Manager with no service pack Confi guration Manager SP1

Verifies Internet Information Services Mana (IIS) is installed and running on the gement computer to install the management point point or distribution point. Distri bution point

Match Collation of expand primary site

Error

Confi guration Manager SP1

Central administr ation site

Verify that the site database for the stand-alone primary site that you will expand has same collation as the site database at the central administration site.

Microsoft Error Remote Differential Compression (RDC) library registered

Confi guration Manager with no service

Central administr ation site Primary site

Verifies that the Microsoft Remote Differential Compression (RDC) library is registered on the Configuration Manager site server.

1012

Prerequisite check name

Severit y

Version of Configuration Manager

Applicability

Description

pack Confi guration Manager SP1 Microsoft Windows Installer Error Confi guration Manager with no service pack Confi guration Manager SP1 Microsoft XML Core Services 6.0 (MSXML60) Warni ng Confi guration Manager with no service pack Confi guration Manager SP1

Seco ndary site

Central administr ation site Primary site Seco ndary site

Verifies the Windows Installer version. When this check fails, Setup was not able to verify the version or the installed version does not meet the minimum requirement of Windows Installer version 4.5.

Central administr ation site Primary site Seco ndary site Confi guration Manager console Mana gement point

Verifies that Microsoft Core XML Services (MSXML) 6.0, or a later version, is installed on the computer.

Distri bution point

1013

Prerequisite check name

Severit y

Version of Configuration Manager

Applicability

Description

Minimum Error .NET Framework version for Configuration Manager console

Confi guration Manager with no service pack Confi guration Manager SP1

Confi guration Manager console

Checks whether Microsoft .NET Framework version 4.0 is installed on the Configuration Manager console computer. You can download Microsoft .NET Framework version 4.0 from http://go.microsoft.com/fwlink/p/?LinkId =189149..

Minimum Error .NET Framework version for Configuration Manager site server

Confi guration Manager with no service pack Confi guration Manager SP1

Central administr ation site

Checks whether Microsoft .NET Framework version 3.5 is installed on the Configuration Manager site server. Primary For Windows Server 2008, you can site download the Microsoft .NET Framework version 3.5 from Seco http://go.microsoft.com/fwlink/p/?LinkId ndary site =185604. For Windows Server 2008 R2, you can enable the Microsoft .NET Framework version 3.5 as a feature within Server Manager. Primary site Verifies that the collation of the site database matches the collation of the parent site's database. All sites in a Seco hierarchy must use the same database ndary site collation.

Parent/child database collation

Error

Confi guration Manager with no service pack Confi guration Manager SP1

PowerShell 2 Warni .0 on site ng server

Confi guration Manager

Primary site

Verifies that Windows PowerShell version 2.0 or later is installed on the site server for the Configuration Manager Exchange Connector. For
1014

Prerequisite check name

Severit y

Version of Configuration Manager

Applicability

Description

with no service pack Confi guration Manager SP1 Primary FQDN Error Confi guration Manager with no service pack Confi guration Manager console Mana gement point Distri bution point Primary FQDN Error Confi guration Manager with no service pack Confi guration Manager SP1 Remote Connection to WMI on Secondary Site Warni ng Confi guration Manager with no service pack Central administr ation site Primary site Seco ndary site SQL Server

more information about PowerShell 2.0, see http://go.microsoft.com/fwlink/p/?LinkId =226450 in the Microsoft Knowledge Base.

Verifies that the NetBIOS name of the computer matches the local hostname (first label of the FQDN) of the computer.

Verifies that the NetBIOS name of the computer matches the local hostname (first label of the FQDN) of the computer.

Checks whether Setup is able to Seco establish a remote connection to WMI ndary site on the secondary site server.

1015

Prerequisite check name

Severit y

Version of Configuration Manager

Applicability

Description

Confi guration Manager SP1 Required SQL Server Collation Error Confi guration Manager with no service pack Confi guration Manager SP1 Central administr ation site Verifies that the instance for SQL Server and the Configuration Manager site database, if installed, is configured Primary to use the site SQL_Latin1_General_CP1_CI_AS collation, unless you are using a Seco Chinese operating system and require ndary site GB18030 support. For information about changing your SQL Server instance and database collations, see http://go.microsoft.com/fwlink/p/?LinkID =234541 in the SQL Server 2008 R2 Books Online. For information about enabling GB18030 support, see Technical Reference for International Support in Configuration Manager. Setup Source Folder Error Confi guration Manager with no service pack Confi guration Manager SP1 Setup Source Version Error Confi guration Manager Verifies that the computer account for Seco the secondary site has Read NTFS file ndary site system permissions and Read share permissions to the Setup source folder and share. Note The secondary site computer account must be an administrator on the computer if you use administrative shares (for example, C$ and D$). Verifies that the Configuration Manager Seco version in the source folder that you ndary site specified for the secondary site
1016

Prerequisite check name

Severit y

Version of Configuration Manager

Applicability

Description

with no service pack Confi guration Manager SP1 Site code in use Error Confi guration Manager with no service pack Confi guration Manager SP1 SMS Provide Error r machine has same domain as site server SQL Server Edition Error Confi guration Manager SP1 Confi guration Manager SP1 Error Confi guration Manager SP1 Error Confi guration Manager SQL Server SMS Provider Primary site

installation must match the Configuration Manager version of the primary site.

Checks that the site code that you specified is not already in use in the Configuration Manager hierarchy. You must specify a unique site code for this site. For more information about site naming, see the Configuration Manager Site Naming section in Install Sites and Create a Hierarchy for Configuration Manager topic.

Checks if a computer that runs an instance of the SMS Provider has same domain as the site server.

Checks that the edition of SQL Server at the site is not SQL Server Express.

SQL Server Express on Secondary Site SQL Server on Secondary Site

Checks that SQL Server Express can Seco successfully install on the site server ndary site computer for a secondary site.

Checks that an instance of SQL Server Seco is not already installed on the ndary site secondary site server and that it does not use the instance name
1017

Prerequisite check name

Severit y

Version of Configuration Manager

Applicability

Description

with no service pack

CONFIGMGRSEC. It also verifies that another instance for SQL Server does not use the specified TCP port. Note This check applies only when you select to have Setup install SQL Server Express.

SQL Server on the Secondary Site Computer

Error

Confi guration Manager with no service pack Confi guration Manager SP1

Checks that SQL Server is installed on Seco the secondary site computer. It is not ndary site supported to install SQL Server on remote site system. Warning This check applies only when you select to have Setup use an existing instance of SQL Server.

SQL Server process memory allocation

Warni ng

Confi guration Manager with no service pack Confi guration Manager SP1

SQL Server

Verifies that SQL Server reserves a minimum of 8 GB of memory for the central administration site and primary site, and a minimum of 4 GB of memory for the secondary site. For more information about how to set a fixed amount of memory by using SQL Server Management Studio, see http://go.microsoft.com/fwlink/p/?LinkId =233759" \t "_blank" How to: Set a Fixed Amount of Memory (SQL Server Management Studio). Note This check is not applicable to SQL Server Express on a secondary site, which is limited to 1 GB of reserved memory

SQL Server

Error

Confi

Central administr

Verifies that the logon account for the

1018

Prerequisite check name

Severit y

Version of Configuration Manager

Applicability

Description

service running account

guration Manager with no service pack Confi guration Manager SP1

ation site Seco ndary site Primary site

SQL Server service is not a local user account or LOCAL SERVICE. You must configure the SQL Server service to use a valid domain account, NETWORK SERVICE, or LOCAL SYSTEM.

SQL Server TCP Port

Error

Confi guration Manager SP1

SQL Server

Checks that TCP is enabled for the SQL Server and is set to use a static port.

SQL Server version

Error

Confi guration Manager with no service pack Confi guration Manager SP1

SQL Server

Verifies that a supported version of SQL Server is installed on the specified site database server. For more information, see SQL Server Requirements section in the Supported Configurations for Configuration Manager topic.

Unsupported Error site system role 'Asset Intelligence synchronizati on point' on the expanded primary site Unsupported site system role Error

Confi guration Manager SP1

Central administr ation site

Checks that the Asset Intelligence synchronization point site system role is not on installed on the stand-alone primary site that you are expanding.

Confi guration

Central administr ation site

Checks that the Endpoint Protection point site system role is not installed on the stand-alone primary site that you
1019

Prerequisite check name

Severit y

Version of Configuration Manager

Applicability

Description

'Endpoint Protection point' on the expanded primary site User State Migration Tool (USMT) installed Error

Manager SP1

are expanding.

Confi guration Manager SP1

Central administr ation site Primary site (standalone only) SQL Server

Checks whether the User State Migration Tool (USMT) component of the Assessment and Deployment Kit (ADK) is installed.

Validate FQDN of SQL Server Computer

Error

Confi guration Manager with no service pack Confi guration Manager SP1

Checks that the FQDN that you specified for the SQL Server computer is valid.

Verify Central Administratio n Site Version Verify site server permissions to publish to Active Direct ory.

Error

Confi guration Manager SP1

Primary site

Checks that the central administration site has the same version of Configuration Manager.

Warni ng

Confi guration Manager with no service pack Confi

Central administr ation site

Verifies that the computer account for the site server has Full Control permissions to the System Primary Management container in the site Active Directory domain. For more information about your options to Seco configure required permissions, see ndary site Prepare the Windows Environment for
1020

Prerequisite check name

Severit y

Version of Configuration Manager

Applicability

Description

guration Manager SP1

Configuration Manager. Note You can ignore this warning if you have manually verified the permissions. SMS Provider Checks that the language version for Windows AIK is the same as the operating system language of the Configuration Manager site server. For more information about Windows AIK installation, see http://go.microsoft.com/fwlink/p/?LinkId =206077. Checks whether the Windows Deployment Tools component of the Assessment and Deployment Kit (ADK) is installed. Checks that computers that run an instance of the SMS Provider are not part of a Windows Cluster.

Windows Automated Installation Kit (Windows AI K) language

Warni ng

Confi guration Manager with no service pack

Windows Deployment Tools installed Windows Failover Cluster

Error

Confi guration Manager SP1

SMS Provider

Error

Confi guration Manager SP1

SMS Provider

Windows Failover Cluster

Error

Confi guration Manager SP1

Checks that computers that have a Mana management point or distribution point gement are not part of a Windows Cluster. point Distri bution point

Windows Preinstallatio n Environment installed Windows

Error

Confi guration Manager SP1

SMS Provider

Checks whether the Windows Preinstallation Environment component of the Assessment and Deployment Kit (ADK) is installed.

Warni

Primary

Verifies that WinRM v1.1 is installed on

1021

Prerequisite check name

Severit y

Version of Configuration Manager

Applicability

Description

Remote ng Management (WinRM) v1. 1

Confi guration Manager with no service pack Confi guration Manager SP1

site Confi guration Manager console

the primary site server or Configuration Manager console computer to run the out of band management console. For more information about how to download WinRM 1.1, see http://go.microsoft.com/fwlink/p/?LinkId =247166 in the Microsoft Knowledge Base.

Windows Server 2003based Schannel hotfix

Warni ng

Confi guration Manager with no service pack Confi guration Manager SP1

Primary site

Verifies that a specific Schannel hotfix for Windows Server 2003 is installed on the site server for the out of band service point. For more information about the hotfix, see http://go.microsoft.com/fwlink/p/?LinkId =247168 in the Microsoft Knowledge Base.

WSUS on site server

Warni ng

Confi guration Manager with no service pack Confi guration Manager SP1

Central administr ation site Primary site

Verifies that Windows Server Update Services (WSUS) version 3.0 Service Pack 2 is installed on the site server. When you use a software update point on a different computer than the site server, you must install the WSUS Administration Console on the site server. For more information about WSUS, see http://go.microsoft.com/fwlink/p/?LinkID =79477 web page. For information about how to configure WSUS for use with a software update point on a computer that runs Windows Server 2012, see the Step 2: Install the WSUS Server Role from the Windows
1022

Prerequisite check name

Severit y

Version of Configuration Manager

Applicability

Description

Server Update Services web page.

Prerequisite Checks for System Requirements

The following table lists the prerequisite checks that Prerequisite Checker performs for system requirements.
Prerequisite check name Severity Version of Configuration Manager Applicability Description

Active Directory Domain Functional Level Check

Warning

Configuration Manager with no service pack Configuration Manager SP1

Central administration site Primary site

Verifies that the Active Directory domain functional level is a minimum of Windows Server 2003. The domain functional level must be a minimum of Windows Server 2003 if you configure discovery to filter and remove stale computer records. For more information about Active Directory domain functional levels, see What are Active Directory Functional Levels. Verifies that the Server Service is started.

Check Server Service is running

Error

Configuration Manager with no service pack

Central administration site Primary site Secondary site Management

1023

Prerequisite check name

Severity

Version of Configuration Manager

Applicability

Description

point Check Server Service is running Error Configuration Manager SP1 Central administration site Primary site Secondary site Management point Verifies that the Server Service is started. Verifies that Configuration Manager the computer is a member of a Windows domain. Verifies that the Server Service is started.

Check Server Service is running Domain membership Warning Configuration Manager SP1

Error

Configuration Manager with no service pack

Central administration site Primary site Secondary site Configuration Manager console SMS Provider SQL Server Management point Distribution point Central administration site Primary site Secondary site SMS Provider SQL Server Management point Distribution point

Domain membership Error Configuration Manager SP1

Domain membership Warning Configuration Manager SP1

Verifies that Configuration Manager the computer is a member of a Windows domain.

Verifies that Configuration Manager the computer is a member of a Windows domain.

1024

Prerequisite check name

Severity

Version of Configuration Manager

Applicability

Description

FAT Drive on Site Server

Warning

Configuration Manager with no service pack Configuration Manager SP1

Primary site

Checks whether the disk drive is formatted with the FAT file system. Install site server components on disk drives formatted with the NTFS file system for better security. Checks that the SMS Provider site system computer has at least 1 GB of free disk space to install the Windows Automated Installation Kit. The site server computer must have at least 5 GB of free disk space to install the site server. You must have an additional 1 GB of free space if you install the SMS Provider site system role on the same computer. Checks whether another program requires the server to be restarted before you run Setup.

Free disk space for Windows Automated Installation Kit (Windows AIK)

Error

Configuration Manager with no service pack

SMS Provider

Free disk space on site server

Error

Configuration Manager with no service pack Configuration Manager SP1

Central administration site Primary site Secondary site

Pending system restart

Error

Configuration Manager with no service pack Configuration Manager SP1

Central administration site Primary site Secondary site Configuration Manager console

1025

Prerequisite check name

Severity

Version of Configuration Manager

Applicability

Description

Read-Only Domain Controller Error Configuration Manager SP1

SMS Provider SQL Server Management point Distribution point Central administration site Primary site Secondary site Site database servers and secondary site servers are not supported on a read-only domain controller (RODC). For more information, see You may encounter problems when installing SQL Server on a domain controller in the Microsoft Knowledge Base. Determines whether the Active Directory Domain Services schema has been extended, and if so, the version of the schema extensions that were used. Configuration Manager Active Directory schema extensions are not required for site server installation, but are recommended to
1026

Schema extensions

Warning

Configuration Manager with no service pack Configuration Manager SP1

Central administration site Primary site

Prerequisite check name

Severity

Version of Configuration Manager

Applicability

Description

fully support the use of all Configuration Manager features. For more information about the advantages of extending the schema, see Determine Whether to Extend the Active Directory Schema for Configuration Manager. Site Server FQDN Length Error Configuration Manager SP1 Central administration site Primary site Secondary site Configuration Manager console Verifies that the Configuration Manager consoles can be installed on computers that run a supported operating system version. For more information, see the Configuration Manager Console Requirements section in the Supported Configurations for Configuration Manager topic. Verifies that a supported operating system is running
1027

Unsupported Configuration Manager console operating system Error Configuration Manager with no service pack Configuration Manager SP1

Checks the length of the FQDN of the site server computer.

Unsupported site server operating

Error

Configuration Manager with no service

Central administration site

Prerequisite check name

Severity

Version of Configuration Manager

Applicability

Description

system version for Setup

pack Configuration Manager SP1

Primary site Secondary site Configuration Manager console Management point Distribution point SMS Provider

WIM filter driver Error Configuration Manager with no service pack

on the server. For more information, see the Supported Configurations for Configuration Manager topic.

Checks whether the WIM filter driver is currently running on the SMS Provider computer, which prevents Setup from installing the Windows Automated Installation Kit.

Prerequisite Checks for Upgrade

The following table lists the prerequisite checks that Prerequisite Checker performs when you upgrade Configuration Manager to a new service pack version.
Prerequisite check name Severity Versions of Configuration Manager Applicability Description

Backlogged inboxes

Warning

Configur ation Manager SP 1 Configur ation Manager SP

Primary site

Verifies that the site server is processing messages in critical inboxes in a timely fashion, and that inboxes do not contain files older than one day. Verifies that all distribution points in the site have the latest version of software distribution packages.

Distribution Warning point package version

Primary site

1028

Prerequisite check name

Severity

Versions of Configuration Manager

Applicability

Description

1 Migration active source hierarchy Error Configur ation Manager SP 1 Warning Configur ation Manager SP 1 Error Configur ation Manager SP 1 Central administrat ion site Primary site Primary site Verifies that the Share Name in Package does not have the unsupported character: #. Verifies that no active source hierarchy is currently configured for migration.

Share Name in Package

Software update points in NLB Configuration

Central administrat ion site Primary site Secondary site SQL Server

Verifies that software updates management does not use any virtual locations for active software update points.

SQL instance hosting an active site Database SQL Server database collation

Error

Configur ation Manager SP 1

Checks that the site database being tested for database upgrade is not an active site database. Verifies that the SQL Server database collation settings are the same for the tempdb database and the site database. Checks if the version of SQL Server Express on the secondary site is at least SQL Server 2008 R2 Service Pack 1 (version 10.51.2500.0). If Configuration Manager did not install SQL Server Express when the secondary site installed, then Setup skips this check.

Error

Configur ation Manager SP 1

Primary site

SQL Server Express version on secondary site

Warning

Configur ation Manager SP 1

Secondary Site

1029

Prerequisite check name

Severity

Versions of Configuration Manager

Applicability

Description

SQL Server Native Client

Error

Configur ation Manager SP 1

SQL S erver

Verifies that the SQL Server Native Client 2012 is installed.

Unsupported ConfigMgr database version

Error

Configur ation Manager SP 1 Configur ation Manager SP 1

SQL S erver

Verifies that the site database version to be upgraded is at least System Center 2012 Configuration Manager SP1 RC1. Verifies that the built-in collections have not been modified.

Verify that the Warning built-in collections have not been modified

Central administrat ion site Primary site

See Also
Technical Reference for Site Administration in Configuration Manager

Technical Reference for International Support in Configuration Manager

The following sections provide technical details to help you configure System Center 2012 Configuration Manager to be compliant for specific international requirements.

GB18030 Requirements
Configuration Manager meets the standards that are defined in GB18030 so that you can use Configuration Manager in China. A Configuration Manager deployment must have the following configurations to meet the GB18030 requirements: Each site server computer and SQL Server computer that you use with Configuration Manager must use a Chinese operating system. Each site database and each instance of SQL Server in the hierarchy must use the same collation, and must be one of the following:
1030

Chinese_Simplified_Pinyin_100_CI_AI Chinese_Simplified_Stroke_Order_100_CI_AI Note These database collations are an exception to the requirements noted in the SQL Server Requirements section in the Supported Configurations for Configuration Manager topic.

You must place a file with the name GB18030.SMS in the root folder of the system volume of each site server computer in the hierarchy. This file does not contain any data and can be an empty text file that is named to meet this requirement.

See Also
Technical Reference for Site Administration in Configuration Manager

Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority
This step-by-step example deployment, which uses a Windows Server 2008 certification authority (CA), contains procedures to guide you through the process of creating and deploying the public key infrastructure (PKI) certificates that Microsoft System Center 2012 Configuration Manager uses. These procedures use an enterprise certification authority (CA) and certificate templates. The steps are appropriate for a test network only, as a proof of concept. Because there is no single method of deployment for the required certificates, you must consult your particular PKI deployment documentation for the required procedures and best practices to deploy the required certificates for a production environment. For more information about the certificate requirements, see PKI Certificate Requirements for Configuration Manager.

In This Section
The following sections include example step-by-step instructions to create and deploy the following certificates that can be used with System Center 2012 Configuration Manager: Test Network Requirements Overview of the Certificates Deploying the Web Server Certificate for Site Systems that Run IIS Deploying the Service Certificate for Cloud-Based Distribution Points Deploying the Client Certificate for Windows Computers Deploying the Client Certificate for Distribution Points
1031

Deploying the Enrollment Certificate for Mobile Devices Deploying the Certificates for AMT Deploying the Client Certificate for Mac Computers

Test Network Requirements

The step-by-step instructions have the following requirements: The test network is running Active Directory Domain Services with Windows Server 2008, and it is installed as a single domain, single forest. You have a member server running Windows Server 2008 Enterprise Edition, which has installed on it the Active Directory Certificate Services role, and it is configured as an enterprise root certification authority (CA). You have one computer that has Windows Server 2008 (Standard Edition or Enterprise Edition) installed on it and that is designated as a member server, and Internet Information Services (IIS) is installed on it. This computer will be the Configuration Manager site system server that you will configure with an intranet FQDN (to support client connections on the intranet) and an Internet FQDN if you must support mobile devices that are enrolled by Configuration Manager and clients on the Internet. You have one Windows Vista client with the latest service pack installed, and this computer is configured with a computer name that comprises ASCII characters and is joined to the domain. This computer will be a Configuration Manager client computer. You can log in with a root domain administrator account or an enterprise domain administrator account and use this account for all procedures in this example deployment.

Overview of the Certificates

The following table lists the types of PKI certificates that might be required for System Center 2012 Configuration Manager and describes how they are used.
Certificate Requirement Certificate Description

Web server certificate for site systems that run IIS

This certificate is used to encrypt data and authenticate the server to clients. It must be installed externally from Configuration Manager on site systems servers that run IIS and that are configured in Configuration Manager to use HTTPS. For Configuration Manager SP1 only: This certificate might also be required on management points when client notification traffic falls back to using HTTPS. For the steps to configure and install this certificate, see Deploying the Web Server
1032

Certificate Requirement

Certificate Description

Certificate for Site Systems that Run IIS in this this topic. Service certificate for clients to connect to cloud-based distribution points For Configuration Manager SP1 only: This certificate is used to encrypt data and authenticate the cloud-based distribution point service to clients. It must be requested, installed, and exported externally from Configuration Manager so that it can be imported when you create a cloud-based distribution point. For the steps to configure and install this certificate, see Deploying the Service Certificate for Cloud-Based Distribution Points in this this topic. Note This certificate is used in conjunction with the Windows Azure management certificate. For more information about the management certificate, see How to Create a Management Certificate and How to Add a Management Certificate to a Windows Azure Subscription in the Windows Azure Platform section of the MSDN Library. Client certificate for Windows computers This certificate is used to authenticate Configuration Manager client computers to site systems that are configured to use HTTPS. It can also be used for management points and state migration points to monitor their operational status when they are configured to use HTTPS. It must be installed externally from Configuration Manager on computers. For the steps to configure and install this certificate, see Deploying the Client Certificate for Windows Computers in this topic. Client certificate for distribution points This certificate has two purposes: The certificate is used to authenticate the distribution point to an HTTPS-enabled management point before the distribution
1033

Certificate Requirement

Certificate Description

point sends status messages. When the Enable PXE support for clients distribution point option is selected, the certificate is sent to computers that PXE boot so that they can connect to a HTTPS-enabled management point during the deployment of the operating system.

For the steps to configure and install this certificate, see Deploying the Client Certificate for Distribution Points in this topic. Enrollment certificate for mobile devices This certificate is used to authenticate Configuration Manager mobile device clients to site systems that are configured to use HTTPS. It must be installed as part of mobile device enrollment in Configuration Manager and you select the configured certificate template as a mobile device client setting. For the steps to configure this certificate, see Deploying the Enrollment Certificate for Mobile Devices in this topic. Certificates for Intel AMT There are three certificates that relate to out of band management for Intel AMT-based computers: An AMT provisioning certificate; an AMT web server certificate; and optionally, a client authentication certificate for 802.1X wired or wireless networks. The AMT provisioning certificate must be installed externally from Configuration Manager on the out of band service point computer, and then you select the installed certificate in the out of band service point properties. The AMT web server certificate and the client authentication certificate are installed during AMT provisioning and management, and you select the configured certificate templates in the out of band management component properties. For the steps to configure these certificates, see Deploying the Certificates for AMT in this topic.
1034

Certificate Requirement

Certificate Description

Client certificate for Mac computers

For Configuration Manager SP1 only: This certificate is used to authenticate Configuration Manager SP1 Mac computers to management points and distribution points that are configured to support HTTPS. You can request and install this certificate from a Mac computer when you use Configuration Manager enrollment and select the configured certificate template as a mobile device client setting. For the steps to configure this certificate, see Deploying the Client Certificate for Mac Computers in this topic.

Deploying the Web Server Certificate for Site Systems that Run IIS
This certificate deployment has the following procedures: Creating and Issuing the Web Server Certificate Template on the Certification Authority Requesting the Web Server Certificate Configuring IIS to Use the Web Server Certificate

Creating and Issuing the Web Server Certificate Template on the Certification Authority
This procedure creates a certificate template for Configuration Manager site systems and adds it to the certification authority. To create and issue the web server certificate template on the certification authority 1. Create a security group named ConfigMgr IIS Servers that contains the member servers to install System Center 2012 Configuration Manager site systems that will run IIS. 2. On the member server that has Certificate Services installed, in the Certification Authority console, right-click Certificate Templates and click Manage to load the Certificate Templates console. 3. In the results pane, right-click the entry that displays Web Server in the column Template Display Name, and then click Duplicate Template. 4. In the Duplicate Template dialog box, ensure that Windows 2003 Server, Enterprise Edition is selected, and then click OK.
1035

Important Do not select Windows 2008 Server, Enterprise Edition. 5. In the Properties of New Template dialog box, on the General tab, enter a template name to generate the web certificates that will be used on Configuration Manager site systems, such as ConfigMgr Web Server Certificate. 6. Click the Subject Name tab, and make sure that Supply in the request is selected. 7. Click the Security tab, and remove the Enroll permission from the security groups Domain Admins and Enterprise Admins. 8. Click Add, enter ConfigMgr IIS Servers in the text box, and then click OK. 9. Select the Enroll permission for this group, and do not clear the Read permission. 10. Click OK, and close the Certificate Templates Console. 11. In the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template to Issue. 12. In the Enable Certificate Templates dialog box, select the new template that you have just created, ConfigMgr Web Server Certificate, and then click OK. 13. If you do not need to create and issue any more certificate, close Certification Authority.

Requesting the Web Server Certificate

This procedure allows you to specify the intranet and Internet FQDN values that will be configured in the site system server properties, and then installs the web server certificate on to the member server that runs IIS. To request the web server certificate 1. Restart the member server that runs IIS, to ensure that the computer can access the certificate template that you created, by using the Read and Enroll permissions that you configured. 2. Click Start, click Run, and type mmc.exe. In the empty console, click File, and then click Add/Remove Snap-in. 3. In the Add or Remove Snap-ins dialog box, select Certificates from the list of Available snap-ins, and then click Add. 4. In the Certificate snap-in dialog box, select Computer account, and then click Next. 5. In the Select Computer dialog box, ensure Local computer: (the computer this console is running on) is selected, and then click Finish. 6. In the Add or Remove Snap-ins dialog box, click OK. 7. In the console, expand Certificates (Local Computer), and then click Personal. 8. Right-click Certificates, click All Tasks, and then click Request New Certificate. 9. On the Before You Begin page, click Next. 10. If you see the Select Certificate Enrollment Policy page, click Next. 11. On the Request Certificates page, identify the ConfigMgr Web Server Certificate from
1036

the list of displayed certificates, and then click More information is required to enroll for this certificate. Click here to configure settings. 12. In the Certificate Properties dialog box, in the Subject tab, do not make any changes to the Subject name. This means that the Value box for the Subject name section remains blank. Instead, from the Alternative name section, click the Type drop-down list, and then select DNS. 13. In the Value box, specify the FQDN values that you will specify in the Configuration Manager site system properties, and then click OK to close the Certificate Properties dialog box. Examples: If the site system will only accept client connections from the intranet, and the intranet FQDN of the site system server is server1.internal.contoso.com: Type server1.internal.contoso.com, and then click Add. If the site system will accept client connections from the intranet and the Internet, and the intranet FQDN of the site system server is server1.internal.contoso.com and the Internet FQDN of the site system server is server.contoso.com: i. ii. Type server1.internal.contoso.com, and then click Add. Type server.contoso.com, and then click Add. Note It does not matter in which order you specify the FQDNs for Configuration Manager. However, check that all devices that will use the certificate, such as mobile devices and proxy web servers, can use a certificate SAN and multiple values in the SAN. If devices have limited support for SAN values in certificates, you might have to change the order of the FQDNs or use the Subject value instead. 14. On the Request Certificates page, select ConfigMgr Web Server Certificate from the list of displayed certificates, and then click Enroll. 15. On the Certificates Installation Results page, wait until the certificate is installed, and then click Finish. 16. Close Certificates (Local Computer).

Configuring IIS to Use the Web Server Certificate

This procedure binds the installed certificate to the IIS Default Web Site. To configure IIS to use the web server certificate 1. On the member server that has IIS installed, click Start, click Programs, click Administrative Tools, and then click Internet Information Services (IIS) Manager. 2. Expand Sites, right-click Default Web Site, and then select Edit Bindings. 3. Click the https entry, and then click Edit. 4. In the Edit Site Binding dialog box, select the certificate that you requested by using the
1037

ConfigMgr Web Server Certificates template, and then click OK. Note If you are not sure which is the correct certificate, select one, and then click View. This allows you to compare the selected certificate details with the certificates that are displayed with the Certificates snap-in. For example, the Certificates snap-in displays the certificate template that was used to request the certificate. You can then compare the certificate thumbprint of the certificate that was requested with the ConfigMgr Web Server Certificates template with the certificate thumbprint of the certificate currently selected in the Edit Site Binding dialog box. 5. Click OK in the Edit Site Binding dialog box, and then click Close. 6. Close Internet Information Services (IIS) Manager. The member server is now provisioned with a Configuration Manager web server certificate. Important When you install the Configuration Manager site system server on this computer, make sure that you specify the same FQDNs in the site system properties as you specified when you requested the certificate.

Deploying the Service Certificate for Cloud-Based Distribution Points

Note The service certificate for cloud-based distribution points applies to Configuration Manager SP1 only. This certificate deployment has the following procedures: Creating and Issuing a Custom Web Server Certificate Template on the Certification Authority Requesting the Custom Web Server Certificate Exporting the Custom Web Server Certificate for Cloud-Based Distribution Points

Creating and Issuing a Custom Web Server Certificate Template on the Certification Authority
This procedure creates a custom certificate template that is based on the Web Server certificate template. The certificate is for Configuration Manager cloud-based distribution points and the private key must be exportable. After the certificate template is created, it is added to the certification authority. Note This procedure uses a different certificate template from the web server certificate template that you created for site systems that run IIS, because although both certificates
1038

require server authentication capability, the certificate for cloud-based distribution points requires you to enter a custom-defined value for the Subject Name and the private key must be exported. As a security best practice, do not configure certificate templates to allow the private key to be exported unless this configuration is required. The cloudbased distribution point requires this configuration because you must import the certificate as a file, rather than select it from the certificate store. By creating a new certificate template for this certificate, you can restrict which computers request a certificate that allows the private key to be exported. On a production network, you might also consider adding the following modifications for this certificate: Require approval to install the certificate, for additional security. Increase the certificate validity period. Because you must export and import the certificate each time before it expires, increasing the validity period reduces how often you must repeat this procedure. However, when you increase the validity period, it decreases the security of the certificate because it provides more time for an attacker to decrypt the private key and steal the certificate. Use a custom value in the certificate Subject Alternative Name (SAN) to help identify this certificate from standard web server certificates that you use with IIS. To create and issue the custom Web Server certificate template on the certification authority 1. Create a security group named ConfigMgr Site Servers that contains the member servers to install System Center 2012 Configuration Manager SP1 primary site servers that will manage cloud-based distribution points. 2. On the member server that is running the Certification Authority console, right-click Certificate Templates, and then click Manage to load the Certificate Templates management console. 3. In the results pane, right-click the entry that displays Web Server in the column Template Display Name, and then click Duplicate Template. 4. In the Duplicate Template dialog box, ensure that Windows 2003 Server, Enterprise Edition is selected, and then click OK. Important Do not select Windows 2008 Server, Enterprise Edition. 5. In the Properties of New Template dialog box, on the General tab, enter a template name to generate the web server certificate for cloud-based distribution points, such as ConfigMgr Cloud-Based Distribution Point Certificate. 6. Click the Request Handling tab, and select Allow private key to be exported. 7. Click the Security tab, and remove the Enroll permission from the Enterprise Admins security group. 8. Click Add, enter ConfigMgr Site Servers in the text box, and then click OK. 9. Select the Enroll permission for this group, and do not clear the Read permission. 10. Click OK and close Certificate Templates Console.
1039

11. In the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template to Issue. 12. In the Enable Certificate Templates dialog box, select the new template that you have just created, ConfigMgr Cloud-Based Distribution Point Certificate, and then click OK. 13. If you do not have to create and issue any more certificates, close Certification Authority.

Requesting the Custom Web Server Certificate

This procedure requests and then installs the custom web server certificate on to the member server that will run the site server. To request the custom web server certificate 1. Restarted the member server after you created and configured the ConfigMgr Site Servers security group to ensure that the computer can access the certificate template that you created, by using the Read and Enroll permissions that you configured. 2. Click Start, click Run, and type mmc.exe. In the empty console, click File, and then click Add/Remove Snap-in. 3. In the Add or Remove Snap-ins dialog box, select Certificates from the list of Available snap-ins, and then click Add. 4. In the Certificate snap-in dialog box, select Computer account, and then click Next. 5. In the Select Computer dialog box, ensure Local computer: (the computer this console is running on) is selected, and then click Finish. 6. In the Add or Remove Snap-ins dialog box, click OK. 7. In the console, expand Certificates (Local Computer), and then click Personal. 8. Right-click Certificates, click All Tasks, and then click Request New Certificate. 9. On the Before You Begin page, click Next. 10. If you see the Select Certificate Enrollment Policy page, click Next. 11. On the Request Certificates page, identify the ConfigMgr Cloud-Based Distribution Point Certificate from the list of displayed certificates, and then click More information is required to enroll for this certificate. Click here to configure settings. 12. In the Certificate Properties dialog box, in the Subject tab, for the Subject name, select Common name as the Type. 13. In the Value box, specify your choice of service name and your domain name by using an FQDN format. For example: clouddp1.contoso.com. Note It does not matter what service name you specify, as long as it is unique in your namespace. You will use DNS to create an alias (CNAME record) to map this service name to an automatically generated identifier (GUID) and an IP address from Windows Azure.
1040

14. Click Add, and click OK to close the Certificate Properties dialog box. 15. On the Request Certificates page, select ConfigMgr Cloud-Based Distribution Point Certificate from the list of displayed certificates, and then click Enroll. 16. On the Certificates Installation Results page, wait until the certificate is installed, and then click Finish. 17. Close Certificates (Local Computer).

Exporting the Custom Web Server Certificate for Cloud-Based Distribution Points
This procedure exports the custom web server certificate to a file, so that it can be imported when you create the cloud-based distribution point. To export the custom web server certificate for cloud-based distribution points 1. In the Certificates (Local Computer) console, right-click the certificate that you have just installed, select All Tasks, and then click Export. 2. In the Certificates Export Wizard, click Next. 3. On the Export Private Key page, select Yes, export the private key, and then click Next. Note If this option is not available, the certificate has been created without the option to export the private key. In this scenario, you cannot export the certificate in the required format. You must reconfigure the certificate template to allow the private key to be exported, and then request the certificate again. 4. On the Export File Format page, ensure that the option Personal Information Exchange - PKCS #12 (.PFX) is selected. 5. On the Password page, specify a strong password to protect the exported certificate with its private key, and then click Next. 6. On the File to Export page, specify the name of the file that you want to export, and then click Next. 7. To close the wizard, click Finish in the Certificate Export Wizard page, and click OK in the confirmation dialog box. 8. Close Certificates (Local Computer). 9. Store the file securely and ensure that you can access it from the Configuration Manager console. The certificate is now ready to be imported when you create a cloud-based distribution point.

1041

Deploying the Client Certificate for Windows Computers

This certificate deployment has the following procedures: Creating and Issuing the Workstation Authentication Certificate Template on the Certification Authority Configuring Autoenrollment of the Workstation Authentication Template by Using Group Policy Automatically Enrolling the Workstation Authentication Certificate and Verifying Its Installation on Computers

Creating and Issuing the Workstation Authentication Certificate Template on the Certification Authority
This procedure creates a certificate template for System Center 2012 Configuration Manager client computers and adds it to the certification authority. To create and issue the Workstation Authentication certificate template on the certification authority 1. On the member server that is running the Certification Authority console, right-click Certificate Templates, and then click Manage to load the Certificate Templates management console. 2. In the results pane, right-click the entry that displays Workstation Authentication in the column Template Display Name, and then click Duplicate Template. 3. In the Duplicate Template dialog box, ensure that Windows 2003 Server, Enterprise Edition is selected, and then click OK. Important Do not select Windows 2008 Server, Enterprise Edition. 4. In the Properties of New Template dialog box, on the General tab, enter a template name to generate the client certificates that will be used on Configuration Manager client computers, such as ConfigMgr Client Certificate. 5. Click the Security tab, select the Domain Computers group, and select the additional permissions of Read and Autoenroll. Do not clear Enroll. 6. Click OK and close Certificate Templates Console. 7. In the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template to Issue. 8. In the Enable Certificate Templates dialog box, select the new template that you have just created, ConfigMgr Client Certificate, and then click OK. 9. If you do not need to create and issue any more certificate, close Certification Authority.

1042

Configuring Autoenrollment of the Workstation Authentication Template by Using Group Policy

This procedure configures Group Policy to autoenroll the client certificate on computers. To configure autoenrollment of the workstation authentication template by using Group Policy 1. On the domain controller, click Start, click Administrative Tools, and then click Group Policy Management. 2. Navigate to your domain, right-click the domain, and then select Create a GPO in this domain, and Link it here. Note This step uses the best practice of creating a new Group Policy for custom settings rather than editing the Default Domain Policy that is installed with Active Directory Domain Services. By assigning this Group Policy at the domain level, you will apply it to all computers in the domain. However, on a production environment, you can restrict the autoenrollment so that it enrolls on only selected computers by assigning the Group Policy at an organizational unit level, or you can filter the domain Group Policy with a security group so that it applies only to the computers in the group. If you restrict autoenrollment, remember to include the server that is configured as the management point. 3. In the New GPO dialog box, enter a name for the new Group Policy, such as Autoenroll Certificates, and click OK. 4. In the results pane, on the Linked Group Policy Objects tab, right-click the new Group Policy, and then click Edit. 5. In the Group Policy Management Editor, expand Policies under Computer Configuration, and then navigate to Windows Settings / Security Settings / Public Key Policies. 6. Right-click the object type named Certificate Services Client Auto-enrollment, and then click Properties. 7. From the Configuration Model drop-down list, select Enabled, select Renew expired certificates, update pending certificates, and remove revoked certificates , select Update certificates that use certificate templates, and then click OK. 8. Close Group Policy Management.

Automatically Enrolling the Workstation Authentication Certificate and Verifying Its Installation on Computers
This procedure installs the client certificate on computers and verifies the installation. To automatically enroll the workstation authentication certificate and verify its installation on the client computer
1043

1. Restart the workstation computer, and wait a few minutes before logging on. Note Restarting a computer is the most reliable method of ensuring success with certificate autoenrollment. 2. Log on with an account that has administrative privileges. 3. In the search box, type mmc.exe., and then press Enter. 4. In the empty management console, click File, and then click Add/Remove Snap-in. 5. In the Add or Remove Snap-ins dialog box, select Certificates from the list of Available snap-ins, and then click Add. 6. In the Certificate snap-in dialog box, select Computer account, and then click Next. 7. In the Select Computer dialog box, ensure that Local computer: (the computer this console is running on) is selected, and then click Finish. 8. In the Add or Remove Snap-ins dialog box, click OK. 9. In the console, expand Certificates (Local Computer), expand Personal, and then click Certificates. 10. In the results pane, confirm that a certificate is displayed that has Client Authentication displayed in the Intended Purpose column, and that ConfigMgr Client Certificate is displayed in the Certificate Template column. 11. Close Certificates (Local Computer). 12. Repeat steps 1 through 11 for the member server to verify that the server that will be configured as the management point also has a client certificate. The computer is now provisioned with a Configuration Manager client certificate.

Deploying the Client Certificate for Distribution Points

Note This certificate can also be used for media images that do not use PXE boot, because the certificate requirements are the same. This certificate deployment has the following procedures: Creating and Issuing a Custom Workstation Authentication Certificate Template on the Certification Authority Requesting the Custom Workstation Authentication Certificate Exporting the Client Certificate for Distribution Points

1044

Creating and Issuing a Custom Workstation Authentication Certificate Template on the Certification Authority
This procedure creates a custom certificate template for Configuration Manager distribution points that allows the private key to be exported, and adds the certificate template to the certification authority. Note This procedure uses a different certificate template from the certificate template that you created for client computers, because although both certificates require client authentication capability, the certificate for distribution points requires that the private key is exported. As a security best practice, do not configure certificate templates to allow the private key to be exported unless this configuration is required. The distribution point requires this configuration because you must import the certificate as a file, rather than select it from the certificate store. By creating a new certificate template for this certificate, you can restrict which computers request a certificate that allows the private key to be exported. In our example deployment, this will be the security group that you previously created for Configuration Manager site system servers that run IIS. On a production network that distributes the IIS site system roles, consider creating a new security group for the servers that run distribution points so that you can restrict the certificate to just these site system servers. You might also consider adding the following modifications for this certificate: Require approval to install the certificate, for additional security. Increase the certificate validity period. Because you must export and import the certificate each time before it expires, increasing the validity period reduces how often you must repeat this procedure. However, when you increase the validity period, it decreases the security of the certificate because it provides more time for an attacker to decrypt the private key and steal the certificate. Use a custom value in the certificate Subject field or Subject Alternative Name (SAN) to help identify this certificate from standard client certificates. This can be particularly helpful if you will use the same certificate for multiple distribution points. To create and issue the custom Workstation Authentication certificate template on the certification authority 1. On the member server that is running the Certification Authority console, right-click Certificate Templates, and then click Manage to load the Certificate Templates management console. 2. In the results pane, right-click the entry that displays Workstation Authentication in the column Template Display Name, and then click Duplicate Template. 3. In the Duplicate Template dialog box, ensure that Windows 2003 Server, Enterprise Edition is selected, and then click OK. Important Do not select Windows 2008 Server, Enterprise Edition.
1045

4. In the Properties of New Template dialog box, on the General tab, enter a template name to generate the client authentication certificate for distribution points, such as ConfigMgr Client Distribution Point Certificate. 5. Click the Request Handling tab, and select Allow private key to be exported. 6. Click the Security tab, and remove the Enroll permission from the Enterprise Admins security group. 7. Click Add, enter ConfigMgr IIS Servers in the text box, and then click OK. 8. Select the Enroll permission for this group, and do not clear the Read permission. 9. Click OK and close Certificate Templates Console. 10. In the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template to Issue. 11. In the Enable Certificate Templates dialog box, select the new template that you have just created, ConfigMgr Client Distribution Point Certificate, and then click OK. 12. If you do not have to create and issue any more certificates, close Certification Authority.

Requesting the Custom Workstation Authentication Certificate

This procedure requests and then installs the custom client certificate on to the member server that runs IIS and that will be configured as a distribution point. To request the custom Workstation Authentication certificate 1. Click Start, click Run, and type mmc.exe. In the empty console, click File, and then click Add/Remove Snap-in. 2. In the Add or Remove Snap-ins dialog box, select Certificates from the list of Available snap-ins, and then click Add. 3. In the Certificate snap-in dialog box, select Computer account, and then click Next. 4. In the Select Computer dialog box, ensure Local computer: (the computer this console is running on) is selected, and then click Finish. 5. In the Add or Remove Snap-ins dialog box, click OK. 6. In the console, expand Certificates (Local Computer), and then click Personal. 7. Right-click Certificates, click All Tasks, and then click Request New Certificate. 8. On the Before You Begin page, click Next. 9. If you see the Select Certificate Enrollment Policy page, click Next. 10. On the Request Certificates page, select the ConfigMgr Client Distribution Point Certificate from the list of displayed certificates, and then click Enroll. 11. On the Certificates Installation Results page, wait until the certificate is installed, and then click Finish. 12. In the results pane, confirm that a certificate is displayed that has Client Authentication displayed in the Intended Purpose column, and that ConfigMgr Client Distribution Point Certificate is displayed in the Certificate Template column.
1046

13. Do not close Certificates (Local Computer).

Exporting the Client Certificate for Distribution Points

This procedure exports the custom Workstation Authentication certificate to a file, so that it can be imported in the distribution point properties. To export the client certificate for distribution points 1. In the Certificates (Local Computer) console, right-click the certificate that you have just installed, select All Tasks, and then click Export. 2. In the Certificates Export Wizard, click Next. 3. On the Export Private Key page, select Yes, export the private key, and then click Next. Note If this option is not available, the certificate has been created without the option to export the private key. In this scenario, you cannot export the certificate in the required format. You must reconfigure the certificate template to allow the private key to be exported, and then request the certificate again. 4. On the Export File Format page, ensure that the option Personal Information Exchange - PKCS #12 (.PFX) is selected. 5. On the Password page, specify a strong password to protect the exported certificate with its private key, and then click Next. 6. On the File to Export page, specify the name of the file that you want to export, and then click Next. 7. To close the wizard, click Finish in the Certificate Export Wizard page, and click OK in the confirmation dialog box. 8. Close Certificates (Local Computer). 9. Store the file securely and ensure that you can access it from the Configuration Manager console. The certificate is now ready to be imported when you configure the distribution point. Tip You can use the same certificate file when you configure media images for an operating system deployment that does not use PXE boot, and the task sequence to install the image must contact a management point that requires HTTPS client connections.

Deploying the Enrollment Certificate for Mobile Devices

This certificate deployment has a single procedure to create and issue the enrollment certificate template on the certification authority.
1047

Creating and Issuing the Enrollment Certificate Template on the Certification Authority
This procedure creates an enrollment certificate template for System Center 2012 Configuration Manager mobile devices and adds it to the certification authority. To create and issue the enrollment certificate template on the certification authority 1. Create a security group that contains users who will enroll mobile devices in System Center 2012 Configuration Manager. 2. On the member server that has Certificate Services installed, in the Certification Authority console, right-click Certificate Templates, and then click Manage to load the Certificate Templates management console. 3. In the results pane, right-click the entry that displays Authenticated Session in the column Template Display Name, and then click Duplicate Template. 4. In the Duplicate Template dialog box, ensure that Windows 2003 Server, Enterprise Edition is selected, and then click OK. Important Do not select Windows 2008 Server, Enterprise Edition. 5. In the Properties of New Template dialog box, on the General tab, enter a template name to generate the enrollment certificates for the mobile devices to be managed by Configuration Manager, such as ConfigMgr Mobile Device Enrollment Certificate. 6. Click the Subject Name tab, make sure that Build from this Active Directory information is selected, select Common name for the Subject name format: and clear User principal name (UPN) from Include this information in alternate subject name. 7. Click the Security tab, select the security group that contains users who have mobile devices to enroll, and select the additional permission of Enroll. Do not clear Read. 8. Click OK and close Certificate Templates Console. 9. In the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template to Issue. 10. In the Enable Certificate Templates dialog box, select the new template that you have just created, ConfigMgr Mobile Device Enrollment Certificate, and then click OK. 11. If you do not need to create and issue any more certificate, close the Certification Authority console. The mobile device enrollment certificate template is now ready to be selected when you configure a mobile device enrollment profile in the client settings.

Deploying the Certificates for AMT

This certificate deployment has the following procedures: Creating, Issuing, and Installing the AMT provisioning certificate Creating and Issuing the Web Server Certificate for AMT-Based Computers
1048

Creating and Issuing the Client Authentication Certificates for 802.1X AMT-Based Computers

Creating, Issuing, and Installing the AMT Provisioning Certificate

Create the provisioning certificate with your internal CA when the AMT-based computers are configured with the certificate thumbprint of your internal root CA. When this is not the case and you must use an external certification authority, use the instructions from the company issuing the AMT provisioning certificate, which will often involve requesting the certificate from the companys public Web site. You might also find detailed instructions for your chosen external CA on the Intel vPro Expert Center: Microsoft vPro Manageability Web site (http://go.microsoft.com/fwlink/?LinkId=132001). Important External CAs might not support the Intel AMT provisioning object identifier. When this is the case, use the alternative method of supplying the OU attribute of Intel(R) Client Setup Certificate. When you request an AMT provisioning certificate from an external CA, install the certificate into the Computer Personal certificate store on the member server that will host the out of band service point. To request and issue the AMT provisioning certificate 1. Create a security group that contains the computer accounts of site system servers that will run the out of band service point. 2. On the member server that has Certificate Services installed, in the Certification Authority console, right-click Certificate Templates, and then click Manage to load the Certificate Templates console. 3. In the results pane, right-click the entry that displays Web Server in the Template Display Name column, and then click Duplicate Template. 4. In the Duplicate Template dialog box, ensure that Windows 2003 Server, Enterprise Edition is selected, and then click OK. Important Do not select Windows 2008 Server, Enterprise Edition. 5. In the Properties of New Template dialog box, on the General tab, enter a template name for the AMT provisioning certificate template, such as ConfigMgr AMT Provisioning. 6. Click the Subject Name tab, select Build from this Active Directory information, and then select Common name. 7. Click the Extensions tab, make sure Application Policies is selected, and then click Edit. 8. In the Edit Application Policies Extension dialog box, click Add. 9. In the Add Application Policy dialog box, click New. 10. In the New Application Policy dialog box, type AMT Provisioning in the Name field,
1049

and then type the following number for the Object identifier: 2.16.840.1.113741.1.2.3. 11. Click OK, and then click OK in the Add Application Policy dialog box. 12. Click OK in the Edit Application Policies Extension dialog box. 13. In the Properties of New Template dialog box, you should now see the following listed as the Application Policies description: Server Authentication and AMT Provisioning. 14. Click the Security tab, and remove the Enroll permission from the security groups Domain Admins and Enterprise Admins. 15. Click Add, enter the name of a security group that contains the computer account for the out of band service point site system role, and then click OK. 16. Select the Enroll permission for this group, and do not clear the Read permission.. 17. Click OK, and close the Certificate Templates console. 18. In Certification Authority, right-click Certificate Templates, click New, and then click Certificate Template to Issue. 19. In the Enable Certificate Templates dialog box, select the new template that you have just created, ConfigMgr AMT Provisioning, and then click OK. Note If you cannot complete steps 18 or 19, check that you are using the Enterprise Edition of Windows Server 2008. Although you can configure templates with Windows Server Standard Edition and Certificate Services, you cannot deploy certificates using modified certificate templates unless you are using the Enterprise Edition of Windows Server 2008. 20. Do not close Certification Authority. The AMT provisioning certificate from your internal CA is now ready to be installed on the band service point computer. To install the AMT provisioning certificate 1. Restart the member server that runs IIS, to ensure it can access the certificate template with the configured permission. 2. Click Start, click Run, and type mmc.exe. In the empty console, click File, and then click Add/Remove Snap-in. 3. In the Add or Remove Snap-ins dialog box, select Certificates from the list of Available snap-ins, and then click Add. 4. In the Certificate snap-in dialog box, select Computer account, and then click Next. 5. In the Select Computer dialog box, ensure Local computer: (the computer this console is running on) is selected, and then click Finish. 6. In the Add or Remove Snap-ins dialog box, click OK. 7. In the console, expand Certificates (Local Computer), and then click Personal. 8. Right-click Certificates, click All Tasks, and then click Request New Certificate. 9. On the Before You Begin page, click Next.

1050

10. If you see the Select Certificate Enrollment Policy page, click Next. 11. On the Request Certificates page, select AMT Provisioning from the list of displayed certificates, and then click Enroll. 12. On the Certificates Installation Results page, wait until the certificate is installed, and then click Finish. 13. Close Certificates (Local Computer). The AMT provisioning certificate from your internal CA is now installed and is ready to be selected in the out of band service point properties.

Creating and Issuing the Web Server Certificate for AMT-Based Computers
Use the following procedure to prepare the web server certificates for AMT-based computers. To create and issue the Web server certificate template 1. Create an empty security group to contain the AMT computer accounts that System Center 2012 Configuration Manager creates during AMT provisioning. 2. On the member server that has Certificate Services installed, in the Certification Authority console, right-click Certificate Templates, and then click Manage to load the Certificate Templates console. 3. In the results pane, right-click the entry that displays Web Server in the column Template Display Name, and then click Duplicate Template. 4. In the Duplicate Template dialog box, ensure that Windows 2003 Server, Enterprise Edition is selected, and then click OK. Important Do not select Windows 2008 Server, Enterprise Edition. 5. In the Properties of New Template dialog box, on the General tab, enter a template name to generate the web certificates that will be used for out of band management on AMT computers, such as ConfigMgr AMT Web Server Certificate. 6. Click the Subject Name tab, click Build from this Active Directory information, select Common name for the Subject name format, and then clear User principal name (UPN) for the alternative subject name. 7. Click the Security tab, and remove the Enroll permission from the security groups Domain Admins and Enterprise Admins. 8. Click Add and enter the name of the security group that you created for AMT provisioning. Then click OK. 9. Select the following Allow permissions for this security group: Read and Enroll. 10. Click OK, and close the Certificate Templates console. 11. In the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template to Issue. 12. In the Enable Certificate Templates dialog box, select the new template that you have
1051

just created, ConfigMgr AMT Web Server Certificate, and then click OK. 13. If you do not have to create and issue any more certificates, close Certification Authority. The AMT Web server template is now ready to provision AMT-based computers with web server certificates. Select this certificate template in the out of band management component properties.

Creating and Issuing the Client Authentication Certificates for 802.1X AMT-Based Computers
Use the following procedure if AMT-based computers will use client certificates for 802.1X authenticated wired or wireless networks. To create and issue the client authentication certificate template on the CA 1. On the member server that has Certificate Services installed, in the Certification Authority console, right-click Certificate Templates, and then click Manage to load the Certificate Templates console. 2. In the results pane, right-click the entry that displays Workstation Authentication in the column Template Display Name, and then click Duplicate Template. Important Do not select Windows 2008 Server, Enterprise Edition. 3. In the Properties of New Template dialog box, on the General tab, enter a template name to generate the client certificates that will be used for out of band management on AMT computers, such as ConfigMgr AMT 802.1X Client Authentication Certificate. 4. Click the Subject Name tab, click Build from this Active Directory information and select Common name for the Subject name format. Clear DNS name for the alternative subject name, and then select User principal name (UPN). 5. Click the Security tab, and remove the Enroll permission from the security groups Domain Admins and Enterprise Admins. 6. Click Add and enter the name of the security group that you will specify in the out of band management component properties, to contain the computer accounts of the AMT-based computers. Then click OK. 7. Select the following Allow permissions for this security group: Read and Enroll. 8. Click OK, and close the Certificate Templates management console, certtmpl [Certificate Templates]. 9. In the Certification Authority management console, right-click Certificate Templates, click New, and then click Certificate Template to Issue. 10. In the Enable Certificate Templates dialog box, select the new template that you have just created, ConfigMgr AMT 802.1X Client Authentication Certificate, and then click OK. 11. If you do not need to create and issue any more certificate, close Certification Authority.
1052

The client authentication certificate template is now ready to issue certificates to AMT-based computers that can be used for 802.1X client authentication. Select this certificate template in the out of band management component properties.

Deploying the Client Certificate for Mac Computers

Note The client certificate for Mac computers applies to Configuration Manager SP1 only. This certificate deployment has a single procedure to create and issue the enrollment certificate template on the certification authority.

Creating and Issuing a Mac Client Certificate Template on the Certification Authority
This procedure creates a custom certificate template for Configuration Manager Mac computers and adds the certificate template to the certification authority. Note This procedure uses a different certificate template from the certificate template that you might have created for Windows client computers or for distribution points. By creating a new certificate template for this certificate, you can restrict the certificate request to authorized users. To create and issue the Mac client certificate template on the certification authority 1. Create a security group that contains user accounts for administrative users who will enroll the certificate on the Mac computer by using Configuration Manager. Make sure that this group does not contain user accounts for users who can enroll mobile devices in Configuration Manager. 2. On the member server that is running the Certification Authority console, right-click Certificate Templates, and then click Manage to load the Certificate Templates management console. 3. In the results pane, right-click the entry that displays Authenticated Session in the column Template Display Name, and then click Duplicate Template. 4. In the Duplicate Template dialog box, ensure that Windows 2003 Server, Enterprise Edition is selected, and then click OK. Important Do not select Windows 2008 Server, Enterprise Edition. 5. In the Properties of New Template dialog box, on the General tab, enter a template name to generate the Mac client certificate, such as ConfigMgr Mac Client Certificate. 6. Click the Subject Name tab, make sure that Build from this Active Directory
1053

information is selected, select Common name for the Subject name format: and clear User principal name (UPN) from Include this information in alternate subject name. 7. Click the Security tab, and remove the Enroll permission from the Domain Admins and Enterprise Admins security groups. 8. Click Add, specify the security group that you created in step one, and then click OK. 9. Select the Enroll permission for this group, and do not clear the Read permission. 10. Click OK and close Certificate Templates Console. 11. In the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template to Issue. 12. In the Enable Certificate Templates dialog box, select the new template that you have just created, ConfigMgr Mac Client Certificate, and then click OK. 13. If you do not have to create and issue any more certificates, close Certification Authority. The Mac client certificate template is now ready to be selected when you configure client settings for enrollment.

See Also
Technical Reference for Site Administration in Configuration Manager

Migrating Hierarchies in System Center 2012 Configuration Manager

The Migrating Hierarchies in System Center 2012 Configuration Manager guide provides documentation to help you migrate hierarchies within your Microsoft System Center 2012 Configuration Manager environment. You can migrate the following hierarchies. With System Center 2012 Configuration Manager, you can migrate an existing Configuration Manager 2007 SP2 infrastructure to System Center 2012 Configuration Manager For System Center 2012 Configuration Manager SP1 only, you can migrate an existing Configuration Manager 2007 SP2 infrastructure or an existing System Center 2012 Configuration Manager SP1 infrastructure to System Center 2012 Configuration Manager SP1.

However, before you migrate any data, you must first install and configure the appropriate System Center 2012 Configuration Manager hierarchy. This hierarchy is the destination hierarchy where the data is migrated to. Read the Site Administration for System Center 2012 Configuration Manager guide and Whats New in Configuration Manager before you read this guide.

1054

Migration Topics
Use the following topics to help you migrate Configuration Manager 2007 and System Center 2012 Configuration Manager SP1 hierarchies to System Center 2012 Configuration Manager: Introduction to Migration in System Center 2012 Configuration Manager Planning for Migration to System Center 2012 Configuration Manager Configuring Source Hierarchies and Source Sites for Migration to System Center 2012 Configuration Manager Operations for Migrating to System Center 2012 Configuration Manager Security and Privacy for Migration to System Center 2012 Configuration Manager

Other Resources for this Product

TechNet Library main page for System Center 2012 Configuration Manager Documentation Library for System Center 2012 Configuration Manager

Introduction to Migration in System Center 2012 Configuration Manager

With System Center 2012 Configuration Manager, you can migrate data from a supported Configuration Manager hierarchy to your Microsoft System Center 2012 Configuration Manager environment. When you migrate data from a source hierarchy, you access data from the site databases that you identify in the source infrastructure and then transfer that data to your current environment. Migration does not change the data in the source hierarchy, but instead discovers the data and stores a copy in the database of the destination hierarchy. Consider the following when you plan your migration strategy. With System Center 2012 Configuration Manager, you can migrate an existing Configuration Manager 2007 SP2 infrastructure to System Center 2012 Configuration Manager. In System Center 2012 Configuration Manager SP1 only, you can migrate an existing Configuration Manager 2007 SP2 infrastructure or an existing System Center 2012 Configuration Manager SP1 infrastructure to System Center 2012 Configuration Manager SP1. You can migrate some or all of the supported data from a source site. You can migrate the data from a single source site to several different sites in the destination hierarchy. You can move data from multiple source sites to a single site in the destination hierarchy. Migration Scenarios The Migration Workflow
1055

Use the following sections to help you plan and implement your migration:

Migration Concepts in System Center 2012 Configuration Manager Whats New in Configuration Manager SP1

Migration Scenarios
Configuration Manager supports the following migration scenarios.

Migration from Configuration Manager 2007 Hierarchies

When you use migration to migrate data from Configuration Manager 2007 to a System Center 2012 Configuration Manager or System Center 2012 Configuration Manager SP1 hierarchy, you can maintain your investment in your existing site infrastructure and gain the following benefits:
Benefit More information

Site database improvements

The System Center 2012 Configuration Manager database supports full Unicode. Replication in System Center 2012 Configuration Manager is based on Microsoft SQL Server. This improves the performance of site-to-site data transfer. Users are the focus of management tasks in System Center 2012 Configuration Manager. For example, you can distribute software to a user even if you do not know the device name for that user. Additionally, System Center 2012 Configuration Manager gives users much more control over what software is installed on their devices and when that software is installed. The new central administration site type in System Center 2012 Configuration Manager, in addition to changes to the behavior of primary and secondary sites let you build a simpler site hierarchy that uses less network bandwidth and requires fewer servers. This central security model in System Center 2012 Configuration Manager offers hierarchy-wide security and management that corresponds to your administrative and business requirements.
1056

Database replication between sites

User-centric management

Hierarchy simplification

Role-based administration

Note Because of the design changes that were introduced in System Center 2012 Configuration Manager, you cannot upgrade an existing Configuration Manager 2007 infrastructure to System Center 2012 Configuration Manager

Migration from System Center 2012 Configuration Manager SP1 Hierarchies

With Configuration Manager SP1, you can migrate data from one Configuration Manager SP1 hierarchy to another. This includes migrating data from multiple source hierarchies into a single destination hierarchy, such as when your company acquires additional resources that are already managed by Configuration Manager. Additionally, you can migrate data from a Configuration Manager SP1 test environment to your Configuration Manager SP1 production environment. This allows you to maintain your investment in the Configuration Manager test environment. Note The expansion of a hierarchy that contains a stand-alone site into a hierarchy that contains a central administration site is not categorized as a migration. For information about hierarchy expansion, see the Planning to Expand a Stand-Alone Primary Site section in the Planning for Sites and Hierarchies in Configuration Manager topic.

The Migration Workflow

The following steps describe the basic migration workflow. Specify a supported source hierarchy. Configure data gathering. Data gathering enables Configuration Manager to collect information about data that can migrate from the source hierarchy. Configuration Manager automatically repeats the process to collect data on a simple schedule until you stop the data gathering process. By default, the data gathering process repeats every four hours so that Configuration Manager can identify changes to data in the source hierarchy that you might want to migrate. Data gathering is also necessary to share distribution points from the source hierarchy to the destination hierarchy. Create migration jobs to migrate data between the source and destination hierarchy. You can stop the data gathering process at any time by using the Stop Gathering Data command. When you stop data gathering, Configuration Manager no longer identifies changes to data in the source hierarchy, and can no longer share distribution points between the source and destination hierarchies. Typically, you use this action when you no longer plan to migrate data or share distribution points from the source hierarchy. Optionally, after data gathering has stopped at all sites for the source hierarchy, you can clean up the migration data by using the Clean Up Migration Data command. This command deletes the historical data about migration from a source hierarchy from the database of the destination hierarchy.
1057

After you migrate data from a Configuration Manager source hierarchy that you will no longer use to manage your environment, you can plan to decommission that source hierarchy and infrastructure.

Migration Concepts in System Center 2012 Configuration Manager

Use the following information about the concepts and terms that you encounter when you migrate from a source hierarchy to System Center 2012 Configuration Manager.
Concept or term More information

Source hierarchy

A Configuration Manager 2007 SP2 or Configuration Manager SP1 hierarchy that contains data that you want to migrate. You specify a source hierarchy when you specify the top-level site of a source hierarchy. After you specify a source hierarchy, System Center 2012 Configuration Manager gathers data from the database of the designated source site to identify the data that you can migrate. For more information, see the Migration Source Hierarchies section in the Planning a Source Hierarchy Strategy in System Center 2012 Configuration Manager topic.

Source sites

The sites in the source hierarchy that have data that you can migrate to System Center 2012 Configuration Manager. For more information, see the Migration Source Sites section in the Planning a Source Hierarchy Strategy in System Center 2012 Configuration Manager topic.

Data gathering

The ongoing process of identifying the information in a source hierarchy that you can migrate to System Center 2012 Configuration Manager. Configuration Manager checks the source hierarchy on a schedule to identify any changes to information in the source hierarchy that you previously migrated
1058

Concept or term

More information

and that you might want to update in System Center 2012 Configuration Manager. For more information, see the Migration Data Gathering section in the Planning a Source Hierarchy Strategy in System Center 2012 Configuration Manager topic. Migration jobs The process of configuring the specific objects to migrate, and then managing the migration of those objects to System Center 2012 Configuration Manager. For more information, see Planning a Migration Job Strategy in System Center 2012 Configuration Manager. Client migration The process of transferring information that clients use from the source database to System Center 2012 Configuration Manager, and then upgrading the client software on devices to the System Center 2012 Configuration Manager client software. For more information, see Planning a Client Migration Strategy in System Center 2012 Configuration Manager. Shared distribution points The distribution points from the source hierarchy that are shared with the destination hierarchy during the migration period. During the migration period, clients assigned to sites in the destination hierarchy can obtain content from shared distribution points. For more information, see the Share Distribution Points Between Source and Destination Hierarchies section in the About Shared Distribution Points in System Center 2012 Configuration Manager Migration topic Monitoring migration The process of monitoring migration activities. You monitor the migration progress and success from the Migration node in the Administration workspace. For more information, see Planning to Monitor
1059

Concept or term

More information

Migration Activity in System Center 2012 Configuration Manager. Stop gathering data The process of stopping data gathering from source sites. When you no longer have data to migrate from a source hierarchy, or if you want to temporarily suspend migration-related activities, you can configure System Center 2012 Configuration Manager to stop gathering data from that hierarchy. For more information, see the Migration Data Gathering section in the Planning a Source Hierarchy Strategy in System Center 2012 Configuration Manager topic. Clean up migration data The process of finishing migration from a source hierarchy by removing information about the migration from the System Center 2012 Configuration Manager database. For more information, see Planning to Complete Migration in System Center 2012 Configuration Manager.

Whats New in Configuration Manager SP1

Note The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide. The following items are new for migration in Configuration Manager SP1: You can merge hierarchies from other organizations that also use Configuration Manager SP1 into your Configuration Manager SP1 hierarchy. You can migrate data from your Configuration Manager SP1 test environment into your Configuration Manager SP1 production environment. Some UI labels and descriptions are updated to reflect the change in functionality that lets you migration from one Configuration Manager SP1 hierarchy to another.

See Also
Migrating Hierarchies in System Center 2012 Configuration Manager

1060

Planning for Migration to System Center 2012 Configuration Manager

Before you migrate data to a Microsoft System Center 2012 Configuration Manager hierarchy, make sure that you are familiar with the changes to System Center 2012 Configuration Manager sites and hierarchies. For more information about sites and hierarchies, see Planning for Sites and Hierarchies in Configuration Manager. You must first install a System Center 2012 Configuration Manager hierarchy to be the destination hierarchy before you can migrate data from a supported source hierarchy. After you install the destination hierarchy, configure the management features and functions that you want to use in your destination hierarchy before you start to migrate data. Additionally, you might have to plan for overlap between the existing source hierarchy and your new destination hierarchy. As an example, consider when the source site or hierarchy is configured to use the same network locations or boundaries as your destination hierarchy. With this configuration, you then install new clients to your destination hierarchy and use automatic site assignment. In this scenario, because a newly installed Configuration Manager client can select a site to join from either hierarchy, the client could incorrectly assign to your destination hierarchy. Therefore, plan to assign each new client in the destination hierarchy to a specific site in that hierarchy instead of using automatic-site assignment. For more information about site assignments, see the Client Site Assignment Considerations section in the Supported Configurations for Configuration Manager topic. For more information about client site assignment for Configuration Manager 2007, see About Client Site Assignment in Configuration Manager in the Configuration Manager 2007 documentation library.

Planning Topics
Use the following topics to help you plan how to migrate an existing Configuration Manager 2007 or System Center 2012 Configuration Manager SP1 hierarchy to System Center 2012 Configuration Manager. Prerequisites for Migration in System Center 2012 Configuration Manager Administrator Checklists for Migration Planning in System Center 2012 Configuration Manager Determine Whether to Migrate Configuration Manager 2007 to System Center 2012 Configuration Manager Planning a Source Hierarchy Strategy in System Center 2012 Configuration Manager Planning a Migration Job Strategy in System Center 2012 Configuration Manager Planning a Client Migration Strategy in System Center 2012 Configuration Manager Planning a Content Deployment Migration Strategy in System Center 2012 Configuration Manager

1061

Planning for the Migration of Configuration Manager Objects to System Center 2012 Configuration Manager Planning to Monitor Migration Activity in System Center 2012 Configuration Manager Planning to Complete Migration in System Center 2012 Configuration Manager

Other Resources for this Product

TechNet Library main page for System Center 2012 Configuration Manager Migrating Hierarchies in System Center 2012 Configuration Manager

Prerequisites for Migration in System Center 2012 Configuration Manager

To migrate from a supported source hierarchy, you must have access to each applicable Configuration Manager source site, and permissions within the System Center 2012 Configuration Manager destination site to configure and run migration operations. Use the information in the following sections to help you understand the versions of Configuration Manager that are supported for migration, and the required configurations. Versions of Configuration Manager That Are Supported for Migration Source Site Languages That Are Supported for Migration Required Configurations for Migration

Versions of Configuration Manager That Are Supported for Migration

The following table lists the versions of Configuration Manager 2007 and System Center 2012 Configuration Manager that are supported for migration to a destination hierarchy of each version of System Center 2012 Configuration Manager.
Destination hierarchy Source hierarchy

System Center 2012 Configuration Manager System Center 2012 Configuration Manager SP1

Configuration Manager 2007 SP2 Configuration Manager 2007 SP2 System Center 2012 Configuration Manager SP1

1062

Source Site Languages That Are Supported for Migration

When you migrate data between Configuration Manager hierarchies, the data is stored in the destination hierarchy in the language neutral format for System Center 2012 Configuration Manager. Because Configuration Manager 2007 does not store data in a language neutral format, the migration process must convert objects to this format during migration. Therefore, only Configuration Manager 2007 source sites that are installed with the following languages are supported for migration: English French German Japanese Korean Russian Simplified Chinese Traditional Chinese

When you migrate data from a System Center 2012 Configuration Manager hierarchy, there are no source site language limitations. Objects in the source site database are already in a language neutral format.

Required Configurations for Migration

The following table lists the required configurations for using migration and migration operations.
Migration operation Details

To configure, run, and monitor migration in the Configuration Manager console

In the destination site, your account must be assigned the role-based administration security role of Infrastructure Administrator. This security role grants permissions to manage all migration operations, which includes the creation of migration jobs, clean up, monitoring, and the action to share and upgrade distribution points. To enable the destination site to gather data, you must configure the following two source site access accounts for use with each source site: Source Site Account: This account is
1063

Data Gathering

Migration operation

Details

used to access the SMS Provider of the source site. For a Configuration Manager 2007 SP2 source site, this account requires Read permission to all source site objects. For a System Center 2012 Configuration Manager source site, this account requires Read permission to all source site objects, You grant this permission to the account by using role-based administration. For information about how to use rolebased administration, see the Planning for Role-Based Administration section in the Planning for Security in Configuration Manager topic.

Source Site Database Account: This account is used to access the SQL Server database of the source site and requires Read and Execute permissions to the source site database.

You can configure these accounts when you configure a new source hierarchy, data gathering for an additional source site, or when you reconfigure the credentials for a source site. These accounts can use a domain user account, or you can specify the computer account of the top-level site of the destination hierarchy. Security If you use the Configuration Manager computer account for either access account, ensure that this account is a member of the security group Distributed COM Users in the domain where the source site resides. When gathering data, the following network protocols and ports are used: NetBIOS/SMB 445 (TCP) RPC (WMI) - 135 (TCP)
1064

Migration operation

Details

Migrate Software Updates

SQL Server - 1433 (TCP)

Before you migrate software updates, you must configure the destination hierarchy with a software update point. For more information, see Planning to Migrate Software Updates To successfully share any distribution points from a source site, at least one primary site or the central administration site in the destination hierarchy must use the same port numbers for client requests as the source site. For each source site, only the distribution points that are installed on site system servers that are configured with a FQDN are shared. In addition, to share a distribution point from a System Center 2012 Configuration Manager source site, the Source Site Account (which accesses the SMS Provider for the source site server), must have Modify permissions to the Site object on the source site. You grant this permission to the account by using role-based administration. For information about how to use role-based administration, see the Planning for Role-Based Administration section in the Planning for Security in Configuration Manager topic.

Share distribution points

Upgrade or reassign distribution points

The Source Site Access Account configured to gather data from the SMS Provider of the source site must have the following permissions: To upgrade a Configuration Manager 2007 distribution point, the account requires Read, Execute, and Delete permissions to the Site class on the Configuration Manager 2007 site server to successfully remove the distribution point from the Configuration Manager 2007 source site To reassign a System Center 2012 Configuration Manager distribution point, the account must have Modify permission
1065

Migration operation

Details

to the Site object on the source site. You grant this permission to the account by using role-based administration. For information about how to use role-based administration, see the Planning for RoleBased Administration section in the Planning for Security in Configuration Manager topic.

See Also
Planning for Migration to System Center 2012 Configuration Manager

Administrator Checklists for Migration Planning in System Center 2012 Configuration Manager
Use the following administrator checklists to help you plan your migration strategy to Microsoft System Center 2012 Configuration Manager: Administrator Checklist for Migration Planning Administrator Checklist for Hierarchy Migration Administrator Checklist for Migration

Administrator Checklist for Migration Planning

Use the following checklist for pre-migration planning steps:
Action More information

Assess the current environment.

Identify existing business requirements that are met by the source hierarchy and develop plans to continue to meet those requirements in the destination hierarchy. For more information, see Fundamentals of Configuration Manager and Whats New in Configuration Manager.

Review the functionality and changes that are available with the version of System Center 2012 Configuration Manager that you use, and use this information to help

1066

Action

More information

you design your destination hierarchy. Determine the administrative security model to use for role-based administration. For more information, see the Planning for Role-Based Administration section in the Planning for Security in Configuration Manager topic. Review your existing domain structure and network topology and consider how this influences your hierarchy design and migration tasks. Decide upon the placement of a central administration site, primary sites, secondary sites, and content distribution options. Identify the computers that sites and site system servers will use in the destination hierarchy, and ensure that they have sufficient capacity to meet existing and future operational requirements. Plan to use the available migration jobs to migrate different objects, which include site boundaries, collections, advertisements, and deployments. For more information, see Types of Migration in System Center 2012 Configuration Manager. System Center 2012 Configuration Manager migrates only the objects that you select. Any objects that are not migrated and that are required in the destination hierarchy must be re-created in the destination hierarchy. Objects that can migrate are displayed when you configure migration jobs. Plan your client migration strategy. Plan to migrate clients by using a controlled approach that limits the network bandwidth and server processing requirements when you migrate clients to the destination hierarchy. For more information about planning a client migration strategy, see Planning a Client Migration Strategy in System Center 2012 Configuration Manager.
1067

Assess your network and Active Directory topology.

Finalize your destination hierarchy design.

Map your hierarchy to the computers that you will use for sites and site servers in the destination hierarchy.

Plan your object migration strategy.

Action

More information

Plan for inventory and compliance data.

System Center 2012 Configuration Manager does not support migrating hardware inventory, software inventory, or desired configuration management compliance data for software updates or clients. Instead, after the client migrates to its new site in the destination hierarchy and receives policy for these configurations, the client submits this information to its assigned site. This action populates the destination site database with current inventory and compliance data.

Plan for the completion of migration from the source hierarchy.

Decide when objects and clients will be migrated. After migration completes, you can plan to decommission the site servers in the source hierarchy.

Administrator Checklist for Hierarchy Migration

Use the following checklist to help you plan a destination hierarchy before you start migration.
Action More information

Identify the computers to use in the destination hierarchy.

System Center 2012 Configuration Manager does not support an in-place upgrade of Configuration Manager 2007 infrastructure. Therefore, if you migrate from Configuration Manager 2007, you must use a side-by-side deployment and install System Center 2012 Configuration Manager on new computers. Similarly, when you migrate from another System Center 2012 Configuration Manager hierarchy, you must install a new destination hierarchy that is a side-by-side deployment to your source hierarchy.

Create your destination hierarchy.

To prepare for migration, install and configure a System Center 2012 Configuration Manager destination hierarchy that includes a primary site. For example: Install a central administration site and then
1068

Action

More information

install at least one child primary If you want to migrate information that is related to software updates, configure a software update point in the destination hierarchy and synchronize software updates. Install a stand-alone primary if you do not plan to use a central administration site.

You must configure and synchronize software updates in the destination hierarchy before you can migrate software updates information from the source hierarchy. For more information, see Configuring Software Updates in Configuration Manager

Install and configure additional site system roles in the destination hierarchy. Verify operational functionality in the destination hierarchy.

Configure additional site system roles and site systems that you will require. Check the following: If the destination hierarchy includes multiple sites, confirm that database replication is working between sites. Database replication is not applicable to stand-alone primary sites. Verify that all installed site system roles are operational. Verify that System Center 2012 Configuration Manager clients you install to the destination hierarchy can communicate successfully with their assigned site.

Note For more information about how to plan a System Center 2012 Configuration Manager hierarchy, see Planning for Sites and Hierarchies in Configuration Manager.

Administrator Checklist for Migration

Use the following checklist to migrate data from the source hierarchy to the destination hierarchy.
Action More information

Enable migration in the destination hierarchy.

Configure a source hierarchy by specifying the top-level site of the source hierarchy. For more information about specifying the source site, see Planning a Source Hierarchy Strategy in System Center 2012 Configuration Manager.
1069

Action

More information

When the source hierarchy runs Configuration Manager 2007 SP2, select and configure additional sites in the source hierarchy.

For each additional site in the Configuration Manager 2007 SP2 source hierarchy that you want to collect data from, you must configure credentials for data gathering. When you configure each source site, the data gathering process begins immediately and continues throughout the migration period until you stop data gathering for that site. Data gathering ensures that you can migrate objects from the source hierarchy that are updated or new since a previous data gathering process. Note When the source hierarchy runs System Center 2012 Configuration Manager, you do not need to configure additional source sites.

Configure distribution point sharing.

You can share distribution points between the two hierarchies to make content for objects that you migrate available to clients in the destination hierarchy. This ensures that the same content remains available for clients in both hierarchies and that you can maintain this content until you stop gathering data and complete the migration. For information about shared distribution points, see the Shared Distribution Points Between Source and Destination Hierarchies section in the Planning a Content Deployment Migration Strategy in System Center 2012 Configuration Manager topic.

Create and run migration jobs to migrate Create migration jobs to migrate objects objects associated with the clients in the source between hierarchies. The required hierarchy. configurations for each migration job can vary depending on what data the job migrates. For example, when you migrate content, regardless of the migration job you use, you must assign a site in the destination hierarchy to own management of that content. The
1070

Action

More information

assigned site will access the original source file location for the content and is responsible for distributing that content to distribution points in the destination hierarchy. For more information, see the Create and Edit Migration Jobs for System Center 2012 Configuration Manager section in the Operations for Migrating to System Center 2012 Configuration Manager topic. Migrate clients to the destination hierarchy. The process of migrating clients depends on your migration scenario: When you migrate clients that have a client version that is not the same as the destination hierarchy, the client software must upgrade. Upgrade requires the removal of the current Configuration Manager client, followed by the installation of the new client version that matches the destination site. When you migrate clients that have a client version that matches the version of the destination hierarchy, the client does not upgrade or reinstall. Instead, the client reassigns to a primary site in the destination hierarchy.

When you migrate a client to the destination hierarchy, the client is associated with its data that you previously migrated to that destination hierarchy. For more information, see Planning a Client Migration Strategy in System Center 2012 Configuration Manager. Upgrade shared distribution points. When you no longer have to support clients in your source hierarchy, you can upgrade shared distribution points. When you upgrade a distribution point, the site system role transfers to a primary site in the destination hierarchy and is removed from the source site in the source hierarchy. When you upgrade a shared distribution point, you do not have to redeploy the content that is on the distribution point
1071

Action

More information

computer to new distribution points in the destination hierarchy. You can also upgrade a distribution point that is co-located on a secondary site server. This removes the secondary site and leaves only the System Center 2012 Configuration Manager distribution point. For information about shared distribution points, see the Shared Distribution Points Between Source and Destination Hierarchies section in the Planning a Content Deployment Migration Strategy in System Center 2012 Configuration Manager topic. Complete migration. After you have migrated data and clients from all sites in the source hierarchy, and you have upgraded applicable distribution points, you can complete migration. To complete migration you stop gathering data for each source site in the source hierarchy. You can then remove migration information that you do not need and decommission your source hierarchy infrastructure. For more information, see Planning to Complete Migration in System Center 2012 Configuration Manager.

See Also
Planning for Migration to System Center 2012 Configuration Manager

Determine Whether to Migrate Configuration Manager 2007 to System Center 2012 Configuration Manager
In Microsoft System Center 2012 Configuration Manager, the built-in migration functionality replaces in-place upgrades of existing Configuration Manager infrastructure by providing a process that transfers data from active Configuration Manager 2007 sites. The functionality provided by migration helps you maintain investments that you have made in configurations and
1072

deployments while you can take full advantage of core changes in the product introduced in System Center 2012 Configuration Manager. These changes include a simplified Configuration Manager hierarchy that uses fewer sites and resources, and the improved processing by use of native 64-bit code that runs on 64-bit hardware. Migration can transfer most data from Configuration Manager 2007. If you do not migrate Configuration Manager 2007 to System Center 2012 Configuration Manager, or if you migrate data and want to maintain objects that migration does not migrate, you must re-create nonmigrated objects in the new System Center 2012 Configuration Manager hierarchy. Use the following sections to help you plan for data you can or cannot migrate to System Center 2012 Configuration Manager: Data That You Can Migrate to Configuration Manager 2012 Data That You Cannot Migrate to Configuration Manager 2012

Data That You Can Migrate to Configuration Manager 2012

Migration can migrate most objects from Configuration Manager 2007 to System Center 2012 Configuration Manager. The migrated instances of some objects must be modified to conform to the System Center 2012 Configuration Manager schema and object format. These modifications do not affect the data in the Configuration Manager 2007 database. You can migrate the following types of objects: Collections Advertisements Boundaries Software distribution packages Virtual application packages Software Updates: Deployments Deployment packages Templates Software update lists Boot images Driver packages Drivers Images Packages Task sequences

Operating System Deployment:

Desired Configuration Management:

1073

Configuration baselines Configuration items

Asset Intelligence customizations Software metering rules

Data That You Cannot Migrate to Configuration Manager 2012

Migration cannot successfully convert some Configuration Manager 2007 objects and data to the System Center 2012 Configuration Manager database schema during migration. These objects and data must be recreated in the System Center 2012 Configuration Manager database. You cannot migrate the following types of objects: Queries Security rights and instances for the site and objects Configuration Manager 2007 reports from SQL Server Reporting Services Configuration Manager 2007 web reports Client inventory and history data AMT client provisioning information Files in the client cache

See Also
Planning for Migration to System Center 2012 Configuration Manager

Planning a Source Hierarchy Strategy in System Center 2012 Configuration Manager

Before you configure a migration job in your System Center 2012 Configuration Manager environment, you must configure a source hierarchy and gather data from at least one source site in that hierarchy. Use the following sections to help you plan for configuring source hierarchies, configuring source sites, and determining the way in which Configuration Manager gathers information from the source sites in the source hierarchy. Migration Source Hierarchies Migration Source Sites Migration Data Gathering

1074

Migration Source Hierarchies

A source hierarchy is a Configuration Manager 2007 or System Center 2012 Configuration Manager hierarchy that contains data that you want to migrate. When you configure a source hierarchy, you specify the top-level site of the source hierarchy. This site is also called a source site. Additional sites that you can migrate data from in the source hierarchy are also called source sites. When you configure a migration job, you configure it to migrate data from a specific source site in the source hierarchy. When you configure a new source hierarchy, that hierarchy automatically becomes the current source hierarchy. To configure a source hierarchy you must specify the top-level site of the source hierarchy, and you must specify the credentials for Configuration Manager to connect to the SMS Provider and site database in the source site. Configuration Manager uses these credentials to retrieve information about the objects and distribution points from the source site. As part of the data gathering process, child sites in the source hierarchy are identified, which you can then configure as additional source sites. Although you can configure multiple source hierarchies, migration can be active for only one source hierarchy at a time. If you configure an additional source hierarchy before you complete migration from the current source hierarchy, Configuration Manager cancels any active migration jobs and postpones any scheduled migration jobs for the current source hierarchy. The newly configured source hierarchy then becomes the current source hierarchy, and you can configure connection credentials, source sites, and migration jobs for the new source hierarchy. The original source hierarchy is now inactive. If you restore an inactive source hierarchy, and you have not previously used the Cleanup Migration Data action, you can view the previously configured migration jobs for that source hierarchy. However, before you can continue migration from that hierarchy, you must reconfigure the credentials to connect to applicable source sites in the hierarchy, and then reschedule any migration jobs that did not finish. Caution If you migrate data from more than a single source hierarchy, each additional source hierarchy must contain a unique set of site codes. For more information about configuring a source hierarchy, see the Configuring a Source Hierarchy for Migration section of the Configuring Source Hierarchies and Source Sites for Migration to System Center 2012 Configuration Manager topic.

Migration Source Sites

Source sites are the sites in the source hierarchy that have the data that you want to migrate. The top-level site of the source hierarchy is always the first source site. When migration collects data from the first source site of a new source hierarchy, it discovers information about additional sites in that hierarchy. After data gathering completes for the initial source site, the actions you take next depend on the product version of the source hierarchy.
1075

Configuration Manager 2007 SP2 Source Sites

After data is gathered from the initial source site of the Configuration Manager 2007 SP2 hierarchy, you do not have to configure additional source sites before you create migration jobs. However, before you can migrate data from additional sites, you must configure additional sites as source sites, and Configuration Manager must successfully gather data from those sites. To gather data from additional sites, you individually configure each site as a source site. This requires you to specify the credentials for Configuration Manager to connect to the SMS Provider and site database of each site. After you configure the credentials for a source site, the data gathering process for that site begins. When you configure additional source sites in a Configuration Manager 2007 SP2 source hierarchy, you must configure source sites from the top down, which means you configure the bottom-tier sites last. You can configure source sites in a branch of the hierarchy at any time, but you must configure a site as a source site before you configure any of its child sites as source sites. Note Only primary sites in a Configuration Manager 2007 SP2 hierarchy are supported for migration.

System Center 2012 Configuration Manager SP1 Source Sites

After data is gathered from the initial source site of the System Center 2012 Configuration Manager SP1 hierarchy, you do not have to configure additional source sites to migrate data from the source hierarchy. This is because System Center 2012 Configuration Manager hierarchies use a shared database and the shared database allows you to identify and then migrate all available objects from the initial source site. However, when you configure the access accounts to gather data from a System Center 2012 Configuration Manager source hierarchy, you might need to grant the Source Site SMS Provider Account access to multiple computers in the source hierarchy. This is because System Center 2012 Configuration Manager sites support multiple instances of the SMS Provider, each on a different computer. When data gathering begins, the top-level site of the destination hierarchy contacts the top-level site in the source hierarchy to identify the location of the SMS Provider for that site. Only the first instance of the SMS provider is identified. If the data gathering process cannot access the SMS Provider at the location it identifies, the process fails and does not try to connect to additional computers that run an instance of SMS Provider for that site.

Migration Data Gathering

Immediately after you specify a source hierarchy, configure credentials for an additional source site in a source hierarchy, or share the distribution points for a source site, Configuration Manager starts to gather data from the source site.

1076

The data gathering process then repeats itself on a simple schedule to maintain synchronization with any changes to data in the source site. By default, the process repeats every four hours. You can modify the schedule for this cycle by editing the Properties of the source site. The initial data gathering process must review all objects in the Configuration Manager database and can take time to finish. Subsequent data gathering processes identify only changes to the data and require less time to finish. To gather data, the top-level site in the destination hierarchy connects to the SMS Provider and the site database of the source site to retrieve a list of objects and distribution points. These connections use the source site access accounts. For information about required configurations for gathering data, see Prerequisites for Migration in System Center 2012 Configuration Manager. You can start and stop the data gathering process by using the Gather Data Now, and Stop Gathering Data actions in the Configuration Manager console. After you use the Stop Gathering Data option for a source site for any reason, you must reconfigure credentials for the site before you can gather data from that site again. Until you reconfigure the source site, Configuration Manager cannot identify new objects or changes to previously migrated objects at that site. Note Before you expand a stand-alone primary site into a hierarchy with a central administration site, you must stop all Data Gathering. You can reconfigure Data Gathering after the site expansion completes.

Gather Data Now

After the initial data gathering process runs for a site, this process repeats itself to identify objects that have updated since the last data gathering cycle. You can also use the Gather Data Now action in the Configuration Manager console to immediately start the process and to reset the start time of the next cycle. After a data gathering process successfully finishes for a source site, you can share the distribution points from the source site and configure migration jobs to migrate data from the site. Data gathering is a repeating process for migration and continues until you change the source hierarchy, or use the Stop Gathering Data action to end the data gathering process for that site.

Stop Gathering Data

You can use the Stop Gathering Data action to end the data gathering process for a source site when you no longer want Configuration Manager to identify new or changed objects from that site. This action also prevents Configuration Manager from offering clients in the destination hierarchy any shared distribution points from the source as content locations for the content that you have migrated. To stop gathering data from each source site, you must perform the Stop Gathering Data action on the bottom-tier source sites, and then repeat the process at each parent site. The top-level site of the source hierarchy must be the last site on which you stop gathering data. You must stop
1077

data gathering at each child site before performing this action at a parent site. Typically, you only stop gathering data when you are ready to complete the migration process. After you stop gathering data for a source site, information previously gathered about object and collections from that site remain available to use when you configure new migration jobs. However, you do not see any new objects or collections, or see changes that were made to existing objects. If you reconfigure the source site and begin gathering data again, you will see information and status about previously migrated objects.

See Also
Planning for Migration to System Center 2012 Configuration Manager

Planning a Migration Job Strategy in System Center 2012 Configuration Manager

Use migration jobs to configure the specific data that you want to migrate to your System Center 2012 Configuration Manager environment. Migration jobs identify the objects that you plan to migrate, and they run at the top-level site in your destination hierarchy. You can configure one or more migration jobs per source site. This allows you to migrate all objects at one time or limited subsets of data with each job. You can create migration jobs after Configuration Manager has successfully gathered data from one or more sites from the source hierarchy. You can migrate data in any sequence from the source sites that have gathered data. With a Configuration Manager 2007 source site, you can migrate data only from the site where an object was created. With System Center 2012 Configuration Manager source sites, all data that you can migrate is available at the top-level site of the source hierarchy. Before you migrate clients, ensure that the objects that clients use have migrated and that these objects are available in the destination hierarchy. For example, when you migrate from a Configuration Manager 2007 SP2 source hierarchy, you might have an advertisement for content that is deployed to a custom collection that contains a client. In this case you should migrate the collection, the advertisement, and the associated content before you migrate the client. This is because, when the content, collection and advertisement are not migrated before the client migrates, this data cannot be associated with the client in the destination hierarchy. If a client is not associated with the data related to a previously run advertisement and content, the client can be offered the content for installation in the destination hierarchy, which might be unnecessary. When the client migrates after the data has migrated, the client is associated with this content and advertisement, and unless the advertisement is recurring, is not offered this content for the migrated advertisement again. Some objects require more than the migration of data from the source hierarchy to the destination hierarchy. For example, to successfully migrate software updates for your clients to your destination hierarchy, in the destination hierarchy you must deploy an active software update
1078

point, configure the catalog of products, and synchronize the software update point with a Windows Server Update Services (WSUS). Use the following sections to help you plan your migration jobs. Types of Migration Jobs General Planning for All Migration Jobs Planning for Collection Migration Jobs Planning for Object Migration Jobs Planning for Previously Migrated Object Migration Jobs

Types of Migration Jobs

System Center 2012 Configuration Manager supports the following types of migration jobs. Each job type is designed to help define the objects that you can include in that job.
Migration job type Source hierarchy More information

Collection migration

Supported for migration from the following source hierarchies: Configuration Manager 2007 SP2

Migrate objects that are related to collections you select. By Default, collection migration includes all objects that are associated with members of the collection. You can exclude specific object instances when you use a collection migration job. Migrate individual objects that you select. You select only the specific data that you want to migrate.

Object migration

Supported for migration from the following source hierarchies: Configuration Manager 2007 SP2 System Center 2012 Configuration Manager SP1

Previously migrated object migration

Supported for migration from the following source hierarchies: Configuration Manager 2007 SP2 System Center 2012 Configuration Manager SP1

Migrate objects that you previously migrated, when those objects have updated in the source hierarchy after they were last migrated.

1079

Objects That You Can Migrate

Not every object can migrate by a specific type of migration job. The following table identifies the type of objects that you can migrate with each type of migration job. Note Collection migration jobs are available only when you migrate objects from a Configuration Manager 2007 SP2 source hierarchy.
Object type Collection migration Object migration and previously migrated object migration

Advertisements (Available to migrate from supported Configuration Manager 2007 source sites) Asset Intelligence catalog Asset Intelligence hardware requirements Asset Intelligence software list Boundaries Configuration baselines Configuration items Maintenance windows Operating system deployment boot images Operating system deployment driver packages Operating system deployment drivers Operating system deployment images Operating system deployment packages Software distribution packages

Yes

No

No No

Yes Yes

No

Yes

No Yes Yes Yes Yes

Yes Yes Yes No Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

1080

Object type

Collection migration

Object migration and previously migrated object migration

Software metering rules Software update deployment packages Software update deployment templates Software update deployments Software update lists Task sequences Virtual application packages

No Yes

Yes Yes

Yes

Yes

Yes

No

No Yes Yes

Yes Yes Yes Important Although you can migrate a virtual application package by using object migration, the packages cannot be migrated by using the migration job type of Previously Migrated Object Migration. Instead, you must delete the migrated virtual application package from System Center 2012 Configuration Manager and then create a new migration job to migrate the virtual application.

General Planning for All Migration Jobs

Use the Create Migration Job Wizard to create a migration job to migrate objects to your destination hierarchy. The type of the migration job that you create determines which objects are available to migrate. You can create and use multiple migration jobs to migrate data from the same source site, or from multiple source sites. The use of one type of migration job does not block the use of a different type of migration job. After a migration job runs successfully, its status is listed as Completed and it cannot be run again. However, you can create a new migration job to migrate any of the objects that were migrated by the original job, and the new migration job can include additional objects as well.
1081

When you create additional migration jobs the objects that have been previously migrated display with the state of Migrated. You can select these objects to migrate them again; however, unless the object has been updated in the source hierarchy, migrating these objects again is not necessary. If the object has been updated in the source hierarchy after it was originally migrated, you can identify that object when you use the migration job type of Objects modified after migration. You can delete a migration job before it runs. However, after a migration job completes, it remains visible in the Configuration Manager console and cannot be deleted. Each migration job that has completed or has not yet run remains visible in the Configuration Manager console until you complete the migration process and clean up migration data. Note After you have completed migration by using the Clean Up Migration Data action, you can reconfigure the same hierarchy as the current source hierarchy to restore visibility to the objects you previously migrated. You can view the objects contained in any migration job in the System Center 2012 Configuration Manager console by selecting the migration job, and then clicking the Objects in Job tab. Use the information in the following sections to help you plan for all migration jobs.

Data Selection
When you create a collection migration job, you must select one or more collections. After you select the collections the Create Migration Job Wizard displays the objects that are associated with the collections. By default, all objects associated with the selected collections are migrated, but you can clear the objects that you do not want to migrate with that job. When you clear an object that has dependent objects, those dependent objects are also cleared. All cleared objects are added to an exclusion list. Objects on an exclusion list are removed from automatic selection for future migration jobs. You must manually edit the exclusion list to remove objects that you want to have automatically selected for migration in migration jobs you create in the future.

Site Ownership for Migrated Content

When you migrate content for deployments, you must assign the content object to a site in the destination hierarchy. This site then becomes the owner for that content in the destination hierarchy. Although the top-level site of your destination hierarchy is the site that actually migrates the metadata for content, it is the assigned site that accesses the original source files for the content across the network. To minimize the network bandwidth that is used during migration, consider transferring ownership of content to the closest available site. Because information about the content is shared globally in System Center 2012 Configuration Manager, it will be available at every site. Although information about content is shared to all sites by using database replication, any content that you assign to a System Center 2012 Configuration Manager primary site and then
1082

deploy to distribution points at other primary sites, transfers by using file-based replication. This transfer is routed through the central administration site and then to the additional primary site. By centralizing packages that you plan to distribute to multiple primary sites before or during migration when you assign a site as the content owner, you can reduce data transfers across low bandwidth networks.

Configure Role-based Administration Security Scopes for Migrated Data

When you migrate data to a destination hierarchy, you must assign one or more role-based administration security scopes to the objects whose data is migrated. This ensures that only the appropriate administrative users have access to this data after it is migrated. The security scopes that you specify are defined by the migration job and are applied to each object that is migrated by that job. If you require different security scopes to be applied to different sets of objects, and you want to assign those scopes during migration, you must migrate the different sets of objects by using different migration jobs. Before you configure a migration job, review how role-based administration works in System Center 2012 Configuration Manager, and if necessary, configure one or more security scopes for the data that you migrate to control who will have access to the migrated objects in the destination hierarchy. For more information about security scopes and role-based administration, see the Planning for Role-Based Administration section in the Planning for Security in Configuration Manager topic.

Review Migration Actions

When you configure a migration job, the Create Migration Job Wizard displays a list of actions that you must take to ensure a successful migration and a list of actions that Configuration Manager takes during the migration of the selected data. Review this information carefully to verify the expected outcome.

Scheduling Migration Jobs

By default, a migration job runs immediately after it is created. However, you can specify when the migration job runs when you create the job or later by editing the properties of the job. You can schedule the migration job to run at the following times. Run the job now Run the job at a specific start time Not run the job

Specify Conflict Resolution for Migrated Data

By default, migration jobs do not overwrite data in the destination database, unless you configure the migration job to skip or overwrite data that has previously been migrated to the destination database.
1083

Planning for Collection Migration Jobs

Collection migration jobs are available only when you migrate data from a source hierarchy that runs a supported version of Configuration Manager 2007. You must specify one or more collections to migrate when you migrate by collection. For each collection that you specify, the migration job automatically selects all related objects for migration. For example, if you select a specific collection of users, the collection members are then identified, and you can migrate the deployments associated with that collection. Optionally, you can select other deployment objects to migrate that are associated with those members. All these selected items are added to the list of objects that can be migrated. When you migrate a collection, Configuration Manager also migrates collection settings including maintenance windows and collection variables, but cannot migrate collection settings for AMT client provisioning. Use the information in the following sections to understand additional configurations that can apply to collection-based migration jobs.

Excluding Objects from Collection Migration Jobs

You can exclude specific objects from a collection migration job. When you exclude a specific object from a collection migration job, that object is added to a global exclusion list that contains all the objects that you have excluded from migration jobs created for any source site in the current source hierarchy. Objects on the exclusion list are still available for migration in future jobs but are not automatically included when you create a new collection-based migration job. You can edit the exclusion list to remove objects that you have previously excluded. After you remove an object from the exclusion list, it is then automatically selected when an associated collection is specified during the creation of a new migration job.

Unsupported Collections
System Center 2012 Configuration Manager can migrate any of the default user collections, device collections, and most custom collections from the Configuration Manager 2007 source hierarchy. However, System Center 2012 Configuration Manager cannot migrate collections that contain users and devices in the same collection. The following collections cannot be migrated: A collection that contains users and devices. A collection that contains a reference to a collection of a different resource type. For example, a device-based collection that has either a subcollection or a link to a user-based collection. In this example only the top-level collection migrates. A collection that contains a rule to include unknown computers. The collection migrates, but the rule to include unknown computers does not migrate.

1084

Empty Collections
An empty collection is a collection that has no resources associated with it. When System Center 2012 Configuration Manager migrates an empty collection, it converts the collection to an organizational folder that contains no users or devices. This folder is created with the name of the empty collection under the User Collections or Device Collections node in the Assets and Compliance workspace in the Configuration Manager console.

Linked Collections and Subcollections

When you migrate collections that are linked to other collections or that have subcollections, System Center 2012 Configuration Manager creates a folder under the User Collections or Device Collections node in addition to the linked collections and subcollections.

Collection Dependencies and Include Objects

When you specify a collection to migrate in the Create Migration Job Wizard, any dependent collections are automatically selected to be included with the job. This behavior ensures that all necessary resources are available after migration. For example: You select a collection for devices that run Windows 7 and that is named Win_7. This collection is limited to a collection that contains all your client operating systems and that is named All_Clients. The collection All_Clients will be automatically selected for migration.

Collection Limiting
Because System Center 2012 Configuration Manager collections are global data and are evaluated at each site in the hierarchy, plan how to limit the scope of a collection after it is migrated. During migration, you can identify a System Center 2012 Configuration Manager collection to limit the scope of the collection that you are migrating so that the migrated collection does not include unanticipated members. For example, in Configuration Manager 2007, collections are evaluated at the site that creates them, and at child sites. An advertisement might be deployed to only a child site, and this would limit the scope for that advertisement to that child site. In comparison, System Center 2012 Configuration Manager evaluates collections at every site, and associated advertisements would then be evaluated for each site. Collection limiting lets you refine the collection members based on another collection to avoid the addition of unexpected collection members.

Site Code Replacement

When you migrate a collection that contains criteria that identifies a Configuration Manager 2007 site, you must specify a specific System Center 2012 Configuration Manager site. This ensures that the migrated collection remains functional in your System Center 2012 Configuration Manager environment and does not increase in scope.

1085

Specify Behavior for Migrated Advertisements

By default, collection-based migration jobs disable advertisements that migrate to System Center 2012 Configuration Manager and any programs that are associated with the advertisement. When you create a collection-based migration job that contains advertisements, you see the Enable programs for deployment in Configuration Manager 2012 after an advertisement is migrated option on the Settings page of the Create Migration Job Wizard. If you select this option, programs that are associated with the advertisements are enabled after they have migrated. As a best practice, do not select this option and instead, enable the programs after they have migrated when you can verify the clients that will receive them. Note You see the Enable programs for deployment in Configuration Manager 2012 after an advertisement is migrated option only when you create a collection-based migration job, and the migration job contains advertisements. To enable a program after migration, clear the option Disable this program on computers where it is advertised on the Advanced tab of the program properties.

Planning for Object Migration Jobs

Unlike collection migration, you must select each object and object instance that you want to migrate. You can select the individual objects, such as advertisements from a Configuration Manager 2007 hierarchy or a publication from a System Center 2012 Configuration Manager hierarchy, to add to the list of objects to migrate for a specific migration job. Any objects that you do not add to the migration list are not migrated to the destination site by the object migration job. Object-based migration jobs do not have any additional configurations to plan for beyond those applicable to all migration jobs.

Planning for Previously Migrated Object Migration Jobs

When an object that you have already migrated to the destination hierarchy is updated in the source hierarchy, you can migrate that object again by using the Objects modified after migration job type. For example, when you rename, or update the source files for a package in the source hierarchy, the package version increments in the source hierarchy. After the package version increments, the package can be identified for migration by this job type. This job type is similar to the object migration type except that when you select objects to migrate, you can only select from objects that have been updated after they were migrated by a previous migration job. When you select this job type, the conflict resolution behavior on the Settings page of the New Migration Job Wizard is configured to overwrite previously migrated objects, and this setting cannot be changed.

1086

Note This migration job can identify objects that are automatically updated by the source hierarchy and objects that an administrative user updates.

See Also
Planning for Migration to System Center 2012 Configuration Manager

Planning a Client Migration Strategy in System Center 2012 Configuration Manager

To migrate clients from the source hierarchy to a Microsoft System Center 2012 Configuration Manager destination hierarchy, you must perform two tasks. You must migrate the objects that are associated with the client and you must reassign the clients from the source hierarchy to the destination hierarchy. For best results, migrate the objects first so that they are available when the clients are migrated. The objects associated with the client are migrated by using migration jobs. For information about how to migrate the objects that are associated with the client, see Planning a Migration Job Strategy in System Center 2012 Configuration Manager. Use the following sections to plan how you migrate clients to the destination hierarchy. Planning How to Migrate Clients to the Destination Hierarchy Planning How to Handle Data Maintained on Clients During Migration Planning for Handling Inventory and Compliance Data During Migration

Planning How to Migrate Clients to the Destination Hierarchy

When you migrate clients from a source hierarchy, the client software is updated based on the version of the source hierarchy: Configuration Manager 2007 source hierarchy: When you migrate clients from a source hierarchy that runs a supported version of Configuration Manager 2007, the client software upgrades to the client version for the destination hierarchy. System Center 2012 Configuration Manager SP1 source hierarchy: When you migrate clients from a System Center 2012 Configuration Manager SP1 hierarchy to another System Center 2012 Configuration Manager SP1 hierarchy, the client software does not change or upgrade. Instead, the client reassigns from the source hierarchy to a site in the destination hierarchy. Note It is not supported to migrate from a source hierarchy that runs System Center 2012 Configuration Manager with no service pack, to a destination hierarchy that runs
1087

System Center 2012 Configuration Manager SP1. Instead, upgrade all sites and clients in the source hierarchy to System Center 2012 Configuration Manager SP1. After the source hierarchy upgrades, you can migrate between the hierarchies. Use the following information to help you plan the client migration: To upgrade or reassign clients from the source site to the destination site, use any client deployment method that is supported for deploying clients in the destination hierarchy. Typical client deployment methods include client push installation, software distribution, Group Policy, and software update-based client installation. For more information, see Determine the Client Installation Method to Use for Windows Computers in Configuration Manager. Ensure the device that runs the client software is a supported operating system version and meets the minimum hardware requirements for the destination hierarchy. Before you migrate a client, run a migration job to migrate the information the client will use in the destination hierarchy. Clients that upgrade retain their run history for deployments to prevent deployments from rerunning unnecessarily in the destination hierarchy: For Configuration Manager 2007 clients, advertisement run history is retained. For System Center 2012 Configuration Manager clients, deployment run history is retained.

You can migrate clients from sites in the source hierarchy in any order that you choose. However, consider migrating limited numbers of clients in phases, rather than large numbers of clients at a single time. A phased migration reduces the network bandwidth requirements and server processing when each newly upgraded client submits its initial full inventory and compliance data to its assigned site. When you migrate Configuration Manager 2007 clients, the existing client software is uninstalled from the client computer, and the new client software is installed. System Center 2012 Configuration Manager cannot migrate a Configuration Manager 2007 client that has the App-V client installed, unless the App-V client version is 4.6 SP1 or later.

You can monitor the client migration process in the Migration node of the Administration workspace in the Configuration Manager console. After you migrate the client to the destination hierarchy, you can no longer manage that device by using your source hierarchy and should consider removing the client from the source hierarchy. Although this is not a requirement when you migrate hierarchies, it can help prevent identification of a migrated client in a source hierarchy report, or an incorrect count of resources between the two hierarchies during the migration. For example, when a migrated client remains in the source site database, you might run a software updates report that incorrectly identifies the computer as an unmanaged resource when it is now managed by the destination hierarchy.

1088

Planning How to Handle Data Maintained on Clients During Migration

When you migrate a client from its source hierarchy to the destination hierarchy, some information is retained on the device, while other information is not available on the device after migration. The following information is retained on the client device: The unique identifier (GUID), which associates a client with its information in the Configuration Manager database. The advertisement or deployment history, which prevents clients from unnecessarily rerunning advertisements or deployments in the destination hierarchy. The files in the client cache. If the client requires these files to install software, the client downloads them again from the destination hierarchy. Information from the source hierarchy about any advertisements or deployments that have not yet run. If you want the client to run the advertisements or deployments after it migrates, you must redeploy them to the client in the destination hierarchy. Information about inventory. The client resends this information to its assigned site in the destination hierarchy after the client migrates, and the new client data has been generated. Compliance data. The client resends this information to its assigned site in the destination hierarchy after the client migrates, and the new client data has been generated.

The following information is not retained on the client device:

When a client migrates, information that is stored in the Configuration Manager client registry and file path is not retained. After migration, reapply these settings. Typical settings include the following: Power schemes Logging settings Local policy settings

Additionally, you might have to reinstall some applications.

Planning for Handling Inventory and Compliance Data During Migration

Client inventory and compliance data is not saved when you migrate a client to the destination hierarchy. Instead, this information is recreated in the destination hierarchy when a client first sends its information to its assigned site. To help reduce the resulting network bandwidth requirements and server processing, consider migrating a small number of clients in phases rather than migrating a large number of clients at a single time. Additionally, you cannot migrate customizations for hardware inventory from a source hierarchy. You must introduce these to the destination hierarchy independently from migration. For information about how to extend hardware inventory, see How to Extend Hardware Inventory in Configuration Manager.
1089

See Also
Planning for Migration to System Center 2012 Configuration Manager

Planning a Content Deployment Migration Strategy in System Center 2012 Configuration Manager
While you are actively migrating data to a System Center 2012 Configuration Manager destination hierarchy, Configuration Manager clients in both hierarchies can maintain access to content that you deployed in the source hierarchy. Additionally, you can use migration to upgrade distribution points from the source hierarchy to become distribution points in the destination hierarchy. When you share and upgrade distribution points, this strategy can help you avoid having to redeploy content to new servers in the destination hierarchy for the clients that you migrate. Although you can recreate and distribute content in the destination hierarchy, you can also use the following options to manage this content: Share distribution points in the source hierarchy with clients in the destination hierarchy. Upgrade stand-alone Configuration Manager 2007 distribution points or Configuration Manager 2007 secondary sites in the source hierarchy to System Center 2012 Configuration Manager distribution points in the destination hierarchy. Reassign System Center 2012 Configuration Manager distribution points from the source hierarchy to a site in the destination hierarchy. Share Distribution Points Between Source and Destination Hierarchies Planning to Upgrade Configuration Manager 2007 Shared Distribution Points Distribution Point Upgrade Process Planning to Upgrade Configuration Manager 2007 Secondary Sites Distribution Point Reassignment Process

Use the following sections to help you plan for content deployment during migration:

Planning to Reassign System Center 2012 Configuration Manager Distribution Points Content Ownership when Migrating Content

Share Distribution Points Between Source and Destination Hierarchies

During migration, you can share distribution points from a source hierarchy with the destination hierarchy. You can use shared distribution points to make content that you have migrated from a source hierarchy immediately available to clients in the destination hierarchy without having to recreate that content, and then distribute it to new distribution points in the destination hierarchy.
1090

When clients in the destination hierarchy request content that is deployed to distribution points that you have shared, the shared distribution points can be offered to the clients as valid content locations. In addition to being a valid content location for System Center 2012 Configuration Manager clients during migration, it is possible to upgrade or reassign a distribution point to the destination hierarchy. You can upgrade Configuration Manager 2007 shared distribution points and reassign System Center 2012 Configuration Manager shared distribution points. When you upgrade or reassign a shared distribution point, the distribution point becomes a distribution point in the destination hierarchy. After you upgrade or reassign a shared distribution point, you can continue to use the distribution point in the destination hierarchy after migration from the source hierarchy is finished. For more information about how to upgrade a shared distribution point, see Planning to Upgrade Configuration Manager 2007 Shared Distribution Points. For information about how to reassign a shared distribution point, see Planning to Reassign System Center 2012 Configuration Manager Distribution Points. You can choose to share distribution points from any source site in your source hierarchy. When you share distribution points for a source site, each qualifying distribution point at that primary site and at each of the child secondary sites of that primary site are shared. To qualify to be a shared distribution point, the site system server that hosts the distribution point must be configured with a fully qualified domain name (FQDN). Any distribution points that are configured with a NetBIOS name are disregarded. Tip Unlike System Center 2012 Configuration Manager, Configuration Manager 2007 does not require you to configure an FQDN for site system servers. Use the following information to help you plan for shared distribution points: Distribution points that you share must meet the prerequisites for shared distribution points. For information about these prerequisites, see the Required Configurations for Migration section in the Prerequisites for Migration in System Center 2012 Configuration Manager topic. The share distribution point action is a site-wide setting that shares all qualifying distribution points at a source site and at any direct child secondary sites. You cannot select individual distribution points to share when you enable distribution point sharing. Clients in the destination hierarchy can receive content location information for packages that are installed on distribution points that are shared from the source hierarchy. For distribution points from a Configuration Manager 2007 source hierarchy, this includes branch distribution points, distribution points on server shares, and standard distribution points. Caution If you change the source hierarchy, shared distribution points from the original source hierarchy are no longer available and cannot be offered as content locations to clients in the destination hierarchy. If you reconfigure migration to use the original source hierarchy, the previously shared distribution points are restored as valid content location servers.
1091

When you migrate a package that is hosted on a shared distribution point, the package version must be the same in the source and destination hierarchies. When the package version is not the same in the source and destination hierarchy, clients in the destination hierarchy cannot retrieve the content from the shared distribution point. If you update the package in the source hierarchy, you must re-migrate the package data before clients in the destination hierarchy can retrieve that content from a shared distribution point. Note When you view details for a package that is hosted on a shared distribution point, the number of packages that display as Hosted Migrated Packages on the source sites Shared Distribution Points tab is not updated until the next data gathering cycle is finished.

You can view shared distribution points and their properties in the Source Hierarchy node of the Administration workspace in the System Center 2012 Configuration Manager console. You cannot use a shared distribution point from a Configuration Manager 2007 source hierarchy to host packages for Microsoft Application Virtualization (App-V). App-V packages must migrate and be converted for System Center 2012 Configuration Manager clients. However, you can use a shared distribution point from a System Center 2012 Configuration Manager hierarchy to host App-V packages for clients in a destination hierarchy. When you share a protected distribution point from a Configuration Manager 2007 source hierarchy, the destination hierarchy creates a boundary group that includes the protected network locations of that distribution point. You cannot modify this boundary group in the destination hierarchy. However, if you change the protected boundary information for the distribution point in the Configuration Manager 2007 source hierarchy, that change is reflected in the destination hierarchy after the next data gathering cycle finishes. Note Because System Center 2012 Configuration Manager sites use the concept of preferred distribution points instead of protected distribution points, this condition does not apply to distribution points that are shared from System Center 2012 Configuration Manager source sites.

Before you share distribution points from a source site, the eligible distribution points are not visible in the Configuration Manager console. After you share distribution points, only the distribution points that are successfully shared are listed. After you have shared distribution points, you can change the configuration of any shared distribution point in the source hierarchy. Changes that you make to the configuration of a distribution point are reflected in the destination hierarchy after the next data gathering cycle. Distribution points that you updated to qualify for sharing are shared automatically, while those that no longer qualify stop sharing distribution points. For example, you might have a distribution point that is not configured with an intranet FQDN and was not initially shared with the destination hierarchy. After you configure the FQDN for that distribution point, the next data gathering cycle identifies this configuration, and the distribution point is then shared with the destination hierarchy.
1092

Planning to Upgrade Configuration Manager 2007 Shared Distribution Points

When you migrate from a Configuration Manager 2007 source hierarchy, you can upgrade a shared distribution point to make it a System Center 2012 Configuration Manager distribution point. You can upgrade distribution points at both primary sites and secondary sites. The upgrade process removes the distribution point from the Configuration Manager 2007 hierarchy and makes it a site system server in the System Center 2012 Configuration Manager hierarchy. This process also copies the existing content that is on the distributing point to a new location on the distribution point computer. The upgrade process then modifies the copy of the content to create the System Center 2012 Configuration Manager single instance store for use with System Center 2012 Configuration Manager content deployment. Therefore, when you upgrade a distribution point, you do not have to redistribute migrated content that was hosted on the Configuration Manager 2007 distribution point. After Configuration Manager converts the content to the single instance store, the following action is taken depending on the version of the Configuration Manager destination hierarchy: A hierarchy that runs System Center 2012 Configuration Manager with no service pack leaves the original source content intact on the distribution point computer. A hierarchy that runs System Center 2012 Configuration Manager SP1 deletes the original source content on the distribution point computer to free up disk space. System Center 2012 Configuration Manager does not use the original source content location.

Not all Configuration Manager 2007 distribution points that you can share are eligible for upgrade to System Center 2012 Configuration Manager. To be eligible for upgrade, a Configuration Manager 2007 distribution point must meet the conditions for upgrade that include the site system server on which the distribution point is installed, and the type of Configuration Manager 2007 distribution point that is installed. For example, you cannot upgrade any type of distribution point that is installed on the site server computer at a primary site, but you can upgrade a standard distribution point that is installed on the site server computer at a secondary site. Note You can upgrade only those Configuration Manager 2007 shared distribution points that are on a computer that runs an operating system version that is supported for distribution points in System Center 2012 Configuration Manager. For example, although you can share a Configuration Manager 2007 distribution point that is on a computer that runs Windows XP SP2, you cannot upgrade this shared distribution point because System Center 2012 Configuration Manager does not support this operating system for use as a distribution point. The following table lists the supported locations for each type of Configuration Manager 2007 distribution point that can upgrade to System Center 2012 Configuration Manager.

1093

Type of distribution point

Distribution point on a site system computer other than the site server

Distribution point on a site system computer other than the site server and hosting other site system roles

Distribution point on a secondary site server

Standard distribution point Distribution point on 1 server shares Branch distribution point
1

Yes

No

Yes

Yes

No

No

Yes

No

No

System Center 2012 Configuration Manager does not support server shares for site systems but does support the upgrade of a Configuration Manager 2007 distribution point that is on a server share. When you upgrade a Configuration Manager 2007 distribution point that is on a server share, the distribution point type is automatically converted to a server, and you must select the drive on the distribution point computer that will store the single instance content store. Warning Before you upgrade a branch distribution point, uninstall the Configuration Manager 2007 client software. When you upgrade a branch distribution point that has the Configuration Manager 2007 client software installed, the deployed content is removed from the computer, and the upgrade of the distribution point fails. To identify distribution points that are eligible for upgrade in the Configuration Manager console in the Source Hierarchy node, select a source site, and then select the Shared Distribution Points tab. Eligible distribution points display Yes in the Eligible for Upgrade column. When you upgrade a distribution point that is installed on a Configuration Manager 2007 secondary site server, the secondary site is uninstalled from the source hierarchy. Although this scenario is called a secondary site upgrade, the result is that the secondary site is uninstalled. This leaves only a System Center 2012 Configuration Manager distribution point on the computer that was the secondary site server. Because the secondary site is removed from the source hierarchy, if you plan to upgrade the distribution point on a secondary site, see the Planning to Upgrade Configuration Manager 2007 Secondary Sites section in this topic.

Distribution Point Upgrade Process

You can use the Configuration Manager console to upgrade Configuration Manager 2007 distribution points that you have shared with System Center 2012 Configuration Manager. When you upgrade a shared distribution point, the distribution point is uninstalled from the Configuration Manager 2007 site, and then installed as a System Center 2012 Configuration Manager distribution point that is attached to a primary or secondary site that you specify in the destination hierarchy. The upgrade process creates a copy of the migrated content that is stored on the
1094

distribution point, and then converts this copy to the System Center 2012 Configuration Manager single instance content store. When Configuration Manager converts a package to the single instance content store, it deletes that package from the SMSPKG share on the server unless the package has one or more advertisements that are configured to Run program from distribution point. To upgrade the distribution point, System Center 2012 Configuration Manager uses the Source Site Access Account that is configured to gather data from the SMS Provider of the source site. Although this account requires only Read permission for site objects to gather data from the source site, it must also have Delete and Modify permission to the Site class to successfully remove the distribution point from the Configuration Manager 2007 site during the upgrade. Note Configuration Manager can convert content to the single instance store on only one distribution point at a time. When you configure multiple distribution point upgrades, the distribution points are queued for upgrade and processed one at a time. If you decide not to upgrade a shared distribution point, you can still install a System Center 2012 Configuration Manager distribution point on a former Configuration Manager 2007 distribution point. Before you install the System Center 2012 Configuration Manager distribution point, you must first uninstall all Configuration Manager 2007 site system roles from the distribution point computer. This includes the Configuration Manager 2007 site if it is the site server computer. When you uninstall a Configuration Manager 2007 distribution point, content that was deployed to the distribution point is not deleted from the computer. Before you upgrade a shared distribution point, ensure that all content that is deployed to the distribution point is migrated. Content that you do not migrate before you upgrade the distribution point is not available after the upgrade in the destination hierarchy. When you upgrade a distribution point for System Center 2012 Configuration Manager, the content in the migrated packages is converted into a format that is compatible with the System Center 2012 Configuration Manager single instance store. To upgrade a distribution point from within the Configuration Manager console, the Configuration Manager 2007 site system server must meet the following conditions: The distribution point must be eligible for migration. Refer to the previous section for information about the distribution points that you can migrate. The distribution point computer must have sufficient disk space for the content to be converted from the Configuration Manager 2007 content storage format to the single instance store format. For System Center 2012 Configuration Manager with no service pack, this conversion requires available free disk space equal to two times the size of the existing data on the distribution point. For System Center 2012 Configuration Manager SP1, this conversion requires available free disk space equal the size of the largest package that is stored on the distribution point. The distribution point computer must run an operating system version that is supported as a distribution point in the destination hierarchy. Note
1095

When Configuration Manager checks for the eligibility of a distribution point for upgrade, it does not validate the operating system version of the distribution point computer. To upgrade a distribution point, in the Administration workspace, expand Migration, expand the Source Hierarchy node, and then select the site that contains the distribution point that you want to upgrade. Next, in the details pane, on the Shared Distribution Points tab, select the distribution point that you want to upgrade. You can confirm that the distribution point is ready for upgrade by viewing the status in the Eligible for Upgrade column. Next, in the Configuration Manager console ribbon, on the Distribution Points tab, in the Distribution Point group, select Upgrade. This opens a wizard that you use to complete the upgrade of the distribution point. When you upgrade a shared distribution point, you assign the distribution point to a primary or secondary site of your choice in the destination hierarchy. After the distribution point is upgraded, you manage the distribution point as a distribution point in the destination hierarchy, as you would any other distribution point. You can monitor the progress of a distribution point upgrade in the Configuration Manager console by selecting the Distribution Point Upgrades node under the Migration node of the Administration workspace. You can also view information in the Migmctrl.log on the central administration site server of the destination hierarchy, or in the distmgr.log on the site server in the destination hierarchy that manages the upgraded distribution point. Note When you upgrade a distribution point to System Center 2012 Configuration Manager, the distribution point site system role is removed from the Configuration Manager 2007 source site; however, packages that were sent to the distribution point are not updated. In the Configuration Manager 2007 console, packages that had been sent to the distribution point continue to list the site system computer as a distribution point with a Type of Unknown. Subsequent updates to the package in Configuration Manager 2007 result in Distribution Manager reporting errors in the distmgr.log for that site when it attempts to update the package on the unknown site system.

Planning to Upgrade Configuration Manager 2007 Secondary Sites

When you use migration to upgrade a shared distribution point that is hosted on a Configuration Manager 2007 secondary site server, System Center 2012 Configuration Manager not only upgrades the distribution point site system role to be a System Center 2012 Configuration Manager distribution point, but also uninstalls the secondary site from the source hierarchy. The result is a System Center 2012 Configuration Manager distribution point, but no secondary site. For a distribution point on the site server computer to be eligible for upgrade, Configuration Manager must be able to uninstall the secondary site including each of the site system roles on that computer. Typically, a shared distribution point on a Configuration Manager 2007 server
1096

share is eligible for upgrade. However, when a server share exists on the secondary site server, the secondary site and any shared distribution points on that computer are not eligible for upgrade. This is because when the process attempts to uninstall the secondary site, the server share is treated as an additional site system object, and this process cannot uninstall this object. In this scenario, you can enable a standard distribution point on the secondary site server and then redistribute the content to that standard distribution point. This does not use network bandwidth, and when completed, you can uninstall the distribution point on the server share, remove the server share, and then upgrade the distribution point and secondary site. System Center 2012 Configuration Manager does not provide a visible indication that a shared distribution point is on a remote site system server or whether it is co-located with a secondary site. Before you upgrade a shared distribution point, review the distribution point configuration in Configuration Manager 2007 to avoid upgrading a secondary site that you still want to use with Configuration Manager 2007. After you upgrade a shared distribution point, the site system server is removed from the Configuration Manager 2007 hierarchy and is no longer available for use with that hierarchy. Consider upgrading secondary sites that have a shared distribution point when you have a secondary site in a remote network location that is used primarily to control the deployment of content to that remote location. Because you can configure bandwidth control for when you distribute content to a System Center 2012 Configuration Manager distribution point, you can often upgrade a secondary site to a distribution point, configure the distribution point for network bandwidth control, and avoid installing a System Center 2012 Configuration Manager secondary site in that network location. Before you upgrade a distribution point that is hosted on a secondary site server, ensure that you either upgrade each remote distribution point at that secondary site or uninstall each remote distribution point from the secondary site before you upgrade the distribution point on the site server. This is because after the secondary site is uninstalled during the distribution point upgrade, any remaining remote distribution points are orphaned and are no longer eligible for upgrade. Caution When you select a shared distribution point that is located on a secondary site server, there is no visible indication that the computer is also a secondary site server. The process to upgrade a shared distribution point on a secondary site server operates the same as any other shared distribution point upgrade. Content is copied and converted to the System Center 2012 Configuration Manager single instance store. However, the upgrade process also uninstalls the management point, if it is present, and then uninstalls the secondary site from the server. The result is that the secondary site is removed from the Configuration Manager 2007 hierarchy. To uninstall the secondary site, System Center 2012 Configuration Manager uses the account that is configured to gather data from the source site. There is a delay between when the Configuration Manager 2007 secondary site is uninstalled and the System Center 2012 Configuration Manager distribution point installation begins. The data gathering cycle determines this delay of up to four hours. The delay is intended to provide time for
1097

the secondary site to uninstall before the new System Center 2012 Configuration Manager distribution point installation begins. For more information about how to upgrade a shared distribution point, see Planning to Upgrade Configuration Manager 2007 Shared Distribution Points.

Planning to Reassign System Center 2012 Configuration Manager Distribution Points

When you migrate from a supported version of System Center 2012 Configuration Manager, you can reassign a shared distribution point from the source hierarchy to a site in the destination hierarchy. This action removes the distribution point from the source hierarchy and makes the computer, and its distribution point, a site system server for a site that you select in the destination hierarchy. This is similar to the concept of upgrading a Configuration Manager 2007 distribution point to become a System Center 2012 Configuration Manager distribution point. When you reassign a distribution point between supported System Center 2012 Configuration Manager hierarchies, you do not have to redistribute migrated content that was hosted on the source site distribution point. You can reassign distribution points from both primary sites and secondary sites in the source hierarchy. Because System Center 2012 Configuration Manager distribution points already use the single instance store format for content, reassignment of a distribution point does not require additional disk space on the distribution point computer. Not all System Center 2012 Configuration Manager distribution points that you can share are eligible for reassignment to the destination hierarchy. To be eligible or reassignment, a distribution point in a supported System Center 2012 Configuration Manager source site must meet the following criteria: A shared distribution point must be installed on a computer other than the site server. A shared distribution point cannot be co-located with any additional site system roles.

To identify distribution points that are eligible for reassignment in the Configuration Manager console in the Source Hierarchy node, select a source site, and then select the Shared Distribution Points tab. Eligible distribution points display Yes in the Eligible for Upgrade column.

Distribution Point Reassignment Process

You can use the Configuration Manager console to reassign distribution points that you have shared from an active source hierarchy. When you reassign a shared distribution point, the distribution point is uninstalled from its source site, and then installed as a distribution point that is attached to a primary or secondary site that you specify in the destination hierarchy. To reassign the distribution point, the destination hierarchy uses the Source Site Access Account that is configured to gather data from the SMS Provider of the source site. For information about required permissions and additional prerequisites, see Prerequisites for Migration in System Center 2012 Configuration Manager.
1098

Content Ownership when Migrating Content

When you migrate content for deployments, you must assign the content object to a site in the destination hierarchy. This site then becomes the owner for that content in the destination hierarchy. Although the top-level site of your destination hierarchy is the site that actually migrates the metadata for content, it is the assigned site that accesses the original source files for the content across the network. To minimize the network bandwidth that is used during migration, consider transferring ownership of content to the closest available site. Because information about the content is shared globally in System Center 2012 Configuration Manager, it will be available at every site. Although information about content is shared to all sites by using database replication, any content that you assign to a System Center 2012 Configuration Manager primary site and then deploy to distribution points at other primary sites, transfers by using file-based replication. This transfer is routed through the central administration site and then to the additional primary site. By centralizing packages that you plan to distribute to multiple primary sites before or during migration when you assign a site as the content owner, you can reduce data transfers across low bandwidth networks.

See Also
Planning for Migration to System Center 2012 Configuration Manager

Planning for the Migration of Configuration Manager Objects to System Center 2012 Configuration Manager
Use the following sections to help you plan for the Microsoft System Center 2012 Configuration Manager migration of objects that are associated with specific features in Configuration Manager. Planning to Migrate Software Updates Planning to Migrate Content Planning to Migrate Collections Planning to Migrate Operating System Deployments Planning to Migrate Desired Configuration Management Planning to Migrate AMT-Based Computers that are Provisioned for Out of Band Management Planning to Migrate Boundaries Planning to Migrate Reports Planning to Migrate Organizational and Search Folders
1099

Planning to Migrate Asset Intelligence Customizations Planning to Migrate Software Metering Rules Customizations

Planning to Migrate Software Updates

You can migrate software update objects, such as software update packages and software update deployments. To successfully migrate software update objects, you must first configure your destination hierarchy with configurations that match your source hierarchy environment. This requires the following actions: Deploy an active software update point in the destination hierarchy. Configure the catalog of products and languages to match the configuration of your source hierarchy. Synchronize the software update point in the destination hierarchy with a Windows Server Update Services (WSUS). Migration of software update objects can fail when you have not synchronized information in your destination hierarchy to match the configuration of your source hierarchy. Warning It is not supported to use the WSUSutil tool to synchronize data between a source and destination hierarchy. You cannot migrate custom updates that are published by using System Center Updates Publisher. Instead, custom updates must be republished to the destination hierarchy.

When you migrate software updates, consider the following:

When you migrate from Configuration Manager 2007 to System Center 2012 Configuration Manager, the migration process modifies some software updates objects to the System Center 2012 Configuration Manager format. Use the following table to help you plan the migration of software update objects from a supported Configuration Manager 2007 source hierarchy to System Center 2012 Configuration Manager.
Configuration Manager 2007 object System Center 2012 Configuration Manager object

Software update lists

Software update lists are converted to software update groups. Software update deployments are converted to deployments and update groups. Note After you migrate a software update deployment from Configuration Manager 2007, you must enable it in
1100

Software update deployments

Configuration Manager 2007 object

System Center 2012 Configuration Manager object

System Center 2012 Configuration Manager before you can deploy it. Software update packages Software update packages remain software update packages. Software update templates remain software update templates. Note The Duration value in Configuration Manager 2007 deployment templates does not migrate. When you migrate from a supported System Center 2012 Configuration Manager hierarchy to another System Center 2012 Configuration Manager hierarchy, the software updates objects are not modified.

Software update templates

Planning to Migrate Content

You can migrate content from a supported source hierarchy to your destination hierarchy. For a Configuration Manager 2007 source hierarchy, this content includes software distribution packages and programs and virtual applications, such as Microsoft Application Virtualization (App-V). For a System Center 2012 Configuration Manager source hierarchy, this content includes applications, and App-V virtual applications. When you migrate content between hierarchies, it is the compressed source files that migrate to the destination hierarchy.

Packages and Programs

When you migrate packages and programs, they are not modified by migration. However, before you migrate these, you must configure each package to use a Universal Naming Convention (UNC) path for its source file location. As part of the configuration to migrate packages and programs, you must assign a site in the destination hierarchy to manage this content. The content is not migrated from the assigned site, but after migration the assigned site accesses the original source file location by using the UNC mapping. After you migrate a package and program to the destination hierarchy and while migration from the source hierarchy remains active, you can make the content available to clients in that hierarchy by using a shared distribution point. To use a shared distribution point, the content must remain accessible on the source site distribution point. For information about shared distribution points, see the Share Distribution Points Between Source and Destination Hierarchies section in

1101

the Planning a Content Deployment Migration Strategy in System Center 2012 Configuration Manager topic. For content that has migrated, if the content version changes in either source hierarchy or the destination hierarchy, clients can no longer access the content from the shared distribution point. In this scenario, you must re-migrate the content to restore a consistent version of the package on the source sites distribution point as identified by the destination hierarchy after the next data gathering cycle. Tip You can use Microsoft System Center Configuration Manager Package Conversion Manager to convert packages and programs into System Center 2012 Configuration Manager applications. Download Package Conversion Manager from the Microsoft Download Center site. For more information, see Configuration Manager Package Conversion Manager.

Virtual Applications
When you migrate App-V packages from a supported Configuration Manager 2007 site, the migration process converts them to applications in the destination hierarchy. Additionally, based on existing advertisements for the App-V package, the following deployment types are created in System Center 2012 Configuration Manager: If there are no advertisements, one deployment type is created that uses the default deployment type settings. If one advertisement exists, one deployment type is created that uses the same settings as the Configuration Manager 2007 advertisement. If multiple advertisements exist, a deployment type is created for each Configuration Manager 2007 advertisement, using the settings for that advertisement. Important If you migrate a previously migrated Configuration Manager 2007 App-V package to System Center 2012 Configuration Manager, the migration fails because virtual application packages do not support the overwrite migration behavior. In this scenario, you must delete the migrated virtual application package from System Center 2012 Configuration Manager, and then create a new migration job to migrate the virtual application. Note After you migrate an App-V package, you can use the Update Content Wizard to change the source path for App-V deployment types. For information on how to update content for a deployment type, see the How to Manage Deployment Types section in the How to Manage Applications and Deployment Types in Configuration Manager topic. When you migrate from a System Center 2012 Configuration Manager source hierarchy, in addition to App-V deployment types and applications, you can migrate objects for the e App-V virtual environment. For information about App-V environments, see the App-V Virtual
1102

Environments section in the Introduction to Application Management in Configuration Manager topic.

Advertisements
You can migrate advertisements from a supported Configuration Manager 2007 source site to System Center 2012 Configuration Manager by using collection-based migration. If you upgrade a client, it retains the history of previously run advertisements to prevent the client from rerunning migrated advertisements. Note You cannot migrate advertisements for virtual packages. This is an exception to the migration of advertisements.

Applications
You can migrate applications from a supported System Center 2012 Configuration Manager source hierarchy to a System Center 2012 Configuration Manager destination hierarchy. If you reassign a client from the source hierarchy to the destination hierarchy, the client retains the history of previously installed applications to prevent the client from rerunning a migrated application.

Planning to Migrate Collections

You can migrate the criteria for collections from a supported System Center 2012 Configuration Manager source hierarchy. To migrate System Center 2012 Configuration Manager collections, you use an object-based migration job. When you migrate a collection, you migrate the rules for the collection and not information about the members of the collection or information or objects related to the members of the collection. Migration of the collection object is not supported when you migrate from a Configuration Manager 2007 source hierarchy.

Planning to Migrate Operating System Deployments

You can migrate the following operating system deployment objects from a supported source hierarchy: Operating system images and packages. The source path of boot images are updated to the default image location for the Windows Administrative Installation Kit (Windows AIK) on the destination site. The following are requirements and limitations to migrating operating system images and packages: To successfully migrate image files, the computer account of the SMS Provider server for the destination hierarchies top-level site must have Read and Write permission to the image source files of the source sites Windows AIK location.
1103

When you migrate an operating system installation package, ensure that the configuration of the package on the source site points to the folder that contains the WIM file, and not to the WIM file itself. If the installation package points to the WIM file, the migration of the installation package will fail. When you migrate a boot image package from a Configuration Manager 2007 source site, the package ID of the package is not maintained in the destination site. The result of this is that clients in the destination hierarchy cannot use boot image packages that are available on shared distribution points.

Task sequences. When you migrate a task sequence that contains a reference to a client installation package, that reference is replaced with a reference to the client installation package of the destination hierarchy. Note When you migrate a task sequence, Configuration Manager might migrate objects that are not required in the destination hierarchy. These objects include boot images and Configuration Manager 2007 client installation packages.

Drivers and driver packages.

Planning to Migrate Desired Configuration Management

You can migrate configuration items and configuration baselines. Note Uninterpreted configuration items from Configuration Manager 2007 source hierarchies are not supported in System Center 2012 Configuration Manager. You cannot migrate or import these configuration items. For information about uninterpreted configuration items, see the Uninterpreted Configuration Item section in the About Configuration Items in Desired Configuration Management topic in the Configuration Manager 2007 documentation library. You can import Configuration Manager 2007 Configuration Packs to System Center 2012 Configuration Manager. The import process automatically converts the Configuration Pack to be compatible with System Center 2012 Configuration Manager.

Planning to Migrate AMT-Based Computers that are Provisioned for Out of Band Management
You cannot migrate the AMT provisioning information between hierarchies and must take additional steps before you can manage an AMT-based computer out of band in the destination hierarchy. These steps include the removal from clients of the AMT provisioning information from the source site, and then provisioning new information from a site in the destination hierarchy. To do this, make sure that you have installed and configured a site in the destination hierarchy for AMT provisioning, and then use one of the following strategies:
1104

In the source site, remove the AMT provisioning information and select the option Disable automatic provisioning. Migrate the client. Then in the destination site, provision the AMTbased computer. In the destination site, configure the AMT Provisioning Removal Account in the Out of Band Management Component Properties: Provisioning tab. Specify a Windows account that has been specified as an AMT User Account in the source site. For migration from a supported Configuration Manager 2007 site, ensure this AMT User Account has the Platform Administration (Configuration Manager 2007 SP2) or PT Administration (Configuration Manager 2007 SP1) permission. Migrate the client and assign it to the destination site. Then remove the provisioning information from the AMT-based computer by using the AMT Provisioning Removal Account, and provision it again. Warning If the account that you specify for the AMT Provisioning Removal Account is not an AMT User Account for the computer, or the AMT User Account does not have the required permission, or if the audit log contains data, you will not be able to remove the provisioning information from the destination site. If you are not sure whether the AMT-based computer is configured with this AMT User Account, for Configuration Manager 2007 source sites either check and update the management controller in the Configuration Manager 2007 site, or remove the provisioning information when the client is still assigned to the Configuration Manager 2007 site. If AMT auditing is enabled, either clear the audit log or disable auditing when the client is still assigned to the Configuration Manager 2007 site. For more information about how to manage the audit log in Configuration Manager 2007, see How to Manage the Audit Log for AMT-based Computers in the Configuration Manager 2007 documentation library.

Migrate the client. Manually remove the provisioning information in the BIOS extensions of the AMT-computer. Then in the destination site, provision the AMT-based computer.

For more information about how to remove the AMT provisioning information, configure AMT User Accounts, and update the management controllers from a Configuration Manager 2007 site, see the following topics in the Configuration Manager 2007 documentation library: How to Remove Provisioning Information for AMT-Based Computers How to Configure AMT Settings and AMT User Accounts How to Update AMT Settings in Provisioned Computers Using Out of Band Management

For more information about to configure AMT provisioning and the AMT Provisioning Removal Account in a System Center 2012 Configuration Manager site, and how to remove AMT provisioning information in a System Center 2012 Configuration Manager site, see the following: How to Provision and Configure AMT-Based Computers in Configuration Manager The How to Remove AMT Information section in the How to Manage AMT Provisioning Information in Configuration Manager topic.

1105

Planning to Migrate Boundaries

You can migrate boundaries from a supported Configuration Manager 2007 source site, or a supported System Center 2012 Configuration Manager source hierarchy. When you migrate boundaries from Configuration Manager 2007, each boundary from the source site migrates at the same time and is added to a new boundary group that is created in the destination hierarchy. When you migrate boundaries from a System Center 2012 Configuration Manager hierarchy, each boundary you select is added to a new boundary group in the destination hierarchy. Each automatically created boundary group is enabled for content location but not for site assignment. This prevents overlapping boundaries for site assignment between the source and destination hierarchies. When you migrate from a Configuration Manager 2007 source site, this helps prevent new Configuration Manager 2007 clients that install from incorrectly assigning to the System Center 2012 Configuration Manager destination hierarchy. By default, System Center 2012 Configuration Manager clients do not automatically assign to Configuration Manager 2007 sites. During migration, if you share a distribution point with the destination hierarchy, any boundaries that are associated with that distribution automatically migrate to the destination hierarchy. In the destination hierarchy, migration creates a new read-only boundary group for each shared distribution point. If you change the boundaries for the distribution point in the source hierarchy, the boundary group in the destination hierarchy updates with these changes during the next data gathering cycle.

Planning to Migrate Reports

System Center 2012 Configuration Manager does not support the migration of reports. Instead, use SQL Server Reporting Services Report Builder to export reports from the source hierarchy, and then import them to the destination hierarchy. Note Because there are schema changes for reports between Configuration Manager 2007 and System Center 2012 Configuration Manager, test each report that you import from a Configuration Manager 2007 hierarchy to ensure that it functions as expected. For more information about reporting, see Reporting in Configuration Manager.

Planning to Migrate Organizational and Search Folders

You can migrate organizational folders and search folders from a supported source hierarchy to a destination hierarchy. In addition, from a System Center 2012 Configuration Manager source hierarchy, you can migrate the criteria for a saved search to a destination hierarchy. By default, the migration process maintains your search folder and administrative folder structures for objects and collections when you migrate. However, in the Create New Migration Job Wizard, on the Settings page, you can configure a migration job to not migrate the
1106

organizational structure for objects by clearing the check box for this option. The organizational structures of collections are always maintained. One exception to this is a search folder that contains virtual applications. When an App-V package is migrated, the App-V package is transformed into an application in System Center 2012 Configuration Manager. After migration of the search folder, only the remaining packages are found, and the search folder cannot locate an App-V package because of this conversion to an application when the App-V package migrates. When you migrate a saved search from a System Center 2012 Configuration Manager source hierarchy, you migrate the criteria for the search, and not the information about the search results. Migration of a saved search is not applicable from a Configuration Manager 2007 source site.

Planning to Migrate Asset Intelligence Customizations

You can migrate customizations for Asset Intelligence from a supported source hierarchy to a destination hierarchy. There are no significant changes to the structure of Asset Intelligence customizations between Configuration Manager 2007 and System Center 2012 Configuration Manager. Note System Center 2012 Configuration Manager does not support the migration of Asset Intelligence objects from a Configuration Manager 2007 site that is using Asset Intelligence Service 2.0 (AIS 2.0).

Planning to Migrate Software Metering Rules Customizations

There are no significant changes to software metering between Configuration Manager 2007 and System Center 2012 Configuration Manager. You can migrate your software metering rules from a supported source hierarchy to a destination hierarchy. By default, software metering rules that you migrate to a destination hierarchy are not associated with a specific site in the destination hierarchy and instead apply to all clients in the hierarchy. To apply a software metering rule to clients at a specific site, you must edit the metering rule after it migrates.

See Also
Planning for Migration to System Center 2012 Configuration Manager

1107

Planning to Monitor Migration Activity in System Center 2012 Configuration Manager

To monitor migration to a System Center 2012 Configuration Manager hierarchy, in the Configuration Manager console, in the Administration workspace, you can use the Migration node to monitor the progress and success of migration jobs. You can view summary information for each migration job that identifies objects that have migrated, those objects that have not yet migrated, and the number of objects that are excluded from a migration job. You will also see details about any migration problems.

View Migration Progress

To view the progress of object migration for a migration job, use any of the following actions: Select a migration job, and then select the Objects in Job tab. Use the Configuration Manager log files to review the migration progress or to identify any problems. Migration Manager is the Configuration Manager process that tracks migration actions and records these in the migmctrl.log file in the <InstallationPath>\LOGS folder on the site server. Note If a migration job fails, review the details in the migmctrl.log file as soon as possible. The migration log entries are continually added to the file and overwrite old details. If the entries are overwritten, you might not be able to identify whether any problems that you might encounter with the migrated objects relate to migration issues. Migration activity is logged at the top-level site of the hierarchy regardless of the site your Configuration Manager console connects to when you configure migration. Use Configuration Manager reporting. Configuration Manager provides several migration reports that you can use as is, or you can edit those reports to fit your requirements. For more information about Configuration Manager reports, see Reporting in Configuration Manager.

See Also
Planning for Migration to System Center 2012 Configuration Manager

Planning to Complete Migration in System Center 2012 Configuration Manager

When a supported source hierarchy no longer contains data that you want to migrate to your System Center 2012 Configuration Manager destination hierarchy, you can complete the process of migration. Completing migration includes the following general steps:
1108

Ensure data that you require has migrated. Before you complete migration from a source hierarchy, make sure that you have successfully migrated all of the resources from the source hierarchy that you require in the destination hierarchy. This can include data and clients. Stop gathering data from source sites. To complete migration from a source hierarchy, you must first stop gathering data from source sites. Clean up migration data. After you stop gathering data from all source sites in a source hierarchy, you can remove data about the migration process and source hierarchy from the database of the destination hierarchy. Decommission the source hierarchy. After you complete migration from a source hierarchy and that hierarchy no longer contains resources that you manage, you can decommission the sites in the source hierarchy and remove the related infrastructure from your environment. For information about how to decommission sites and source hierarchies, consult the documentation for that version of Configuration Manager.

Use the following sections to help you plan to complete migration from a source hierarchy by stopping data gathering, and then cleaning up migration data: Plan to Stop Gathering Data Plan to Clean Up Migration Data

Plan to Stop Gathering Data

Before you complete migration and clean up migration data, you must stop gathering data from each source site in the source hierarchy. To stop gathering data from each source site, you must perform the Stop Gathering Data command on the bottom tier source sites, and then repeat the process at each parent site. The top-level site of the source hierarchy must be the last site on which you stop gathering data. You must stop data gathering at each child site before performing this command on a parent site. Typically, you only stop gathering data when you are ready to complete the migration process. After you stop gathering data from a source site, shared distribution points from that site are no longer available as content locations for clients in the destination hierarchy. Therefore, ensure that any migrated content that the clients require remains available by using one of the following options: Distribute the content to a distribution point in the source hierarchy. Upgrade shared Configuration Manager 2007 distribution points or reassign System Center 2012 Configuration Manager distribution points to be distribution points in the destination hierarchy.

After you stop gathering data from each source site in the source hierarchy, you can clean up migration data. Until you clean up migration data, each migration job that has run or that is scheduled to run remains accessible in the Configuration Manager console. For more information about source sites and data gathering, see Planning a Source Hierarchy Strategy in System Center 2012 Configuration Manager.

1109

Plan to Clean Up Migration Data

The last step to complete migration is to clean up migration data. You can use the Clean Up Migration Data command after you have stopped gathering data for each source site. This optional action removes data about the current source hierarchy from the database of the destination hierarchy. When you clean up migration data, most data about the migration is removed from the database of the destination hierarchy. However, details about migrated objects are retained. With these details, you can use the Migration workspace to reconfigure the source hierarchy that contains the data that was migrated to either resume migration, or to review the objects and site ownership of the objects that migrated.

See Also
Planning for Migration to System Center 2012 Configuration Manager

Configuring Source Hierarchies and Source Sites for Migration to System Center 2012 Configuration Manager
To enable migration of data to your System Center 2012 Configuration Manager environment, you must configure a supported Configuration Manager source hierarchy and one or more source sites in that hierarchy that contain data that you want to migrate. Note Operations for migration are run at the top-level site in the destination hierarchy. If you configure migration when you use a Configuration Manager console that is connected to a primary child site, you must allow time for the configuration to replicate to the central administration site, to start, and to then replicate status back to the primary site to which you are connected. Use the information and procedures in the following sections to specify the source hierarchy and to add additional source sites. After you complete these procedures, you can create migration jobs and start to migrate data from the source hierarchy to the destination hierarchy. Specify a Source Hierarchy for Migration Identify Additional Source Sites of the Source Hierarchy

Specify a Source Hierarchy for Migration

To migrate data to your destination hierarchy, you must specify a supported source hierarchy that contains the data that you want to migrate. By default, the top-level site of that hierarchy becomes a source site of the source hierarchy. If you migrate from a Configuration Manager 2007
1110

hierarchy, you can then configure additional source sites for migration. If you migrate from a System Center 2012 Configuration Manager hierarchy, you do not have to configure additional source sites because the System Center 2012 Configuration Manager shared database available at the top-level site of the source hierarchy contains all the information that you can migrate. Use the following procedures to specify a source hierarchy for migration and to identify additional source sites in a Configuration Manager 2007 hierarchy. Perform this procedure with a Configuration Manager console that is connected to the central administration site or to any primary site of the destination hierarchy. To configure a source hierarchy 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Migration, and then click Source Hierarchy. 3. On the Home tab, in the Migration group, click Specify Source Hierarchy. 4. In the Specify Migration Source dialog box, select New source hierarchy. 5. Enter the name or IP address of the site server at the top site of the supported source hierarchy. 6. To access the top site of the source hierarchy, specify source site access accounts that have the following permissions: Source Site Account: Read permission to the SMS Provider for the specified top-level site in the source hierarchy. Source Site Database Account: Read and Execute permission to the SQL Server database for the specified top-level site in the source hierarchy.

If you use the computer account of the top-level site of the destination hierarchy, ensure that this account is a member of the security group Distributed COM Users in the domain where the top-level site of the source hierarchy resides. 7. To share distribution points between the source and destination hierarchies, select the Enable distribution point sharing for the source site server check box. If you do not enable distribution point sharing at this time, you can do so after data gathering completes by editing the credentials of the source site. 8. Click OK to save the configuration. This opens the Data Gathering Status dialog box, and data gathering starts automatically. 9. When data gathering finishes, click Close to close the Data Gathering Status dialog box and complete the configuration. Tip The Windows PowerShell cmdlet, Set-CMMigrationSource, performs the same function as this procedure. For more information, see Set-CMMigrationSource in the System Center 2012 Configuration Manager SP1 Cmdlet Reference documentation.

1111

Identify Additional Source Sites of the Source Hierarchy

When you configure a supported source hierarchy, the top-level site of that hierarchy is automatically configured as a source site, and data is automatically gathered from that site. The next action that you take depends on the version of Configuration Manager that is run by the source hierarchy: For a Configuration Manager 2007 source hierarchy, after the data gathering finishes for the initial source site, you can configure additional source sites from the source hierarchy, or begin migration from only that initial source site. For a System Center 2012 Configuration Manager source hierarchy, you do not need to configure additional source sites. This is because System Center 2012 Configuration Manager hierarchies use database replication to share information between sites. This results in the data you can migrate being available from the top-level site of the source hierarchy.

For Configuration Manager 2007 source sites, when you configure additional source sites, you must configure source sites from the top of the source hierarchy to the bottom. You must configure a parent site as a source site before you configure any of its child sites as source sites. Use the following procedure to configure additional source sites for Configuration Manager 2007 source hierarchies. To identify additional source sites in the source hierarchy 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Migration, and then click Source Hierarchy. 3. Click the site that you want to configure as a source site. 4. On the Home tab, in the Source Site group, click Configure (Configuration Manager with no service pack) or Configure Credentials (Configuration Manager SP1). 5. In the Source Site Credentials dialog box, for the source site access accounts, specify accounts that have the following permissions: Source Site Account: Read permission to the SMS Provider for the specified top-level site in the source hierarchy. Source Site Database Account: Read and Execute permission to the SQL Server database for the specified top-level site in the source hierarchy.

If you use the computer account of the top-level site of the destination hierarchy, ensure that this account is a member of the security group Distributed COM Users in the domain where the top-level site of the source hierarchy resides. 6. To share distribution points between the source and destination hierarchies, select the Enable distribution point sharing for the source site server check box. If you do not enable distribution point sharing at this time, you can do so after data gathering completes by editing the credentials for the source site. 7. Click OK to save the configuration. This opens the Data Gathering Status dialog box,
1112

and data gathering starts automatically. 8. When data gathering finishes, click Close to complete the configuration.

See Also
Migrating Hierarchies in System Center 2012 Configuration Manager

Operations for Migrating to System Center 2012 Configuration Manager

For migration in System Center 2012 Configuration Manager, after you configure successfully gather data from a source site in a supported source hierarchy, you can start to migrate data and clients. Use the information in the following sections to create, run, and complete the migration process for data. Create and Edit Migration Jobs for System Center 2012 Configuration Manager Run Migration Jobs in System Center 2012 Configuration Manager Upgrade or Reassign a Shared Distribution Point in System Center 2012 Configuration Manager Monitor Migration Activity in the Migration Workspace Complete Migration in System Center 2012 Configuration Manager

Create and Edit Migration Jobs for System Center 2012 Configuration Manager
Use the following procedures to create data migration jobs, edit the exclusion list for collectionbased migration jobs, configure shared distribution points, and edit migration job schedules. Note The following procedure for creating a migrating job that migrates by collections, applies only for source hierarchies that run a supported version of Configuration Manager 2007. The collection-based migration job type is not available when you migrate from a System Center 2012 Configuration Manager source hierarchy. To create a migration job to migrate by collections 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Migration, and then click Migration Jobs. 3. On the Home tab, in the Create group, click Create Migration Job. 4. On the General page of the Create Migration Job Wizard configure the following, and then click OK:
1113

Specify a name for the migration job. In the Job type drop-down list, select Collection migration. Select the collections that you want to migrate. If you want to migrate collections only and not the objects that are associated with those collections, clear the Migrate objects that are associated with the specified collections option. If you clear this option, no associated objects are migrated in this job, and you can skip steps 6 and 7.

5. On the Select Collections page, configure the following, and then click Next:

6. On the Select Objects page, clear any object types, or specific available objects that you do not want to migrate. By default, all associated object types and available objects are selected. Then click Next. 7. On the Content Ownership page, assign the ownership of content from each listed source site to a site in the destination hierarchy, and then click Next. 8. On the Security Scope page, select one or more role-based administration security scopes to assign to the objects to migrate in this migration job, and then click Next. 9. On the Collection Limiting page, configure a collection from the destination hierarchy to limit the scope of each listed collection, and then click Next. Or, if no collections are listed, click Next. 10. On the Site Code Replacement page, assign a System Center 2012 Configuration Manager site code from the destination hierarchy to replace the Configuration Manager 2007 site code for each listed collection, and then click Next. Or, if no collections are listed, click Next. 11. On the Review Information page, click Save To File to save the displayed information for later viewing. When you are ready to continue, click Next. 12. On the Settings page, configure when the migration job will run and any additional settings that you need for this migration job, and then click Next. 13. Confirm the settings and complete the wizard. To create a migration Job to migrate by objects 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Migration, and then click Migration Jobs. 3. On the Home tab, in the Create group, click Create Migration Job. 4. On the General page of the Create Migration Job Wizard, configure the following, and then click Next: Specify a name for the migration job. In the Job type drop-down list, select Object migration.

5. On the Select Objects page, select the object types that you want to migrate. By default, all available objects are selected for each object type that you select. 6. On the Content Ownership page, assign the ownership of content from each listed source site to a site in the destination hierarchy, and then click Next. Or, if no source sites are listed, click Next.
1114

7. On the Security Scope page, select one or more role-based administration security scopes to assign to the objects in this migration job, and then click Next. 8. On the Review Information page, click Save To File to save the displayed information for later viewing. When you are ready to continue, click Next. 9. On the Settings page, configure when the migration job will run and any additional settings that you need for this migration job. Then click Next. 10. Confirm the settings and complete the wizard. To create a migration job to migrate changed objects 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Migration, and then click Migration Jobs. 3. On the Home tab, in the Create group, click Create Migration Job. 4. On the General page of the Create Migration Job Wizard, configure the following and then click Next: Specify a name for the migration job. In the Job type drop down list, select Objects modified after migration.

5. On the Select Objects page, select the object types that you want to migrate. By default, all available objects are selected for each object type that you select. 6. On the Content Ownership page, assign the ownership of content from each listed source site to a site in the destination hierarchy, and then click Next. Or, if no source sites are listed, click Next. 7. On the Security Scope page, select one or more role-based administration security scopes to assign to the objects in this migration job, and then click Next. 8. On the Review Information page, click Save To File to save the displayed information for later viewing. When you are ready to continue, click Next. 9. On the Settings page, configure when the migration job will run and any additional settings that you require for this migration job. Unlike the other migration job types, this migration job must overwrite the previously migrated objects in the System Center 2012 Configuration Manager database. Click Next. 10. Confirm the settings and then complete the wizard. To modify the exclusion list for migration 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, click Migration to gain access to the exclusion list. You can also access the exclusion list from the Source Hierarchy node. 3. On the Home tab, in the Migration group, click Edit Exclusion List. 4. On the Edit Exclusion List dialog box, select the excluded object that you want to remove from the exclusion list, and then click Remove. 5. Click OK to save the changes and complete the edit. To cancel current changes and restore all the objects that you have removed, click Cancel, and then click No. This will cancel the removal of the objects, and close the Edit Exclusion List dialog box.
1115

To share distribution points from the source hierarchy 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Migration, click Source Hierarchy, and then select the source site that you want to configure. 3. On the Home tab, in the Source Site group, click Configure. Note In Configuration Manager with no service pack, this option is named Share Distribution Points. 4. On the Source Site Credentials dialog box, select Enable distribution point sharing for the source site server, and then click OK. 5. When data gathering finishes, click Close. To change the schedule of a migration job 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Migration, and then click Migration Jobs. 3. Click the migration job that you want to modify. On the Home tab, in the Properties group, click Properties. 4. In the properties of the migration job, select the Settings tab, change the run time for the migration job, and then click OK.

Run Migration Jobs in System Center 2012 Configuration Manager

Use the following procedure to run a migration job that has not yet started. To run migration jobs in System Center 2012 Configuration Manager 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Migration, and then click Migration Jobs. 3. Click the migration job that you want to run. On the Home tab, in the Migration Job group, click Start. 4. Click Yes to start the migration job now.

Upgrade or Reassign a Shared Distribution Point in System Center 2012 Configuration Manager
You can upgrade a supported distribution point that is shared from a Configuration Manager 2007 source site, or reassign a supported distribution point that is shared from a System Center 2012 Configuration Manager source site, to be a distribution point in the destination hierarchy.
1116

Important Before you upgrade a Configuration Manager 2007 branch distribution point, you must uninstall the Configuration Manager 2007 client software from the branch distribution point computer. If the Configuration Manager 2007 client software is installed when you upgrade the distribution point, the upgrade fails and deployment content is removed from the computer. Caution When you upgrade or reassign a shared distribution point, the distribution point site system role and site system computer is removed from the source site and added to the site in the destination hierarchy that you select. To upgrade or reassign a shared distribution point in System Center 2012 Configuration Manager 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Migration, and then click Source Hierarchy. 3. Select the site that owns the distribution point you want to upgrade, click the Shared Distribution Points tab, and select the eligible distribution point that you want to upgrade or reassign. 4. On the Home tab, in the Distribution Point group, click Upgrade. 5. Specify settings in the Upgrade Shared Distribution Point Wizard as if you are installing a new distribution point for System Center 2012 Configuration Manager, with the following additions: On the Distribution Point page, specify a site in the destination hierarchy that will manage this distribution point. On the Content Conversion page, review the required space to convert the existing content. Then, on the Drive Settings page of the wizard, ensure that the drive of the distribution point computer that is selected contains the displayed amount of free disk space.

6. Confirm the settings and then complete the wizard.

Monitor Migration Activity in the Migration Workspace

Use the following procedure to use the Configuration Manager console to monitor migration. To monitor migration activity in the Migration workspace 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Migration, and then click Migration Jobs. 3. Click the migration job that you want to monitor. 4. View details and status about the selected migration job on the tabs for Summary and
1117

Objects in Job.

Complete Migration in System Center 2012 Configuration Manager

Use this procedure to complete migration from the source hierarchy. To complete migration in System Center 2012 Configuration Manager 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Migration, and then click Source Hierarchy. 3. For a Configuration Manager 2007 source hierarchy, select a source site that is at the bottom level of the source hierarchy. For a System Center 2012 Configuration Manager source hierarchy, select the available source site. 4. On the Home tab, in the Clean Up group, click Stop Gathering Data. 5. Click Yes to confirm the action. 6. For a Configuration Manager 2007 source hierarchy, before you continue to the next step, repeat steps 3, 4, and 5. Perform these steps at each site in the hierarchy, from the bottom of the hierarchy to the top. For a System Center 2012 Configuration Manager source hierarchy, continue to the next step. 7. On the Home tab, in the Clean Up group, click Clean Up Migration Data. 8. On the Clean Up Migration Data dialog box, from the Source hierarchy drop-down list, select the site code and site server of the top-level site of the source hierarchy, and then click OK. 9. Click Yes to complete the migration process for the source hierarchy.

See Also
Migrating Hierarchies in System Center 2012 Configuration Manager

Security and Privacy for Migration to System Center 2012 Configuration Manager
This topic contains security best practices and privacy information for migration to your System Center 2012 Configuration Manager environment.

Security Best Practices for Migration

Use the following security best practice for migration.

1118

Security best practice

More information

Use the computer account for the Source Site SMS Provider Account and the Source Site SQL Server Account rather than a user account. Use IPsec when you migrate content from a distribution point in a source site to a distribution point in your destination site. Restrict and monitor the administrative users who can create migration jobs.

If you must use a user account for migration, remove the account details when migration is completed.

Although the migrated content is hashed to detect tampering, if the data is modified while it is transferred, the migration will fail. The integrity of the database of the destination hierarchy depends upon the integrity of data that the administrative user chooses to import from the source hierarchy. In addition, this administrative user can read all data from the source hierarchy.

Security Issues for Migration

Migration has the following security issues: Clients that are blocked from a source site might successfully assign to the destination hierarchy before their client record is migrated. Although Configuration Manager retains the blocked status of clients that you migrate, the client can successfully assign to the destination hierarchy if assignment occurs before the migration of the client record is completed. Audit messages are not migrated. When you migrate data from a source site to a destination site, you lose any auditing information from the source hierarchy.

Privacy Information for Migration

Migration discovers information from the site databases that you identify in a source infrastructure and stores this data to the database in the destination hierarchy. The information that System Center 2012 Configuration Manager can discover from a source site or hierarchy depends upon the features that were enabled in the source environment, as well as the management operations that were performed in that source environment. For more information about security and privacy information, see one of the following topics: For more information about the privacy information for Configuration Manager 2007, see Security and Privacy for Configuration Manager 2007 in the Configuration Manager 2007 documentation library.

1119

For more information about the privacy information for System Center 2012 Configuration Manager, see Security and Privacy for System Center 2012 Configuration Manager in the System Center 2012 Configuration Manager documentation library.

You can migrate some or all of the supported data from a source site to a System Center 2012 Configuration Manager destination hierarchy. Migration is not enabled by default and requires several configuration steps. Migration information is not sent to Microsoft. Before you migrate data from a source hierarchy, consider your privacy requirements.

See Also
Migrating Hierarchies in System Center 2012 Configuration Manager

Deploying Clients for System Center 2012 Configuration Manager

The Deploying Clients for Configuration Manager guide provides documentation to help you plan, install, configure, and manage client deployment in Microsoft System Center 2012 Configuration Manager. If you are new to Configuration Manager, read Getting Started with System Center 2012 Configuration Manager before you read this guide.

Deploying Clients Topics

Use the following topics to help you deploy clients in System Center 2012 Configuration Manager. Introduction to Client Deployment in Configuration Manager Planning for Client Deployment in Configuration Manager Configuring Client Deployment in Configuration Manager Operations and Maintenance for Client Deployment in Configuration Manager Security and Privacy for Clients in Configuration Manager Technical Reference for Client Deployment in Configuration Manager

Other Resources for this Product

TechNet Library main page for System Center 2012 Configuration Manager Documentation Library for System Center 2012 Configuration Manager

1120

Introduction to Client Deployment in Configuration Manager

Client deployment refers to the planning, installation, and management of System Center 2012 Configuration Manager client computers and mobile devices in your enterprise. The types of devices that you have, your business requirements, and your preferences, determine the methods that you use to manage computers and mobile devices. This guide contains information about how to plan, configure, manage, and monitor client deployment in Configuration Manager to computers and mobile devices. Use the following sections for more information about how to deploy and monitor client deployment for computers and mobile devices: Deploying the Configuration Manager Client to Windows-Based Computers Deploying the Configuration Manager Client to Windows Embedded Devices Considerations for Managing the Configuration Manager Client in a Virtual Desktop Infrastructure (VDI) Deploying the Configuration Manager Client to Mac Computers Deploying the Configuration Manager Client to Linux and UNIX Servers Monitoring the Status of Client Computers in Configuration Manager Managing Mobile Devices by Using Configuration Manager

Deploying the Configuration Manager Client to Windows-Based Computers

The following table lists the various methods that you can use to install the Configuration Manager client software on computers. For information about how to decide which client installation method to use, see Determine the Client Installation Method to Use for Windows Computers in Configuration Manager. For more information about how to install the client, see How to Install Clients on Windows-Based Computers in Configuration Manager.
Client installation method Description

Client push installation

Automatically installs the client to assigned resources and manually installs the client to resources that are not assigned. Installs the client by using the Configuration Manager software updates feature. Installs the client by using Windows Group Policy. Installs the client by using a logon script.
1121

Software update point installation

Group Policy installation

Logon script installation

Client installation method

Description

Manual installation Upgrade installation by using application management

Manually installs the client software. Upgrades clients to a newer version by using Configuration Manager application management. You can also use Configuration Manager 2007 software distribution to upgrade clients to System Center 2012 Configuration Manager. Configuration Manager with no service pack Automatically upgrades Configuration Manager 2007 and System Center 2012 Configuration Manager clients to the latest System Center 2012 Configuration Manager version when they are earlier than version that you specify. For Configuration Manager SP1 only: Automatically upgrades Configuration Manager 2007 and System Center 2012 Configuration Manager clients to the latest System Center 2012 Configuration Manager version when they are earlier than the version of their System Center 2012 Configuration Manager assigned site. For more information, see the How to Automatically Upgrade the Configuration Manager Client section in the topic How to Install Clients on Windows-Based Computers in Configuration Manager.

Automatic client upgrade

Client imaging

Prestages the client installation in an operating system image.

For information about how to install the Configuration Manager client on devices that run Windows Embedded operating systems, see the section Tasks for Managing Configuration Manager Clients on Windows Embedded Devices in the Configuration Manager 2007 Documentation Library. After the client is installed successfully, it attempts to assign to a site and find a management point from which to download policy. For more information about site assignment, see How to Assign Clients to a Site in Configuration Manager. Although the Configuration Manager console and reports provide some information about client installation and site assignment, you can use the fallback status point site system role to more
1122

closely track and monitor client installation and site assignment. For more information about the fallback status point, see Determine the Site System Roles for Client Deployment in Configuration Manager.

Whats New in Configuration Manager for Windows-Based Computers

Note The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide. The following items are new or have changed for client deployment since Configuration Manager 2007: Clients are no longer configured for mixed mode or native mode, but instead use HTTPS together with public key infrastructure (PKI) certificates or HTTP together with self-signed certificates. Clients use HTTPS or HTTP according to the configuration of the site system roles that the clients connect to and whether they have a valid PKI certificate that performs client authentication. On the Configuration Manager client, in Properties, on the General tab, review the Client certificate value to determine the current client communication method. This value displays PKI certificate when the client communicates with a management point over HTTPS, and Self-signed when the client communicates with a management point over HTTP. Just as the client property value for the Connection type updates, depending on the current network status of the client, so the Client certificate client property value updates, depending on with which management point the client communicates. Because System Center 2012 Configuration Manager does not use mixed mode and native mode, the client installation property /native: [<native mode option>] is no longer used. Instead, use /UsePKICert to use a PKI certificate that has client authentication capability, if it is available, but fall back to an HTTP connection if no certificate is available. If /UsePKICert is not specified, the client does not attempt to communicate by using a PKI certificate, but communicates by using HTTP only. Additionally, use the new command /NoCRLCheck if you do not want a client to check the certificate revocation list (CRL) before it establishes an HTTPS communication. The client.msi property SMSSIGNCERT is still used but requires the exported self-signed certificate of the site server. This certificate is stored in the SMS certificate store and has the Subject name Site Server and the friendly name Site Server Signing Certificate. When you reassign a client from a Microsoft System Center 2012 Configuration Manager hierarchy to another System Center 2012 Configuration Manager hierarchy, the client can automatically replace the trusted root key, if the new site is published to Active Directory Domain Services and the client can access that information from a global catalog server. For this scenario in Configuration Manager 2007, you had to remove the trusted root key, manually replace the trusted root key, or uninstall and reinstall the client. The server locator point is no longer used for site assignment or to locate management points. This functionality is replaced by the management point. The CCMSetup Client.msi
1123

property SMSSLP remains supported, but only to specify the computer name of management points. You no longer install International Client Packs when you want to support different languages on the client. Instead, select the client languages that you want during Setup. Then, during the client installation, Configuration Manager automatically installs support for those languages on the client, enabling the display of information in a language that matches the users language preferences. If a matching language is not available, the client displays information in the default of English. For more information, see the Planning for Client Language Packs section in the Planning for Sites and Hierarchies in Configuration Manager topic. Decommissioned clients are no longer displayed in the Configuration Manager console, and they are automatically removed from the database by the Delete Aged Discovery Data task. The Client.msi property for CCMSetup, SMSDIRECTORYLOOKUP=WINSPROMISCUOUS, is no longer supported. This setting allowed the client to use Windows Internet Name Service (WINS) to find a management point without verifying the management point's self-signed certificate. To support the new 64-bit client, the location of the CCM folder for client-related files (such as the client cache and log files) has changed from %windir%\system32 to %windir%. If you reference the CCM folder for your own script files, update these references for the new folder location for System Center 2012 Configuration Manager clients. System Center 2012 Configuration Manager does not support the CCM folder on paths that support redirection (such as Program Files and %windir%\system32) on 64-bit operating systems. Automatic, site-wide client push now installs the Configuration Manager on existing computer resources if the client is not installed, and not just newly discovered computer resources. Client push installation starts and tracks the installation of the client by using the Configuration Manager database and no longer creates individual .CCR files. When you enable client push installation for a site, all discovered resources that are assigned to the site and that do not have a client installed are immediately added to the database, and client installation begins. Configuration Manager can automatically upgrade Configuration Manager 2007 and System Center 2012 Configuration Manager clients to the latest System Center 2012 Configuration Manager version when they are below a version that you specify. For more information see the How to Automatically Upgrade the Configuration Manager Client section in the topic How to Install Clients on Windows-Based Computers in Configuration Manager.

Whats New in Configuration Manager SP1 for Windows-Based Computers

Note The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide. The following items are new or have changed for client deployment in Configuration Manager SP1:
1124

Configuration Manager can automatically upgrade Configuration Manager 2007 and System Center 2012 Configuration Manager clients to the version of their assigned System Center 2012 Configuration Manager site. For more information see the How to Automatically Upgrade the Configuration Manager Client for the Hierarchy section in the topic How to Install Clients on Windows-Based Computers in Configuration Manager. You can now specify the following CCMSetup.exe properties as installation options when you use client push: /forcereboot /skipprereq /logon /BITSPriority /downloadtimeout /forceinstall

Configuration Manager SP1 clients now use Microsoft Silverlight 5 for the Application Catalog. Configuration Manager automatically installs this version of Silverlight on clients if it is not already installed, and by default, configures the Computer Agent client setting Allow Silverlight applications to run in elevated trust mode to Yes. For more information, see the Certificates for Silverlight 5 and Elevated Trust Mode Required for the Application Catalog section in the Security and Privacy for Application Management in Configuration Manager topic. There is a new value that is now the default for the Computer Agent client setting PowerShell execution policy: All Signed. This new value restricts the Configuration Manager client to running Windows PowerShell scripts only if they are signed by a trusted publisher, regardless of the current Windows PowerShell configuration on the client computer. For more information, see the Computer Agent section in the About Client Settings in Configuration Manager topic. The new Computer Agent client setting, Disable deadline randomization, by default, disables the installation randomization delay for required software updates and required application deployments. For more information, see the Computer Agent section in the About Client Settings in Configuration Manager topic. Client notification in Configuration Manager enables some client operations to be performed as soon as possible, instead of during the usual client policy polling interval. For example, you can use the client management task Download Computer Policy to instruct computers to download policy as soon as possible. Additionally, you can initiate some actions for Endpoint Protection, such as a malware scan of a client. By default, client notification communication uses TCP port 10123, which is configurable as a site property for a primary site. You might have to configure Windows Firewall on the management point, clients, and any intervening firewalls for this new port communication. However, client notification can fall back to using the established client-to-management point communication of HTTP or HTTPS. Actions taken by client notification are displayed in the new Client Operations node in the Monitoring workspace. For more information, see How to Configure Client Communication Port Numbers in Configuration Manager and How to Manage Clients in Configuration Manager.
1125

You can install the Configuration Manager client on computers that run Mac OS X. You can then manage this client by using compliance settings, deploying software, and by collecting hardware inventory. For more information, see How to Install Clients on Mac Computers in Configuration Manager. You can install the Configuration Manager client on servers that run a supported version of Linux or UNIX. You can then manage this client by using deploying software, and by collecting hardware inventory. For more information, see How to Install Clients on Linux and UNIX Computers in Configuration Manager.

Deploying the Configuration Manager Client to Windows Embedded Devices

If your Windows Embedded device does not include the Configuration Manager client, you can use any of the client installation methods if the device meets the required dependencies. If the embedded device supports write filters, you must disable these filters before you install the client, and then re-enable the filters again after the client is installed and assigned to a site. Write filters control how the operating system on the embedded device is updated when you make changes, such as when you install software. When write filters are enabled, instead of making the changes directly to the operating system, these changes are redirected to a temporary overlay. If the changes are only written to the overlay, they are lost when the embedded device shuts downs. However, if the write filters are temporarily disabled, the changes can be made permanent so that you do not have to make the changes again (or reinstall software) every time that the embedded device restarts. However, temporarily disabling and then re-enabling the write filters requires one or more restarts, so that you typically want to control when this happens by configuring maintenance windows so that restarts occur outside business hours. When you install software on Windows Embedded devices with Configuration Manager with no service pack, you must always take additional steps to disable the write filters, install the software, and then re-enable the write filters. However, if the embedded client runs Configuration Manager SP1, you can configure options to automatically disable and re-enable the write filters when you deploy software such as applications, task sequences, software updates, and the Endpoint Protection client. The exception is for configuration baselines with configuration items that use automatic remediation. In this scenario, the remediation always occurs in the overlay so that it is available only until the device is restarted. The remediation is applied again at the next evaluation cycle, but only to the overlay, which is cleared at restart. To force Configuration Manager SP1 to commit the remediation changes, you can deploy the configuration baseline and then another software deployment that supports committing the change as soon as possible. If the write filters are disabled, you can install software on Windows Embedded devices by using Software Center. However, if the write filters are enabled, the installation fails and Configuration Manager displays an error message that you have insufficient permissions to install the application. Warning
1126

Even if you do not select the Configuration Manager SP1 options to commit the changes, the changes might be committed if another software installation or change is made that commits changes. In this scenario, the original changes will be committed in addition to the new changes. When Configuration Manager SP1 disables the write filters to make changes permanent, only users who have local administrative rights can log on and use the embedded device. During this period, low-rights users are locked out and see a message that the computer is unavailable because it is being serviced. This helps protect the device while it is in a state where changes can be permanently applied, and this servicing mode lockout behavior is another reason to configure a maintenance window for a time when users will not log on to these devices. Configuration Manager supports the following types of write filters: File-Based Write Filter (FBWF). For more information, see File-Based Write Filter on MSDN. Enhanced Write Filter (EWF) RAM. For more information, see Enhanced Write Filter on MSDN.

Configuration Manager does not support write filter operations when the Windows Embedded device is in EWF RAM Reg mode. Important If you have the choice, use File-Based Write Filters with Configuration Manager SP1 for increased efficiency and higher scalability. When you have this configuration, configure the following exceptions to persist client state and inventory data between device restarts: CCMINSTALLDIR\*.sdf CCMINSTALLDIR\ServiceData HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM\StateSystem

For an example scenario to deploy and manage write-filter-enabled Windows Embedded devices in Configuration Manager SP1, see Example Scenario for Deploying and Managing Configuration Manager Clients on Windows Embedded Devices. For more information about how to build images for Windows Embedded devices and configure write filters, see your Windows Embedded documentation, or contact your OEM. Note When you select the applicable platforms for software deployments and configuration items, these display the Windows Embedded families rather than specific versions. Use the following list to map the specific version of Windows Embedded to the options in the list box: Embedded Operating Systems based on Windows XP (32-bit) includes the following: Windows XP Embedded Windows Embedded for Point of Service Windows Embedded Standard 2009 Windows Embedded POSReady 2009
1127

Embedded operating systems based on Windows 7 (32-bit) includes the following: Windows Embedded Standard 7 (32-bit) Windows Embedded POSReady 7 (32-bit) Windows ThinPC Windows Embedded Standard 7 (64-bit) Windows Embedded POSReady 7 (64-bit)

Embedded operating systems based on Windows 7 (64-bit) includes the following:

Considerations for Managing the Configuration Manager Client in a Virtual Desktop Infrastructure (VDI)
System Center 2012 Configuration Manager supports installing the Configuration Manager client on the following virtual desktop infrastructure (VDI) scenarios: Personal virtual machines Personal virtual machines are generally used when you want to make sure that user data and settings are maintained on the virtual machine between sessions. Remote Desktop Services sessions Remote Desktop Services enables a server to host multiple, concurrent client sessions. Users can connect to a session and then run applications on that server. Pooled virtual machines Pooled virtual machines are not persisted between sessions. When a session is closed, all data and settings are discarded. Pooled virtual machines are useful when Remote Desktop Services cannot be used because a required business application cannot run on the Windows Server that hosts the client sessions.

The following table lists considerations for managing the Configuration Manager client in a virtual desktop infrastructure.
Virtual machine type More information

Personal virtual machines

Configuration Manager treats personal virtual machines identically to a physical computer. The Configuration Manager client can be preinstalled on the virtual machine image or deployed after the virtual machine is provisioned. The Configuration Manager client is not installed for individual Remote Desktop sessions. Instead, the client is only installed one time on the Remote Desktop Services server. All Configuration Manager features can be used on the Remote Desktop Services server.
1128

Remote Desktop Services

Virtual machine type

More information

Pooled virtual machines

When a pooled virtual machine is decommissioned, any changes that you make by using Configuration Manager are lost. Data returned from Configuration Manager features such as hardware inventory, software inventory and software metering might not be relevant to your needs as the virtual machine might only be operational for a short length of time. Consider excluding pooled virtual machines from inventory tasks.

Because virtualization supports running multiple Configuration Manager clients on the same physical computer, many client operations have a built-in randomized delay for scheduled actions such as hardware and software inventory, antimalware scans, software installations, and software update scans. This delay helps distribute the CPU processing and data transfer for a computer that has multiple virtual machines that run the Configuration Manager client. Note With the exception of Windows Embedded clients that are in servicing mode, Configuration Manager clients that are not running in virtualized environments also use this randomized delay. When you have many deployed clients, this behavior helps avoid peaks in network bandwidth and reduces the CPU processing requirement on the Configuration Manager site systems, such as the management point and site server. The delay interval varies according to the Configuration Manager capability. In Configuration Manager with no service pack, this behavior is not configurable in the Configuration Manager console. For Configuration Manager SP1 only, the randomization delay is disabled by default for required software updates and required application deployments by using the following client setting: Computer Agent: Disable deadline randomization.

Deploying the Configuration Manager Client to Mac Computers

For Configuration Manager SP1 only: You can install the Configuration Manager client on Mac computers that run the Mac OS X operating system and use the following management capabilities:

1129

Capability

More Information

Hardware inventory

You can use Configuration Manager hardware inventory to collect information about the hardware and installed applications on Mac computers. This information can then be viewed in Resource Explorer in the Configuration Manager console and used to create collections, queries and reports. For more information, see How to Use Resource Explorer to View Hardware Inventory in Configuration Manager. You can use Configuration Manager compliance settings to view the compliance of and remediate Mac OS X preference (.plist) settings. For example, you could enforce settings for the home page in the Safari web browser or ensure that the Apple firewall is enabled. You can also use shell scripts to monitor and remediate settings in MAC OS X. Configuration Manager can deploy software to Mac computers. You can deploy the following software formats to Mac computers: Apple Disk Image (.DMG) Meta Package File (.MPKG) Mac OS X Installer Package (.PKG) Mac OS X Application (.APP)

Compliance settings

Application management

When you install the Configuration Manager client on Mac computers, you cannot use the following management capabilities that are supported by the Configuration Manager client on Windows-based computers: Client push installation Operating system deployment Software updates Note You can use Configuration Manager application management to deploy required Mac OS X software updates to Mac computers. In addition, you can use compliance settings to make sure that computers have any required software updates. Remote control Power management
1130

Client status client check and remediation

For more information about how to install and configure the Configuration Manager Mac client, see How to Install Clients on Mac Computers in Configuration Manager.

Deploying the Configuration Manager Client to Linux and UNIX Servers

For Configuration Manager SP1 only: You can install the Configuration Manager client on computers that run Linux or UNIX. This client is designed for servers that operate as a workgroup computer, and the client does not support interaction with logged-on users. After you install the client software and the client establishes communication with the Configuration Manager site, you manage the client by using the Configuration Manager console and reports. You can use the following management capabilities when you install the Configuration Manager client on Linux and UNIX computers:
Functionality More information

Collections, queries, and maintenance windows

See How to Manage Linux and UNIX Clients in Configuration Manager. See Hardware Inventory for Linux and UNIX in Configuration Manager. See Deploying Software to Linux and UNIX Servers in Configuration Manager. See How to Monitor Linux and UNIX Clients in Configuration Manager.

Hardware inventory

Software deployment

Monitoring and reporting

When you install the Configuration Manager client on Linux and UNIX computers, you cannot use the following management capabilities that are supported by the Configuration Manager client on Windows-based computers: Client push installation Operating system deployment Application deployment; instead, deploy software by using packages and programs. Software updates Compliance settings Remote control Power management Client status client check and remediation
1131

Internet-based client management

For more information about how to install and configure the Configuration Manager client for Linux and UNIX, see How to Install Clients on Linux and UNIX Computers in Configuration Manager.

Monitoring the Status of Client Computers in Configuration Manager

Use the Client Status node in the Monitoring workspace of the Configuration Manager console to monitor the health and activity of client computers in your hierarchy. Configuration Manager uses the following two methods to evaluate the overall status of client computers. Client Activity: You can configure thresholds to determine whether a client is active, for example: Whether the client requested policy during the last seven days. Whether Heartbeat Discovery found the client during the last seven days. Whether the client sent hardware inventory during the last seven days.

When all these thresholds are exceeded, the client is determined to be inactive. Client Check: A client evaluation engine is installed with the Configuration Manager client, which periodically evaluates the health of the Configuration Manager client and its dependencies. This engine can check or remediate some problems with the Configuration Manager client. You can configure remediation not to run on specific computers, for example, a business-critical server. In addition, if there are additional items that you want to evaluate, you can use System Center 2012 Configuration Manager compliance settings to provide a comprehensive solution to monitor the overall health, activity, and compliance of computers in your organization. For more information about compliance settings, see Compliance Settings in Configuration Manager. Client status uses the monitoring and reporting capabilities of Configuration Manager to provide information in the Configuration Manager console about the health and activity of the client. You can configure alerts to notify you when clients check results or client activity drops below a specified percentage of clients in a collection or when remediation fails on a specified percentage of clients. For information about how to configure client status, see How to Configure Client Status in Configuration Manager.

Checks and remediations made by client check

The following checks and remediations can be performed by client check.
Client check Remediation action More information

Verify that client check has

Run client check

Checks that client check has run at least one time in the
1132

Client check

Remediation action

More information

recently run Verify that client prerequisites are installed Install the client prerequisites

past three days. Checks that client prerequisites are installed. Reads the file ccmsetup.xml in the client installation folder to discover the prerequisites. Checks that Configuration Manager client entries are present in WMI. No additional information

WMI repository integrity test

Reinstall the Configuration Manager client

Verify that the client service is running WMI Event Sink Test.

Start the client (SMS Agent Host) service Restart the client service

Check whether the Configuration Manager related WMI event sink is lost No additional information

Verify that the Windows Management Instrumentation (WMI) service exists Verify that the client was installed correctly WMI repository read and write test

No remediation

Reinstall the client

No additional information

Reset the WMI repository and reinstall the Configuration Manager client

Remediation of this client check is only performed on computers that run Windows Server 2003, Windows XP (64-bit) or earlier versions. No additional information

Verify that the antimalware service startup type is automatic Verify that the antimalware service is running Verify that the Windows Update service startup type is automatic or manual Verify that the client service (SMS Agent Host) startup type is automatic Verify that the Windows

Reset the service startup type to automatic

Start the antimalware service

No additional information

Reset the service startup type to automatic

No additional information

Reset the service startup type to automatic

No additional information

Start the Windows

No additional information
1133

Client check

Remediation action

More information

Management Instrumentation (WMI) service is running. Verify that the Microsoft SQL CE database is healthy Verify that the Microsoft Policy Platform service startup type is manual. Verify that the Background Intelligent Transfer Service exists Verify that the Background Intelligent Transfer Service startup type is automatic or manual Verify that the Network Inspection Service startup type is manual Verify that the Windows Management Instrumentation (WMI) service startup type is automatic Verify that the Windows Update service startup type on Windows 8 computers is automatic or manual Verify that the client (SMS Agent Host) service exists. Verify that the Configuration Manager Remote Control service startup type is automatic or manual Verify that the Configuration Manager Remote Control service is running Verify that the client WMI provider is healthy

Management Instrumentation service Reinstall the Configuration Manager client Reset the service startup type to manual No additional information

No additional information

No Remediation

No additional information

Reset the service startup type to automatic

No additional information

Reset the service startup type to manual if installed

No additional information

Reset the service startup type to automatic

No additional information

Reset the service startup type to manual

No additional information

No Remediation

No additional information

Reset the service startup type to automatic

No additional information

Start the remote control service No additional information

Restart the Windows Management Instrumentation

Remediation of this client check is only performed on

1134

Client check

Remediation action

More information

service

computers that run Windows Server 2003, Windows XP (64-bit) or earlier. For Configuration Manager SP1 only: This client check is made only if the Power Management: Enable wake-up proxy client setting is set to Yes on supported client operating systems.

Verify that the wake-up proxy service (ConfigMgr Wake-up Proxy) is running

Start the ConfigMgr Wakeup Proxy service

Verify that the wake-up proxy service (ConfigMgr Wake-up Proxy) startup type is automatic

Reset the ConfigMgr Wakeup Proxy service startup type to automatic

For Configuration Manager SP1 only: This client check is made only if the Power Management: Enable wake-up proxy client setting is set to Yes on supported client operating systems.

Whats New in Configuration Manager for Client Status

Note The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide. The following items are new or have changed for client status since Configuration Manager 2007: Client check and client activity information is integrated into the Configuration Manager console. Typical client problems that are detected are automatically remediated. The Ping tool used by Configuration Manager 2007 R2 client status reporting is not used by System Center 2012 Configuration Manager.

Managing Mobile Devices by Using Configuration Manager

You can use the following solutions to manage mobile devices in Configuration Manager:

1135

In Configuration Manager SP1, you can use the Windows Intune connector to enroll mobile devices that run Windows Phone 8, Windows RT, and iOS. This solution uses the built-in management client and does not install the Configuration Manager client, but does automatically install PKI certificates on the mobile devices. This solution does not require you to have your own PKI, but does require a Windows Intune subscription. Configuration Manager can enroll mobile devices and deploy the Configuration Manager client on supported mobile operating systems when the mobile device and site system roles use PKI certificates. This solution automatically installs PKI certificates onto the mobile devices but requires you to run Active Directory Certificate Services and an enterprise certification authority. When the mobile devices run Windows CE or Windows Mobile 6.0, you must install the mobile device legacy client by using a package and program. This solution also requires PKI certificates that must be installed independently from Configuration Manager. If you cannot use the other mobile device management solutions, you can use the Configuration Manager Exchange Server connector to find and manage mobile devices that connect to Microsoft Exchange Server or Exchange Online. Because a management client is not installed, management is more limited for this solution than the others. For example, with the exception of Android devices that use the Windows Intune connector in Configuration Manager SP1, you cannot deploy applications to these mobile devices. However, you can retrieve some inventory information, define settings and access rules, and issue wipe commands for these mobile devices in Configuration Manager.

For more information about these mobile device management solutions, see Determine How to Manage Mobile Devices in Configuration Manager. For more information about how to install the mobile device legacy client for Windows CE mobile devices, see Mobile Device Management in Configuration Manager in the Configuration Manager 2007 documentation library.

Whats New in Configuration Manager for Mobile Devices

Note The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide. The following items are new for mobile devices since Configuration Manager 2007: Enrollment for mobile devices in Configuration Manager is now natively supported by using the two new enrollment site system roles (the enrollment point and the enrollment proxy point) and a Microsoft enterprise certification authority. For more information about how to configure and enroll mobile devices in Configuration Manager, see How to Install Clients on Mobile Devices and Enroll Them by Using Configuration Manager. New in Configuration Manager, the Exchange Server connector lets you find and manage devices that connect to Exchange Server, on-premise or hosted, by using the Exchange ActiveSync protocol. Use this mobile device management process when you cannot install the Configuration Manager client on the mobile device. For more information, see How to Manage Mobile Devices by Using the Exchange Server Connector in Configuration Manager.
1136

If you have mobile devices that you managed with Configuration Manager 2007, and you cannot enroll them by using System Center 2012 Configuration Manager, you can continue to use them with System Center 2012 Configuration Manager. The installation for this mobile device client is still the same. However, whereas Configuration Manager 2007 did not require PKI certificates, System Center 2012 Configuration Manager requires PKI certificates on the mobile device and the management points and distribution points. File collection is no longer supported for these mobile device clients in Configuration Managerand, unlike the mobile devices that you can enroll with Configuration Manager or manage by using the Exchange Server connector, you cannot manage settings for these mobile devices. In addition, the mobile device management inventory extension tool (DmInvExtension.exe) is no longer supported. This functionality is replaced with the Exchange Server connector.

Whats New in Configuration Manager SP1 for Mobile Devices

Note The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide. The following items are new for mobile devices in Configuration Manager SP1: The client settings group to configure mobile device enrollment settings is no longer named Mobile Devices and is now named Enrollment. This change and associated changes, such as the change from the client setting of Mobile device enrollment profile to Enrollment profile, reflects that the enrollment functionality is now extended to Mac computers. Important The client certificates for mobile devices and Mac computers have different requirements. Therefore, if you configure client settings enrollment for mobile devices and Mac computers, do not configure the certificate templates to use the same user accounts. Mobile devices that are enrolled by Configuration Manager SP1 now use the client policy polling interval setting in the Client Policy client setting group and no longer use the polling interval in the renamed Enrollment client setting group. This change lets you configure different client policy intervals for mobile devices that are enrolled by Configuration Manager, by using custom device client settings. You cannot create custom device client settings for Enrollment. You can enroll mobile devices that run Windows Phone 8, Windows RT, and iOS when you use the Windows Intune connector. For more information, see How to Manage Mobile Devices by Using the Windows Intune Connector in Configuration Manager. Users who have mobile devices that are enrolled by Windows Intune and Android devices that are managed by the Exchange Server connector can install apps from the company portal. The company portal is the Application Catalog equivalent for these mobile devices. The new Retire option for mobile devices in the Configuration Manager console is supported only for mobile devices that are enrolled by Windows Intune.

1137

See Also
Deploying Clients for System Center 2012 Configuration Manager

Planning for Client Deployment in Configuration Manager

Client deployment in System Center 2012 Configuration Manager provides various methods to deploy and configure the Configuration Manager client. Before you deploy the client, review the information in this section to help you plan for a successful deployment.

Planning Topics
Prerequisites for Windows Client Deployment in Configuration Manager Best Practices for Client Deployment in Configuration Manager Determine How to Manage Mobile Devices in Configuration Manager Planning for Client Deployment for Linux and UNIX Servers Determine the Site System Roles for Client Deployment in Configuration Manager Determine the Client Installation Method to Use for Windows Computers in Configuration Manager Determine Whether to Block Clients in Configuration Manager

Other Resources for this Product

TechNet Library main page for System Center 2012 Configuration Manager Deploying Clients for System Center 2012 Configuration Manager

Prerequisites for Windows Client Deployment in Configuration Manager

Deploying System Center 2012 Configuration Manager clients in your environment has the following external dependencies and dependencies within the product. Additionally, each client deployment method has its own dependencies that must be met for client installations to be successful. Use the following sections to determine the prerequisites to install the Configuration Manager client on computers and mobile devices: Prerequisites for Computer Clients Prerequisites for Mobile Device Clients
1138

Make sure that you also review Supported Configurations for Configuration Manager to confirm that devices meet the minimum hardware and operating system requirements for the System Center 2012 Configuration Manager client. For information about the prerequisites for the Configuration Manager client for Linux and UNIX, see the Prerequisites for Client Deployment section in the Planning for Client Deployment for Linux and UNIX Servers topic.

Prerequisites for Computer Clients

Use the following information to determine the prerequisites for when you install the Configuration Manager client on computers.

Dependencies External to Configuration Manager

Dependencies external to Configuration Manager More information

For Configuration Manager client computers with no service pack that will connect to the Application Catalog: Configure Internet Explorer to exclude the ActiveX control Microsoft.ConfigurationManager.SoftwareC atalog.Website.ClientBridgeControl.dll from ActiveX filtering and allow it to run in the browser.

If you run Configuration Manager with no service pack, the Application Catalog website uses an ActiveX control for Internet Explorer, which coordinates application installation and approval requests with the Configuration Manager client. The ActiveX control file is named Microsoft.ConfigurationManager.SoftwareC atalog.Website.ClientBridgeControl.dll and is automatically installed on the client when the Configuration Manager client is installed. You must configure Internet Explorer to exclude this ActiveX control from ActiveX filtering and allow it to run in the browser. You can manually configure Internet Explorer or use Group Policy settings. For more information, see your Windows documentation. Note This configuration is not required for Configuration Manager SP1, because Configuration Manager SP1 does not use an ActiveX control.

Windows Installer version 3.1.4000.2435

Required to support the use of Windows Installer update (.msp) files for packages and software updates.
1139

Dependencies external to Configuration Manager

More information

Install the hotfix described in KB2552033 on site servers that run Windows Server 2008 R2.

The hotfix described in KB2552033 must be installed on site servers that run Windows Server 2008 R2 when client push installation is enabled. Microsoft Background Intelligent Transfer Service (BITS) is required to allow throttled data transfers between the client computer and System Center 2012 Configuration Manager site systems. BITS is not automatically downloaded during client installation. Note When BITS is installed on computers, a restart is typically required to complete the installation. Important Most operating systems include BITS, but if they do not (for example, Windows Server 2003 R2 SP2), you must install BITS before you install the System Center 2012 Configuration Manager client.

Microsoft Background Intelligent Transfer Service (BITS) version 2.5

Note The software version numbers only list the minimum version numbers.

Dependencies External to Configuration Manager and Automatically Downloaded During Installation

The System Center 2012 Configuration Manager client has some potential external dependencies. These dependencies depend on the operating system and the installed software on the client computer. If these dependencies are required to complete the installation of the client, they are automatically installed with the client software.
Dependencies automatically supplied during installation More information

Windows Update Agent version 7.0.6000.363

Required by Windows to support update detection and deployment.

1140

Dependencies automatically supplied during installation

More information

Microsoft Core XML Services (MSXML) version 6.20.5002 or later Microsoft Remote Differential Compression (RDC) Microsoft Visual C++ 2008 Redistributable version 9.0.30729.4148 Microsoft Visual C++ 2005 Redistributable version 8.0.50727.42 Windows Imaging APIs 6.0.6001.18000

Required to support the processing of XML documents in Windows. Required to optimize data transmission over the network. Required to support client operations.

Required to support Microsoft SQL Server Compact operations. Required to allow Configuration Manager to manage Windows image (.wim) files. Required to allow clients to evaluate compliance settings. For Configuration Manager with no service pack only. Required to support the Application Catalog website user experience.

Microsoft Policy Platform 1.2.3514.0

Microsoft Silverlight 4.0.50524.0

Microsoft Silverlight 5.1.10411.0

For Configuration Manager SP1 only: Required to support the Application Catalog website user experience.

Microsoft .NET Framework 4 Client Profile

Client computers require the .NET Framework to support client operations. If a client computer does not have one of the following installed versions, the Microsoft .NET Framework 4 Client Profile is installed automatically: Microsoft .NET Framework version 3.0. Microsoft .NET Framework version 3.5. Microsoft .NET Framework version 4.0. Note When the .NET Framework 4 is installed on computers, a restart might be required to complete the installation.

Microsoft SQL Server Compact 3.5 SP2 components Microsoft Windows Imaging Components

Required to store information related to client operations. Required by Microsoft .NET Framework 4.0 for
1141

Dependencies automatically supplied during installation

More information

Windows Server 2003 or Windows XP SP2 for 64-bit computers.

Note The software version numbers only list the minimum version numbers.

Configuration Manager Dependencies

For more information about the following site system roles, see Determine the Site System Roles for Client Deployment in Configuration Manager.
Configuration Manager site system More information

Management point

Although a management point is not required to deploy the System Center 2012 Configuration Manager client, you must have a management point to transfer information between client computers and System Center 2012 Configuration Manager servers. Without a management point, you cannot manage client computers. The distribution point is an optional, but recommended site system role for client deployment. All distribution points host the client source files, which lets computers find the nearest distribution point from which to download the client source files during client deployment. If the site does not have a distribution point, computers download the client source files from their management point. The fallback status point is an optional, but recommended site system role for client deployment. The fallback status point tracks client deployment and enables computers in the System Center 2012 Configuration Manager site to send state messages when they cannot communicate with a management point. The reporting services point is an optional, but recommended site system role that can display
1142

Distribution point

Fallback status point

Reporting services point

Configuration Manager site system

More information

reports related to client deployment and management. For more information, see Reporting in Configuration Manager.

Installation Method Dependencies

The following prerequisites are specific to the various methods of client installation.
Client installation method More information

Client push installation

Client push installation accounts are used to connect to computers to install the client and are specified on the Accounts tab of the Client Push Installation Properties dialog box. The account must be a member of the local administrators group on the destination computer. If you do not specify a client push installation account, the site server computer account will be used.

The computer on which you are installing the client must have been discovered by at least one System Center 2012 Configuration Manager discovery method. The computer has an ADMIN$ share. Enable client push installation to assigned resources must be selected in the Client Push Installation Properties dialog box if you want to automatically push the System Center 2012 Configuration Manager client to discovered resources. The client computer must be able to contact a distribution point or a management point to download the supporting files.

You must have the following security permissions to install the Configuration Manager client by using client push: To configure the Client Push Installation
1143

Client installation method

More information

account: Modify and Read permission for the Site object. To use client push to install the client to collections, devices and queries: Modify Resource and Read permission for the Collection object.

The Infrastructure Administrator security role includes the required permissions to manage client push installation. For more information about how to configure the requirements in the Client Push Installation Properties dialog box, see the How to Install Configuration Manager Clients by Using Client Push section in the How to Install Clients on Windows-Based Computers in Configuration Manager topic. For more information about how to configure the discovery of computers, see Configuring Discovery in Configuration Manager. Software update point-based installation If the Active Directory schema has not been extended, or you are installing clients from another forest, installation properties for CCMSetup.exe must be provisioned in the registry of the computer by using Group Policy. For more information, see the How to Provision Client Installation Properties (Group Policy and Software Update-Based Client Installation) section in the How to Install Clients on Windows-Based Computers in Configuration Manager topic. The System Center 2012 Configuration Manager client must be published to the software update point. The client computer must be able to contact a distribution point or a management point in order to download supporting files.

For the security permissions required to manage Configuration Manager software updates, see Prerequisites for Software Updates in Configuration Manager.
1144

Client installation method

More information

Group Policy-based installation

If the Active Directory schema has not been extended, or you are installing clients from another forest, installation properties for CCMSetup.exe must be provisioned in the registry of the computer by using Group Policy. For more information, see the How to Provision Client Installation Properties (Group Policy and Software Update-Based Client Installation) section in the How to Install Clients on Windows-Based Computers in Configuration Manager topic. The client computer must be able to contact a management point in order to download supporting files. The client computer must be able to contact a distribution point or a management point in order to download supporting files unless, at the command prompt, you specified CCMSetup.exe with the command-line property ccmsetup /source. The client computer must be able to contact a distribution point or a management point in order to download supporting files unless, at the command prompt, you specified CCMSetup.exe with the command-line property ccmsetup /source. In order to access resources in the System Center 2012 Configuration Manager site server domain, the Network Access Account must be configured for the site.

Logon script-based installation

Manual installation

Workgroup computer installation

For more information about how to configure the Network Access Account, see the Configure the Network Access Account section in the Configuring Content Management in Configuration Manager topic. Software distribution-based installation (for upgrades only) If the Active Directory schema has not been extended, or you are installing clients from another forest, installation properties for CCMSetup.exe must be provisioned in the
1145

Client installation method

More information

registry of the computer by using Group Policy. For more information, see the How to Provision Client Installation Properties (Group Policy and Software Update-Based Client Installation) section in the How to Install Clients on Windows-Based Computers in Configuration Manager topic. The client computer must be able to contact a distribution point or a management point to download the supporting files.

For the security permissions required to upgrade the Configuration Manager client using application management, see Prerequisites for Application Management in Configuration Manager. Automatic client upgrades You must be a member of the Full Administrator security role to configure automatic client upgrades.

Firewall Requirements
If there is a firewall between the site system servers and the computers onto which you want to install the Configuration Manager client, see Windows Firewall and Port Settings for Client Computers in Configuration Manager.

Prerequisites for Mobile Device Clients

Use the following information to determine the prerequisites for when you install the Configuration Manager client on mobile devices and use Configuration Manager to enroll them.

Dependencies External to Configuration Manager

Dependencies external to Configuration Manager More information

A Microsoft enterprise certification authority (CA) with certificate templates to deploy and manage the certificates required for mobile devices. The issuing CA must automatically approve certificate requests from the mobile device

For more information about the certificate requirements, see PKI Certificate Requirements for Configuration Manager.

1146

Dependencies external to Configuration Manager

More information

users during the enrollment process. A security group that contains the users that can enroll their mobile devices. This security group is used to configure the certificate template that is used during mobile device enrollment. For more information, see the Deploying the Enrollment Certificate for Mobile Devices section in the Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority topic. This DNS alias is required to support automatic discovery for the enrollment service: If you do not configure this DNS record, users must manually specify the site system server name of the enrollment proxy point as part of the enrollment process. See the Prerequisites for Site System Roles section in the Supported Configurations for Configuration Manager topic.

Optional but recommended: a DNS alias (CNAME record) named ConfigMgrEnroll that is configured for the site system server name on which you will install the enrollment proxy point.

Site system role dependencies for the computers that will run the enrollment point and the enrollment proxy point site system roles.

Configuration Manager Dependencies

For more information about the following site system roles, see Determine the Site System Roles for Client Deployment in Configuration Manager.
Configuration Manager site system More information

Management point that is configured for HTTPS client connections and enabled for mobile devices

A management point is always required to install the System Center 2012 Configuration Manager client on mobile devices. In addition to the configuration requirements of HTTPS and enabled for mobile devices, the management point must be configured with an Internet FQDN and accept client connections from the Internet. An enrollment proxy point manages enrollment requests from mobile devices and the enrollment point completes the enrollment process. The enrollment point must be in the
1147

Enrollment point and enrollment proxy point

Configuration Manager site system

More information

same Active Directory forest as the site server, but the enrollment proxy point can be in another forest. Client settings for mobile device enrollment Configure client settings to allow users to enroll mobile devices and configure at least one enrollment profile. The reporting services point is an optional, but recommended site system role that can display reports related to mobile device enrollment and client management. For more information, see Reporting in Configuration Manager. To configure enrollment for mobile devices, you must have the following security permissions: To add, modify, and delete the enrollment site system roles: Modify permission for the Site object. To configure client settings for enrollment: Default client settings require Modify permission for the Site object, and custom client settings require Client agent permissions. For more information about how to configure security permissions, see the Configure RoleBased Administration section in the Configuring Security for Configuration Manager topic.

Reporting services point

The Full Administrator security role includes the required permissions to configure the enrollment site system roles. To manage enrolled mobile devices, you must have the following security permissions: To wipe a mobile device: Delete resource for the Collection object. To cancel a wipe command: Modify resource for the Collection object. To allow and block mobile devices: Modify resource for the Collection object.

The Operations Administrator security role includes the required permissions to manage mobile devices.

1148

Firewall Requirements
Intervening network devices such as routers and firewalls, and Windows Firewall if applicable, must allow the traffic associated with mobile device enrollment: Between mobile devices and the enrollment proxy point: HTTPS (by default, TCP 443) Between the enrollment proxy point and the enrollment point: HTTPS (by default, TCP 443)

If you use a proxy web server, it must be configured for SSL tunneling; SSL bridging is not supported for mobile devices.

See Also
Planning for Client Deployment in Configuration Manager

Best Practices for Client Deployment in Configuration Manager

Use the following best practices information to help you deploy clients on computers in System Center 2012 Configuration Manager.

Use software update-based client installation for Active Directory computers

This client deployment method has the benefit of using existing Windows technologies, integrates with your Active Directory infrastructure, requires the least configuration in Configuration Manager, is the easiest to configure for firewalls, and is the most secure. By using security groups and WMI filtering for the Group Policy configuration, you also have a lot of flexibility to control which computers install the Configuration Manager client. For more information about how to install clients by using software update-based installation, see the How to Install Configuration Manager Clients by Using Software Update-Based Installation section in the How to Install Clients on Windows-Based Computers in Configuration Manager topic.

Extend the Active Directory schema and publish the site so that you can run CCMSetup without command-line options
When you extend the Active Directory schema for Configuration Manager and the site is published to Active Directory Domain Services, many client installation properties are published to Active Directory Domain Services. If a computer can locate these client installation properties, it can use them during Configuration Manager client deployment. Because this information is
1149

automatically generated, the risk of human error associated with manually entering installation properties is eliminated. For more information, see About Client Installation Properties Published to Active Directory Domain Services in Configuration Manager.

When you have many clients to deploy, plan a phased rollout outside business hours
Minimize the effect of the CPU processing requirements on the site server by planning a phased rollout of clients over a period of time. Deploy clients outside business hours so that critical business services have more available bandwidth during the day and users are not disrupted if their computer slows down or requires a restart to complete the installation.

Enable automatic upgrade after your main client deployment has finished
Configuration Manager with no service pack only Automatic client upgrades are useful when you want to upgrade a small number of client computers that might have been missed by your main client installation method. For example, you have completed an initial client upgrade, but some clients were offline during the upgrade deployment. You then use this method to upgrade the client on these computers when they are next active. Note Performance improvements in Configuration Manager SP1 can allow you to use automatic upgrades as a primary client upgrade method. However, performance will depend on your hierarchy infrastructure, such as the number of clients. For more information about client deployment method, the How to Automatically Upgrade the Configuration Manager Client for the Hierarchy section in the How to Install Clients on WindowsBased Computers in Configuration Manager topic.

Use SMSMP and FSP if you install the client with client.msi properties
The SMSMP property specifies the initial management point for the client to communicate with and removes the dependency on service location solutions such as Active Directory Domain Services, DNS, and WINS. Use the FSP property and install a fallback status point so that you can monitor client installation and assignment, and identify any communication problems. For more information about these options, see About Client Installation Properties in Configuration Manager.
1150

If you want to use client languages other than English, install the client language packs before you install the clients
If you install client language packs on a site after you install clients, you must reinstall the clients before they can use the additional languages. For mobile device clients, this means you must wipe the mobile device and enroll it again. For more information about how to add support for additional client languages, see Install Sites and Create a Hierarchy for Configuration Manager.

Plan and prepare any required PKI certificates in advance for Internet-based client management, enrolled mobile devices, and Mac computers
To manage devices on the Internet, enrolled mobile devices, and Mac computers, you must have PKI certificates on site systems (management points and distribution points) and the client devices. For many customers, this requires advanced planning and preparation, especially if you have a separate team who manages your PKI. On production networks, you might require change management approval to use new certificates, restart site system servers, or users might have to logoff and logon for new group membership. In addition, you might have to allow sufficient time for replication of security permissions and for any new certificate templates. For more information about the PKI certificates that are required, see PKI Certificate Requirements for Configuration Manager. For an example deployment of the certificates that is suitable for a test environment, see Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority.

Before you install clients, configure any required client settings and maintenance windows
Although you can configure client settings and maintenance windows before or after clients are installed, configure any required settings before you install clients so that these settings are used as soon as the client is installed. Important Configuring maintenance windows is particularly important for servers and for Windows Embedded devices, to ensure business continuity for these often business-critical computers. For example, maintenance windows will ensure that required software updates and antimalware software do not restart the computer during business hours.

1151

For Mac computers and mobile devices that are enrolled by Configuration Manager, plan your user enrollment experience
If users will enroll their own Mac computers and mobile devices by using Configuration Manager, plan and prepare the user experience. For example, you might script the installation and enrollment process by using a web page so users enter the minimum amount of information necessary, and you send them instructions with a link by email.

When you manage Windows Embedded devices on the Configuration Manager SP1 client, use FileBased Write Filters (FBWF) rather than Enhanced Write Filters (EWF) for higher scalability
Embedded devices that use Enhanced Write Filters (EWF) are likely to experience state message resynchronizations. If you have just a few embedded devices that use Enhanced Write Filters, you might not notice this. However, when you have a lot of embedded devices that resynchronize their information, such as sending full inventory rather than delta inventory, this can generate a noticeable increase in network packets and higher CPU processing on the site server. When you have a choice of which type of write filter to enable, choose File-Based Write Filters and configure exceptions to persist client state and inventory data between device restarts for network and CPU efficiency on the Configuration Manager SP1 client. For more information about write filters, see the Deploying the Configuration Manager Client to Windows Embedded Devices section in the Introduction to Client Deployment in Configuration Manager topic. For more information about the maximum number of Windows Embedded clients that a primary site can support, see the Site and Site System Role Scalability section in the Supported Configurations for Configuration Manager topic.

See Also
Planning for Client Deployment in Configuration Manager

Determine How to Manage Mobile Devices in Configuration Manager

Use the following information to help you decide how to manage mobile devices in System Center 2012 Configuration Manager. You can use Configuration Manager to enroll mobile devices and install the Configuration Manager client, you can use the mobile device legacy client (for example, for Windows CE mobile operating systems), and you can use the Exchange Server
1152

connector. In addition, in Configuration Manager SP1, you can enroll devices that run Windows Phone 8, Windows RT, and iOS by using the Windows Intune connector. The following table lists these four mobile device management methods and provides information about the management functions that each method supports.
Management functionality Enrollment by Windows Intune Enrollment by Configuration Manager Mobile device legacy client Exchange Server connector

Public key infrastructure (PKI) security between the mobile device and Configuration Manager by using mutual authentication and SSL to encrypt data transfers

Yes

Yes More information: Requires Active Directory Certificate Services and an enterprise certification authority (CA). The mobile device certificates are installed automatically by Configuration Manager during the enrollment process.

Yes More information: Any PKI that meets the certificate requirements. The mobile device certificates must be installed independently from Configuration Manager.

No

Client installation

No More information: Instead of a client the user installs or connects to a company portal.

Yes More information: Installed by the user from the browser on the mobile device.

Yes More information: Installed by an administrative user by deploying a package and program. Yes

No

Support over the Internet Discovery

Yes

Yes

Yes

No

No

No

Yes
1153

Management functionality

Enrollment by Windows Intune

Enrollment by Configuration Manager

Mobile device legacy client

Exchange Server connector

Hardware inventory

Yes

Yes More information: You can collect default information and create your own customized hardware inventory.

Yes

Yes More information: Limited by what Exchange Server collects.

Software inventory

No

No

Yes More information: List of installed software only; you cannot inventory all files and you cannot collect files.

No

Settings

Yes More information: Deploy configuration baselines that contain mobile device configuration items on Windows Phone 8, Windows RT, and iOS. You can configure default settings and create your own customized settings.

Yes More information: Deploy configuration baselines that contain mobile device configuration items. You can configure default settings and create your own customized settings.

No

Yes More information: Limited by the settings in the default Exchange ActiveSync mailbox policies.

1154

Management functionality

Enrollment by Windows Intune

Enrollment by Configuration Manager

Mobile device legacy client

Exchange Server connector

Software deployment

Yes More information: You can deploy available apps that users can download from the company portal.

Yes More information: You can deploy required applications (install and uninstall), but not packages or software updates. Available applications, which users request from the Application Catalog, are not supported for mobile devices. Mobile devices also do not support simulated deployments. No

Yes More information: You can deploy packages, but not applications or software updates.

No

Monitor with the fallback status point Connections to management points

No

Yes

No

No

Yes More information: A single management point in the clients assigned (primary) site.

Yes More information: A single management point in primary sites and secondary sites.

No

Connections to distribution

Yes

Yes

Yes

No
1155

Management functionality

Enrollment by Windows Intune

Enrollment by Configuration Manager

Mobile device legacy client

Exchange Server connector

points

More information: manage.microsoft.com is the only distribution point that is used.

More information: Distribution points in the assigned (primary) site.

More information: Distribution points in primary sites and secondary sites. Yes No

Block from Configuration Manager Quarantine and block from Exchange Server (and Configuration Manager) Remote wipe

Yes

Yes

No

No

No

Yes

Yes

Yes More information: By Configuration Manager and by a user from the Configuration Manager Application Catalog.

No

Yes More information: By Configuration Manager and by a user if supported by Exchange.

For more information about the mobile operating systems that System Center 2012 Configuration Manager supports, see Supported Configurations for Configuration Manager. Use Configuration Manager to enroll mobile devices when the mobile operating system is supported by System Center 2012 Configuration Manager mobile device enrollment and when both of the following conditions apply: You have a Microsoft enterprise CA to issue and manage the required certificates. You want the additional management features or settings that are not supported by the Exchange Server connector, such as software installation and full hardware inventory. Important
1156

If the mobile device synchronizes with Exchange Server, set the Exchange flag AllowExternalDeviceManagement to ensure that the mobile device continues to receive email from Exchange after it is enrolled by Configuration Manager. If you install the Configuration Manager Exchange Server connector, you can set this flag by configuring the option External mobile device management in the Exchange Server connector properties. If you do not install the connector, you must set this flag by using the Exchange management tools. For example, use the PowerShell cmdlet Set-ActiveSyncMailPolicy with the parameter AllowExternalDeviceManagement. Use the mobile device legacy client when the mobile operating system is not supported by System Center 2012 Configuration Manager mobile device enrollment and when both of the following conditions apply: You can install the required PKI certificates on the mobile device and the Configuration Manager site systems (management point and distribution point). You want to install software packages on the mobile device and collect hardware inventory.

Manage mobile devices by using the Exchange Server connector when the mobile device can connect to Exchange Server by using ActiveSync and when either of the following conditions applies: You do not require the security that a PKI offers or you do not have a PKI. You do not require all the management functions and settings that enrollment provides.

Dual Management: Enrolled by Configuration Manager and Managed by Using the Exchange Server Connector
You can enroll a mobile device by using Configuration Manager and also manage it by using the Exchange Server connector. In this scenario, although you see only one mobile device in the Configuration Manager console, you have dual management for a mobile device and the following consequences: No settings are applied from the Exchange Server connector; you must configure the mobile device settings by deploying a configuration baseline. If you collect hardware inventory by enabling the client setting for hardware inventory and by using the Exchange Server connector, the hardware inventory information from the mobile device is consolidated by Configuration Manager.

See Also
Planning for Client Deployment in Configuration Manager

1157

Planning for Client Deployment for Linux and UNIX Servers

Note The information in this topic applies only to System Center 2012 Configuration Manager SP1. Use the information in the following sections to help you plan to deploy the Configuration Manager client for Linux and UNIX. Prerequisites for Client Deployment Planning for Communication across Forest Trusts for Linux and UNIX Servers Planning for Security and Certificates for Linux and UNIX Servers About Linux and UNIX Operating Systems That do not Support SHA-256

Planning for Client Deployment to Linux and UNIX Servers

Before you deploy the Configuration Manager client for Linux and UNIX, review the information in this section to help you plan for a successful deployment.

Prerequisites for Client Deployment

Use the following information to determine the prerequisites you must have in place to successfully install the client for Linux and UNIX.

Dependencies External to Configuration Manager:

The following tables describe the required UNIX and Linux operating systems and package dependencies. Red Hat Enterprise Linux ES Release 4
Required package Description Minimum version

glibc Openssl

C Standard Libraries OpenSSL Libraries; Secure Network Communications Protocol Pluggable Authentication Modules

2.3.4-2 0.9.7a-43.1

PAM

0.77-65.1

Red Hat Enterprise Linux Server release 5.1 (Tikanga)

1158

Required package

Description

Minimum version

glibc Openssl

C Standard Libraries OpenSSL Libraries; Secure Network Communications Protocol Pluggable Authentication Modules

2.5-12 0.9.8b-8.3.el5

PAM

0.99.6.2-3.14.el5

Red Hat Enterprise Linux Server release 6

Required package Description Minimum version

glibc Openssl

C Standard Libraries OpenSSL Libraries; Secure Network Communications Protocol Pluggable Authentication Modules

2.12-1.7 1.0.0-4

PAM

1.1.1-4

Solaris 9 SPARC
Required package Description Minimum version

Required operating system patch SUNWlibC

PAM memory leak

112960-48

Sun Workshop Compilers Bundled libC (sparc) Forte Developer Bundled Shared libm (sparc) SMCosslg (sparc) Sun does not provide a version of OpenSSL for Solaris 9 SPARC. There is a version available from Sunfreeware.

5.9,REV=2002.03.18

SUNWlibms

5.9,REV=2001.12.10

OpenSSL

0.9.7g

PAM

Pluggable Authentication Modules SUNWcsl, Core Solaris,

11.9.0,REV=2002.04.06.15.27

1159

Required package

Description

Minimum version

(Shared Libs) (sparc) Solaris 10 SPARC

Required package Description Minimum version

Required operating system PAM memory leak patch SUNWlibC Sun Workshop Compilers Bundled libC (sparc) Math & Microtasking Libraries (Usr) (sparc) Math & Microtasking Libraries (Root) (sparc) Core Solaris Libraries (Root) (sparc) Core Solaris Libraries (Root) (sparc) SUNopenssl-librararies (Usr) Sun provides the OpenSSL libraries for Solaris 10 SPARC. They are bundled with the operating system. PAM Pluggable Authentication Modules SUNWcsr, Core Solaris, (Root) (sparc) Solaris 10 x86
Required package Description

117463-05

5.10, REV=2004.12.22

SUNWlibms

5.10, REV=2004.11.23

SUNWlibmsr

5.10, REV=2004.11.23

SUNWcslr

11.10.0, REV=2005.01.21.15.53

SUNWcsl

11.10.0, REV=2005.01.21.15.53

OpenSSL

11.10.0,REV=2005.01.21.15.53

11.10.0, REV=2005.01.21.15.53

Minimum version

Required operating system patch SUNWlibC

PAM memory leak

117464-04

Sun Workshop Compilers Bundled libC (i386)

5.10,REV=2004.12.20

1160

Required package

Description

Minimum version

SUNWlibmsr

Math & Microtasking Libraries (Root) (i386) Core Solaris, (Shared Libs) (i386) Core Solaris Libraries (Root) (i386) SUNWopenssl-libraries; OpenSSL Libraries (Usr) (i386) Pluggable Authentication Modules SUNWcsr Core Solaris, (Root)(i386)

5.10, REV=2004.12.18

SUNWcsl

11.10.0,REV=2005.01.21.16.34

SUNWcslr

11.10.0, REV=2005.01.21.16.34

OpenSSL

11.10.0, REV=2005.01.21.16.34

PAM

11.10.0,REV=2005.01.21.16.34

SUSE Linux Enterprise Server 9 (i586)

Required package Description Minimum version

Service Pack 4 OS Patch lib gcc-41.rpm OS Patch lib stdc++-41.rpm Openssl

SUSE Linux Enterprise Server 9 Standard shared library Standard shared library OpenSSL Libraries; Secure Network Communications Protocol Pluggable Authentication Modules 41-4.1.2_20070115-0.6 41-4.1.2_20070115-0.6 0.9.7d-15.35

PAM

0.77-221-11

SUSE Linux Enterprise Server 10 SP1 (i586)

Required package Description Minimum version

glibc-2.4-31.30 OpenSSL

C Standard shared library OpenSSL Libraries; Secure Network Communications Protocol Pluggable Authentication

2.4-31.30 0.9.8a-18.15

PAM

0.99.6.3-28.8
1161

Required package

Description

Minimum version

Modules SUSE Linux Enterprise Server 11 (i586)

Required package Description Minimum version

glibc-2.9-13.2 PAM

C Standard shared library Pluggable Authentication Modules

2.9-13.2 pam-1.0.2-20.1

Configuration Manager Dependencies: The following table lists site system roles that support Linux and UNIX clients. For more information about these site system roles, see Determine the Site System Roles for Client Deployment in Configuration Manager.
Configuration Manager site system More information

Management point

Although a management point is not required to install a Configuration Manager client for Linux and UNIX, you must have a management point to transfer information between client computers and Configuration Manager servers. Without a management point, you cannot manage client computers. The distribution point is not required to install a Configuration Manager client for Linux and UNIX. However, the site system role is required if you deploy software to Linux and UNIX servers. Because the Configuration Manager client for Linux and UNIX does not support communications that use SMB, the distribution points you use with the client must support HTTP or HTTPS communication.

Distribution point

Firewall Requirements: Ensure that firewalls do not block communications across the ports you specify as client request ports. The client for Linux and UNIX communicates directly with management points and distribution points. For information about client communication and request ports, see the Configure Request Ports for the Client for Linux and UNIX section in the How to Install Clients on Linux and UNIX Computers in Configuration Manager topic.
1162

Planning for Communication across Forest Trusts for Linux and UNIX Servers
Linux and UNIX servers you manage with Configuration Manager operate as workgroup clients and require similar configurations as Windows-based clients that are in a workgroup. For information about communications from computers that are in workgroups, see the Planning for Communications Across Forests in Configuration Manager section in the Planning for Communications in Configuration Manager topic.

Service Location by the client for Linux and UNIX

The task of locating a site system server that provides service to clients is referred to as service location. Unlike a Windows-based client, the client for Linux and UNIX does not use Active Directory for service location. Additionally, the Configuration Manager client for Linux and UNIX does not support a client property that specifies the domain suffix of a management point. Instead, the client learns about additional site system servers that provide services to clients from a known management point you assign when you install the client software. For more information about service location, see the Planning for Service Location by Clients section in the Planning for Communications in Configuration Manager topic.

Planning for Security and Certificates for Linux and UNIX Servers
For secure and authenticated communications with Configuration Manager sites, the Configuration Manager client for Linux and UNIX uses the same model for communication as the Configuration Manager client for Windows. When you install the Linux and UNIX client, you can assign the client a PKI certificate that enables it to use HTTPS to communicate with Configuration Manager sites. If you do not assign a PKI certificate, the client creates a self-signed certificate and communicates only by HTTP. Clients that are provided a PKI certificate when they install use HTTPS to communicate with management points. When a client is unable to locate a management point that supports HTTPS, it will fall back to use HTTP with the provided PKI certificate. When a Linux or UNIX client uses a PKI certificate you do not have to approve them. When a client uses a self-signed certificate, review the hierarchy settings for client approval in the Configuration Manager console. If the client approval method is not Automatically approve all computers (not recommended), you must manually approve the client. For more information about how to manually approve the client, see the Managing Clients from the Devices Node section in the How to Manage Clients in Configuration Manager topic. For information about how to use certificates in Configuration Manager, see PKI Certificate Requirements for Configuration Manager.

1163

About Certificates for use by Linux and UNIX Servers

The Configuration Manager client for Linux and UNIX uses a self-signed certificate or an X.509 PKI certificate just like Windows-based clients. There are no changes to the PKI requirements for Configuration Manager site systems when you manage Linux and UNIX clients. The certificates you use for Linux and UNIX clients that communicate to Configuration Manager site systems must be in a Public Key Certificate Standard (PKCS#12) format, and the password must be known so you can specify it to the client when you specify the PKI certificate. The Configuration Manager client for Linux and UNIX supports a single PKI certificate, and does not support multiple certificates. Therefore, the certificate selection criteria you configure for a Configuration Manager site does not apply.

Configuring Certificates for Linux and UNIX Servers

To configure a Configuration Manager client for Linux and UNIX servers to use HTTPS communications, you must configure the client to use a PKI certificate at the time you install the client. You cannot provision a certificate prior to installation of the client software. When you install a client that uses a PKI certificate, you use the command-line parameter UsePKICert to specify the location and name of a PKCS#12 file that contains the PKI certificate. Additionally you must use the command line parameter -certpw to specify the password for the certificate. If you do not specify -UsePKICert, the client generates a self-signed certificate and attempts to communicate to site system servers by using HTTP only.

About Linux and UNIX Operating Systems That do not Support SHA-256
The following Linux and UNIX operating systems that are supported as clients for Configuration Manager were released with versions of OpenSSL that do not support SHA-256: Red Hat Enterprise Linux Version 4 (x86/x64) Solaris Version 9 (SPARC) and Solaris Version 10 (SPARC/x86)

To manage these operating systems with Configuration Manager, you must install the Configuration Manager client for Linux and UNIX with a command line switch that directs the client to skip validation of SHA-256. Configuration Manager clients that run on these operating system versions operate in a less secure mode than clients that support SHA-256. This less secure mode of operation has the following behavior: Clients do not validate the site server signature associated with policy they request from a management point. Clients do not validate the hash for packages that they download from a distribution point.

Security The ignoreSHA256validation option allows you to run the client for Linux and UNIX computers in a less secure mode. This is intended for use on older platforms that did not
1164

include support for SHA-256. This is a security override and is not recommended by Microsoft, but is supported for use in a secure and trusted datacenter environment. When the Configuration Manager client for Linux and UNIX installs, the install script checks the operating system version. By default, if the operating system version is identified as having released without a version of OpenSSL that supports SHA-256, the installation of the Configuration Manager client fails. To install the Configuration Manager client on Linux and UNIX operating systems that did not release with a version of OpenSSL that supports SHA-256, you must use the install command line switch ignoreSHA256validation. When you use this command line option on an applicable Linux or UNIX operating system, the Configuration Manager client will skip SHA-256 validation and after installation, the client will not use SHA-256 to sign data it submits to site systems by using HTTP. For information about configuring Linux and UNIX clients to use certificates, see Planning for Security and Certificates for Linux and UNIX Servers in this topic. For information about requiring SHA-256, see the Configure Signing and Encryption section in the Configuring Security for Configuration Manager topic. Note The command line option ignoreSHA256validation is ignored on computers that run a version of Linux and UNIX that released with versions of OpenSSL that support SHA256.

See Also
Planning for Client Deployment in Configuration Manager

Determine the Site System Roles for Client Deployment in Configuration Manager
Use the following sections to help you determine the site systems that you require to deploy System Center 2012 Configuration Manager clients: Determine Whether You Require a Management Point Determine Whether You Require a Fallback Status Point Determine Whether You Require an Enrollment Point and an Enrollment Proxy Point Determine Whether You Require a Distribution Point Determine Whether You Require an Application Catalog Website Point and an Application Catalog Web Services Point

For more information about where to install these site system roles in the hierarchy, see Planning Where to Install Sites System Roles in the Hierarchy.

1165

For more information about how to install and configure the site system roles that you require, see Install and Configure Site System Roles for Configuration Manager.

Determine Whether You Require a Management Point

By default, all Windows client computers use a distribution point to install the Configuration Manager client and can fall back to a management point when a distribution point is not available. However, you can install Windows clients on computers from an alternative source when you use the CCMSetup command-line property /source:<Path>. For example, this might be appropriate if you install clients on the Internet. Another scenario is when you want to avoid sending network packets between the computer and the management point during client installation, perhaps because a firewall blocks the ports required for your installation method or because you have a low-bandwidth connection. However, all clients must communicate with a management point to assign to a site, and to be managed by Configuration Manager. For more information about the CCMSetup command-line property /source:<Path>, see About Client Installation Properties in Configuration Manager. When you install more than one management point in the hierarchy, clients automatically connect to the most appropriate one, based on their forest membership and network location. You cannot install more than one management point in a secondary site. Mac computer clients (Configuration Manager SP1 only) and mobile device clients that you enroll with Configuration Manager always require a management point for client installation. This management point must be in a primary site, must be configured to support mobile devices, and must accept client connections from the Internet. These clients cannot use management points in secondary sites or connect to management points in other primary sites.

Determine Whether You Require a Fallback Status Point

You can use a fallback status point to monitor client deployment for Windows computers and identify the clients on these computers that are unmanaged because they cannot communicate with a management point. Mac computers (Configuration Manager SP1 only), mobile devices that are enrolled by Configuration Manager, and mobile devices that are managed by using the Exchange Server connector do not use a fallback status point. Note A fallback status point is not required to monitor client activity and client health. The fallback status point always communicates with clients by using HTTP, which uses unauthenticated connections and sends data in clear text. This makes the fallback status point vulnerable to attack, particularly when it is used with Internet-based client management. To help reduce the attack surface, always dedicate a server to running the fallback status point and do not install other site system roles on the same server in a production environment.
1166

Install a fallback status point if all the following conditions apply: You want client communication errors from Windows computers to be sent to the site, even if these client computers cannot communicate with a management point. You want to use the System Center 2012 Configuration Manager client deployment reports, which display the data that is sent by the fallback status point. You have a dedicated server for this site system role and have additional security measures to help protect the server from attack. The benefits of using a fallback status point outweigh any security risks associated with unauthenticated connections and clear text transfers over HTTP traffic. The security risks of running a website with unauthenticated connections and clear text transfers outweigh the benefits of identifying client communication problems.

Do not install a fallback status point if the following condition applies:

Determine Whether You Require a Reporting Services Point

Configuration Manager provides many reports to help you monitor the installation, assignment, and management of clients in the Configuration Manager console. Some of the client deployment reports require that clients are assigned to a fallback status point. Although the reports are not required to deploy clients and you can see some deployment information in the Configuration Manager console or use the client log files for detailed information, the client reports provide valuable information to help monitor and troubleshoot client deployment.

Determine Whether You Require an Enrollment Point and an Enrollment Proxy Point
Configuration Manager requires the enrollment point and the enrollment proxy point to enroll mobile devices and to enroll certificates for Mac computers (Configuration Manager SP1 only). These site system roles are not required if you will manage mobile devices by using the Exchange Server connector, or if you install the mobile device legacy client (for example, for Windows CE), or if you request and install the client certificate on Mac computers independently from Configuration Manager.

Determine Whether You Require a Distribution Point

Although you dont require a distribution point to install Configuration Manager clients on Windows computers, by default, Configuration Manager uses a distribution point to install the client source files on Windows computers but can fall back to downloading these files from a management point. Distribution points are not used to install mobile device clients that are
1167

enrolled by Configuration Manager but are used if you install the mobile device legacy client. If you install the Configuration Manager client as part of an operating system deployment, the operating system image is stored and retrieved from a distribution point. Although you might not require distribution points to install most Configuration Manager clients, you will require distribution points to install software such as applications and software updates on the clients.

Determine Whether You Require an Application Catalog Website Point and an Application Catalog Web Services Point
The Application Catalog website point and the Application Catalog web service point are not required for client deployment. However, you might want to install them as part of your client deployment process, so that users can perform the following actions as soon as the Configuration Manager client is installed on Windows computers: Wipe their mobile devices. Search for and install applications from the Application Catalog.

See Also
Planning for Client Deployment in Configuration Manager

Determine the Client Installation Method to Use for Windows Computers in Configuration Manager
You can use different methods to install the System Center 2012 Configuration Manager client software on devices in your enterprise. You can use one or any combination of these methods that suit your requirements. The following table outlines the advantages and disadvantages of each client installation method to help you determine which will work best in your organization. For information about using each installation method, see How to Install Clients on Windows-Based Computers in Configuration Manager.
Client installation method Advantage Disadvantage

Client push installation

Can be used to install the client on a single computer, a collection of computers, or

Can cause high network traffic when pushing to large collections.

1168

Client installation method

Advantage

Disadvantage

to the results from a query. Can be used to automatically install the client on all discovered computers. Automatically uses client installation properties defined on the Client tab in the Client Push Installation Properties dialog box.

Can only be used on computers that have been discovered by System Center 2012 Configuration Manager. Cannot be used to install clients in a workgroup. A client push installation account must be specified that has administrative rights to the intended client computer. Windows Firewall must be configured on client computers with exceptions so that client push installation can be completed. You cannot cancel client push installation. When you use this client installation method for a site, Configuration Manager tries to install the client on all discovered resources and retries any failures for up to 7 days. Requires a functioning software updates infrastructure as a prerequisite. Must use the same server for client installation and software updates, and this server must reside in a primary site. To install new clients, you must configure an Group Policy Object (GDO) in Active Directory Domain Services with the client's active software update point and port. If the Active Directory
1169

Software update pointbased installation

Can use your existing software updates infrastructure to manage the client software. Can automatically install the client software on new computers if Windows Server Update Services (WSUS) and Group Policy settings in Active Directory Domain Services are configured correctly. Does not require computers to be discovered before the client can be installed. Computers can read client installation properties that

Client installation method

Advantage

Disadvantage

have been published to Active Directory Domain Services. Will reinstall the client software if it is removed. Does not require you to configure and maintain an installation account for the intended client computer r. Does not require computers to be discovered before the client can be installed. Can be used for new client installations or for upgrades. Computers can read client installation properties that have been published to Active Directory Domain Services. Does not require you to configure and maintain an installation account for the intended client computer. Does not require computers to be discovered before the client can be installed. Supports using commandline properties for CCMSetup.

schema is not extended for System Center 2012 Configuration Manager, you must use Group Policy settings to provision computers with client installation properties.

Group Policy installation

Can cause high network traffic if a large number of clients are being installed. If the Active Directory schema is not extended for System Center 2012 Configuration Manager, you must use Group Policy settings to add client installation properties to computers in your site.

Logon script installation

Can cause high network traffic if a large number of clients are being installed over a short time period. Can take a long time to install on all client computers if users do not frequently log on to the network. No automation, therefore time consuming.

Manual installation

Does not require computers to be discovered before the client can be installed. Can be useful for testing purposes. Supports using commandline properties for CCMSetup. Can use System Center 2012

Upgrade installation (software distribution)

Can cause high network traffic when distributing the

1170

Client installation method

Advantage

Disadvantage

Configuration Manager to upgrade the client to a newer version by collection, or to a defined timescale. Supports using commandline properties for CCMSetup.

client to large collections. Can only be used to upgrade the client software on computers that have been discovered and assigned to the site.

You cannot upgrade Configuration Manager 2007 clients to System Center 2012 Configuration Manager by using this method. In this scenario, use automatic client upgrade, which automatically creates and deploys a package that contains the latest version of the client. Automatic client upgrade Can be used to automatically keep clients in your site at the latest version. Requires minimal administration by the administrative user. Can only be used to upgrade the client software and cannot be used to install a new client. Not suitable for upgrading many clients simultaneously. Supplements rather than replaces other client installation or upgrade methods. Applies to all clients in the hierarchy that are assigned to a site. Cannot be scoped by collection. Limited scheduling options.

See Also
Planning for Client Deployment in Configuration Manager

1171

Determine Whether to Block Clients in Configuration Manager

If a client computer or client mobile device is no longer trusted, you can block the client in the System Center 2012 Configuration Manager console. Blocked clients are rejected by the Configuration Manager infrastructure so that they cannot communicate with site systems to download policy, upload inventory data, or send state or status messages. In Configuration Manager SP1, Mac clients, Linux and UNIX clients, and mobile devices that are enrolled by Windows Intune support block and unblock. You must block and unblock a client from its assigned site rather than from a secondary site or a central administration site. Important Although blocking in Configuration Manager can help to secure the Configuration Manager site, do not rely on this feature to protect the site from untrusted computers or mobile devices if you allow clients to communicate with site systems by using HTTP, because a blocked client could rejoin the site with a new self-signed certificate and hardware ID. Instead, use the blocking feature to block lost or compromised boot media that you use to deploy operating systems, and when site systems accept HTTPS client connections. Clients that access the site by using the ISV Proxy certificate cannot be blocked. For more information about the ISV Proxy certificate, see the Microsoft System Center 2012 Configuration Manager Software Development Kit (SDK). If your site systems accept HTTPS client connections and your public key infrastructure (PKI) supports a certificate revocation list (CRL), always consider certificate revocation to be the primary line of defense against potentially compromised certificates. Blocking clients in Configuration Manager offers a second line of defense to protect your hierarchy. Use the following sections to help differentiate between blocking clients and using a certificate revocation list, and the implications of blocking AMT-based computers: Comparing Blocking Clients and Revoking Client Certificates Blocking AMT-Based Computers

Comparing Blocking Clients and Revoking Client Certificates

Use the following table to help differentiate between blocking a client and using certificate revocation in a PKI-supported environment.
Blocking Client Using Certificate Revocation

The option is available for HTTP and HTTPS

The option is available for HTTPS Windows

1172

Blocking Client

Using Certificate Revocation

client connections, but has limited security when clients connect to site systems by using HTTP.

client connections if the public key infrastructure supports a certificate revocation list (CRL). In Configuration Manager SP1, Mac clients always perform CRL checking and this functionality cannot be disabled. Although mobile device clients do not use certificate revocation lists to check the certificates for site systems, their certificates can be revoked and checked by Configuration Manager.

Configuration Manager administrative users have the authority to block a client, and the action is taken in the Configuration Manager console. Client communication is rejected from the Configuration Manager hierarchy only. Note The same client could register with a different Configuration Manager hierarchy. The client is immediately blocked from the Configuration Manager site.

Public key infrastructure administrators have the authority to revoke a certificate, and the action is taken outside the Configuration Manager console. Client communication can be rejected from any computer or mobile device that requires this client certificate.

There is likely to be a delay between revoking a certificate and site systems downloading the modified certificate revocation list (CRL). For many PKI deployments, this delay can be a day or longer. For example, in Active Directory Certificate Services, the default expiration period is one week for a full CRL, and one day for a delta CRL.

Helps to protect site systems from potentially compromised computers and mobile devices.

Helps to protect site systems and clients from potentially compromised computers and mobile devices. Note You can further protect site systems that run IIS from unknown clients by configuring a certificate trust list (CTL) in IIS.
1173

Blocking AMT-Based Computers

After you block an Intel AMT-based computer that is provisioned by System Center 2012 Configuration Manager, you will no longer be able to manage it out of band. When an AMT-based computer is blocked, the following actions automatically occur to help protect the network from the security risks of elevation of privileges and information disclosure: The site server revokes all certificates issued to the AMT-based computer with the revocation reason of Cease of Operation. The AMT-based computer might have multiple certificates if it is configured for 802.1X authenticated wired or wireless networks that support client certificates. The site server deletes the AMT account in Active Directory Domain Services.

The AMT provisioning information is not removed from the computer, but the computer can no longer be managed out of band because its certificate is revoked and its account is deleted. If you later unblock the client, you must take the following actions before you can manage the computer out of band: 1. Manually remove provisioning information from the computers BIOS extensions. You will not be able to perform this configuration remotely. 2. Reprovision the computer with Configuration Manager. If you think you might unblock the client later and you can verify a connection to the AMT-based computer before you block the client, you can remove the AMT provisioning information with Configuration Manager and then block the client. This sequence of actions saves you from having to manually configure the BIOS extensions after you unblock the client. However, this option relies on a successful connection to the untrusted computer to complete the removal of provisioning information. This is particularly risky when the AMT-based computer is a laptop and might be disconnected from the network or on a wireless connection. Note To verify that the AMT-based computer successfully removed provisioning information, confirm that the AMT status has changed from Provisioned to Not Provisioned. However, if the provisioning information was not removed before the client was blocked, the AMT status remains at Provisioned but you will be unable to manage the computer out of band until you reconfigure the BIOS extensions and reprovision the computer for AMT. For more information about the AMT status, see About the AMT Status and Out of Band Management in Configuration Manager.

See Also
Planning for Client Deployment in Configuration Manager

1174

Configuring Client Deployment in Configuration Manager

There are various configuration tasks that must be completed before you can install or upgrade the System Center 2012 Configuration Manager client software. The links in this section provide the necessary information to complete each task associated with configuring Configuration Manager client deployment.

Configuring Topics
How to Configure Client Communication Port Numbers in Configuration Manager How to Configure Client Computers to Find Management Points by using DNS Publishing in Configuration Manager How to Prevent the Client Software from Installing on Specific Computers in Configuration Manager How to Configure Client Settings in Configuration Manager How to Install Clients on Windows-Based Computers in Configuration Manager How to Assign Clients to a Site in Configuration Manager How to Install Clients on Mac Computers in Configuration Manager How to Install Clients on Linux and UNIX Computers in Configuration Manager How to Install Clients on Mobile Devices and Enroll Them by Using Configuration Manager How to Configure Client Status in Configuration Manager

Other Resources for this Product

TechNet Library main page for System Center 2012 Configuration Manager Deploying Clients for System Center 2012 Configuration Manager

How to Configure Client Communication Port Numbers in Configuration Manager

You can change the request port numbers that System Center 2012 Configuration Manager clients use to communicate with site systems that use HTTP and HTTPS for communication. For Configuration Manager SP1 only, you can also specify a client notification port if you do not want to use HTTP or HTTPS. Although HTTP or HTTPS is more likely to be already configured for firewalls, client notification that uses HTTP or HTTPS requires more CPU usage and memory on the management point computer than if you use a custom port number. For all versions of Configuration Manager, you can also specify the site port number to use if you wake up clients by using traditional wake-up packets.
1175

When you specify HTTP and HTTPS request ports, you can specify both a default port number and an alternative port number. Clients automatically try the alternative port after communication fails with the default port. You can specify settings for HTTP and HTTPS data communication. The default values for client request ports are 80 for HTTP traffic and 443 for HTTPS traffic. Change them only if you do not want to use these default values. A typical scenario for using custom ports is when you use a custom website in IIS rather than the default website. If you change the default port numbers for the default website in IIS and other applications also use the default website, they are likely to fail. Important Do not change the port numbers in Configuration Manager without understanding the consequences. Examples: If you change the port numbers for the client request services as a site configuration and existing clients are not reconfigured to use the new port numbers, these clients will become unmanaged. Before you configure a non-default port number, make sure that firewalls and all intervening network devices can support this configuration and reconfigure them as necessary. If you will manage clients on the Internet and change the default HTTPS port number of 443, routers and firewalls on the Internet might block this communication.

To make sure that clients do not become unmanaged after you change the request port numbers, clients must be configured to use the new request port numbers. When you change the request ports on a primary site, any attached secondary sites automatically inherit the same port configuration. Use the procedure in this topic to configure the request ports on the primary site. Note For Configuration Manager SP1 only: For information about how to configure the request ports for clients on computers that run Linux and UNIX, see Configure Request Ports for the Client for Linux and UNIX. When the Configuration Manager site is published to Active Directory Domain Services, new and existing clients that can access this information will automatically be configured with their site port settings and you do not need to take further action. Clients that cannot access this information published to Active Directory Domain Services include workgroup clients, clients from another Active Directory forest, clients that are configured for Internet-only, and clients that are currently on the Internet. If you change the default port numbers after these clients have been installed, reinstall them and install any new clients by using one of the following methods: Reinstall the clients by using the Client Push Installation Wizard. Client push installation automatically configures clients with the current site port configuration. For more information about how to use the Client Push Installation Wizard, see How to Install Configuration Manager Clients by Using Client Push. Reinstall the clients by using CCMSetup.exe and the client.msi installation properties of CCMHTTPPORT and CCMHTTPSPORT. For more information about these properties, see How to Install Configuration Manager Clients by Using Client Push.

1176

Reinstall the clients by using a method that searches Active Directory Domain Services for Configuration Manager client installation properties. For more information, see About Client Installation Properties Published to Active Directory Domain Services in Configuration Manager.

To reconfigure the port numbers for existing clients, you can also use the script PORTSWITCH.VBS that is provided with the installation media in the SMSSETUP\Tools\PortConfiguration folder. Important For existing and new clients that are currently on the Internet, you must configure the non-default port numbers by using the CCMSetup.exe client.msi properties of CCMHTTPPORT and CCMHTTPSPORT. After changing the request ports on the site, new clients that are installed by using the site-wide client push installation method will be automatically configured with the current port numbers for the site. To configure the client communication port numbers for a site 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, click Sites, and select the primary site to configure. 3. On the Home tab, click Properties, and then click the Ports tab. 4. Select any of the items and click the Properties icon to display the Port Detail dialog box. 5. In the Port Detail dialog box, specify the port number and description for the item, and then click OK. 6. Select Use custom web site if you will use the custom website name of SMSWeb for site systems that run IIS. 7. Click OK to close the properties dialog box for the site. Repeat this procedure for all primary sites in the hierarchy.

See Also
Configuring Client Deployment in Configuration Manager

How to Configure Client Computers to Find Management Points by using DNS Publishing in Configuration Manager
Clients in System Center 2012 Configuration Manager must locate a management point during site assignment and as an on-going process to remain managed. Active Directory Domain
1177

Services provides the most secure method for clients on the intranet to find management points. However, if clients cannot use this service location method (for example, you have not extended the Active Directory schema, or clients are from a workgroup), use DNS publishing as the preferred alternative service location method. Note For Configuration Manager SP1 only: When you install the client for Linux and UNIX, you must specify a management point to use as an initial point of contact. For information about how to install the client for Linux and UNIX, see the Install the Client on Linux and UNIX Servers section in the How to Install Clients on Linux and UNIX Computers in Configuration Manager topic. Before you configure clients to find management points by using DNS publishing, make sure that DNS servers on the intranet have service location resource records (SRV RR) and corresponding host (A or AAA) resource records for the site's management points. The service location resource records can be created automatically by Configuration Manager or manually, by the DNS administrator who creates the records in DNS. For more information about DNS publishing as a service location method for Configuration Manager clients, see the Planning for Service Location by Clients section in the Planning for Communications in Configuration Manager topic. You can configure clients to find management points by using DNS publishing either during or after client installation: To configure clients to find management points by using DNS publishing during client installation, configure the CCMSetup Client.msi properties. To configure clients to find management points by using DNS publishing after client installation, in Control Panel, configure the Configuration Manager Properties. To configure clients to find management points by using DNS publishing during client installation Install the client with the following CCMSetup Client.msi properties: DNSSUFFIX=<management point domain> If the site has more than one management point and they are in more than one domain, specify just one domain. When clients connect to a management point in this domain, they download a list of available management points, which will include the management points from the other domains. SMSSITECODE=<site code of client's assigned site> You cannot use automatic site assignment when you configure clients to find management points in DNS, but must directly assign them to a site. For more information about the CCMSetup command-line properties, see About Client Installation Properties in Configuration Manager.

1178

To configure clients to find management points by using DNS publishing after client installation 1. In Control Panel of the client computer, navigate to Configuration Manager, and then double-click Properties. 2. On the Site tab, specify the DNS suffix of the management points, and then click OK. If the site has more than one management point and they are in more than one domain, specify just one domain. When clients connect to a management point in this domain, they download a list of available management points, which will include the management points from the other domains.

See Also
Configuring Client Deployment in Configuration Manager

How to Prevent the Client Software from Installing on Specific Computers in Configuration Manager
You can edit the Windows registry to prevent the System Center 2012 Configuration Manager client from installing on specific computers when you use the site-wide automatic client push installation method. The registry of each Configuration Manager primary site server contains a list of computers to exclude from site-wide automatic client push installation. When you exclude these computers, they can still be found by using Configuration Manager discovery methods. In addition, this registry entry does not prevent the client from installing when you use other client installation methods, such as the Client Push Wizard or by manually running CCMSetup.exe. Important If you use the Registry Editor incorrectly, you might cause serious problems that might require you to reinstall the operating system. Microsoft cannot guarantee that you can solve problems that result from using the Registry Editor incorrectly. Use the Registry Editor at your own risk. When you add a computer to the ExcludeServers list, Configuration Manager sets the installed flag in the resource record for this computer. During standard operation, the installed flag prevents Configuration Manager from reinstalling the client when automatic site-wide client push installation is enabled. When you add a computer name to the exclude list, it also prevents Configuration Manager from installing the client on that computer when it is discovered and automatic site-wide client push installation is enabled. If you later remove the computer from the exclude list because you want to install the client, the installed flag remains. To clear this flag so that the client will install, you must also run the Clear
1179

Install Flag maintenance task. To verify whether the installed flag is set for a computer, view the properties of the resource in the Administration workspace. The item Client in the Discovery data list displays Yes when the installed flag is set and No when the install flag is not set. Use the following procedures to add computers to the exclude list and to run the Clear Install Flag task if this task is necessary. To add computers to the exclude list to prevent client software from being installed when automatic site-wide client push is enabled 1. Open the Windows Registry Editor on the System Center 2012 Configuration Manager site server for the site that you want to exclude a computer from joining. 2. Locate the SMS_DISCOVERY_DATA_MANAGER sub-key by browsing to the following path: For a 32-bit operating system: HKEY_LOCAL_MACHINE/Software/Microsoft/SMS/Components/SMS_DISCOVE RY_DATA_MANAGER For a 64-bit operating system: HKEY_LOCAL_MACHINE/Software/Wow6432Node/Microsoft/SMS/Components/ SMS_DISCOVERY_DATA_MANAGER

3. To enter the name of the computers that you want to exclude, double-click the key ExcludeServers to open the Edit Multi-String window. 4. In the Edit Multi-String window, specify the NetBIOS name of each computer that you want to exclude. Press the Enter key after you type each computer name to ensure that each computer name appears on a separate line. 5. After you have entered all the computer names of computers to exclude, click OK. Close the Registry Editor window. To clear the install flag so that client software will install when automatic site-wide client push is enabled 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, click Sites, and then select the site that automatically installs the client software. 3. On the Home tab, in the Settings group, click Site Maintenance. 4. In the Site Maintenance dialog box, select Clear Install Flag, and then click Edit. 5. In the Clear Install Flag Properties dialog box, specify the following: Select Enable this task to enable the clear install flag task. Configure the schedule to control how often the task runs.

6. Click OK to close the Clear Install Flag Properties dialog box. After this task runs at the specified schedule, any computers that you remove from the exclude list can now be installed by using automatic site-wide client push installation.

1180

See Also
Configuring Client Deployment in Configuration Manager

How to Configure Client Settings in Configuration Manager

You manage all client settings in System Center 2012 Configuration Manager from the Client Settings node in the Administration workspace of the Configuration Manager console. Modify the default settings when you want to configure settings for all users and devices in the hierarchy that do not have any custom settings applied. If you want to apply different settings to just some users or devices, create custom settings and deploy these to collections. Note You can also use configuration items to manage clients to assess, track, and remediate the configuration compliance of devices. For more information, see Compliance Settings in Configuration Manager. Use one of the following procedures to configure client settings: How to Configure the Default Client Settings How to Create and Deploy Custom Client Settings

How to Configure the Default Client Settings

Use the following procedure to configure the default client settings for all clients in the hierarchy. To configure the default client settings 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, click Client Settings, and then select Default Client Settings. 3. On the Home tab, click Properties. 4. View and configure the client settings for each group of settings in the navigation pane. For more information about each setting, see About Client Settings in Configuration Manager. 5. Click OK to close the Default Client Settings dialog box. Client computers will be configured with these settings when they next download client policy. To initiate policy retrieval for a single client, see the Initiate Policy Retrieval for a Configuration Manager Client section in the How to Manage Clients in Configuration Manager topic.

1181

How to Create and Deploy Custom Client Settings

Use the following procedure to configure and deploy custom settings for a selected collection of users or devices. When you deploy these custom settings, they override the default client settings. Note Before you begin this procedure, ensure that you have a collection that contains the users or devices that require these custom client settings. To configure and deploy custom client settings 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, click Client Settings. 3. On the Home tab, in the Create group, click Create Custom Client Settings, and then click one of the following options depending on whether you want to create custom client settings for devices or for users: Create Custom Client Device Settings Create Custom Client User Settings

4. In the Create Custom Device Settings or Create Custom User Settings dialog box, specify a unique name for the custom settings, and an optional description. 5. Select one or more of the available check boxes that display a group of settings. 6. Click the first group settings from the navigation pane, and then view and configure the available custom settings. Repeat this process for any remaining group settings. For information about each client setting, see About Client Settings in Configuration Manager. 7. Click OK to close the Create Custom Device Settings or Create Custom User Settings dialog box. 8. Select the custom client setting that you have just created. On the Home tab, in the Client Settings group, click Deploy. 9. In the Select Collection dialog box, select the collection that contains the devices or users to be configured with the custom settings, and then click OK. You can verify the selected collection if you click the Deployments tab in the details pane. 10. View the order of the custom client setting that you have just created. When you have multiple custom client settings, they are applied according to their order number. If there are any conflicts, the setting that has the lowest order number overrides the other settings. To change the order number, on the Home tab, in the Client Settings group, click Move Item Up or Move Item Down. Client computers will be configured with these settings when they next download client policy. To initiate policy retrieval for a single client, see the Initiate Policy Retrieval for a Configuration Manager Client section in the How to Manage Clients in Configuration Manager topic.

1182

See Also
Configuring Client Deployment in Configuration Manager

How to Install Clients on Windows-Based Computers in Configuration Manager

You can use different client deployment methods to install the System Center 2012 Configuration Manager client software on computers. To help you decide which deployment method to use, see Determine the Client Installation Method to Use for Windows Computers in Configuration Manager. Before you install System Center 2012 Configuration Manager clients, ensure that all the prerequisites are in place and that you have completed all required deployment configurations. For more information, see Prerequisites for Windows Client Deployment in Configuration Manager and Configuring Client Deployment in Configuration Manager. Use the following procedures to install clients in System Center 2012 Configuration Manager.

How to Install Configuration Manager Clients by Using Client Push

Use client push installation to install the System Center 2012 Configuration Manager client software on computers that Configuration Manager discovered. You can configure client push installation for a site, and client installation will automatically run on the computers that are discovered within the site's configured boundaries when those boundaries are configured as a boundary group. Or, you can initiate a client push installation by running the Client Push Installation Wizard for a specific collection or resource within a collection. Note Configuration Manager SP1 does not support client push installation for Windows Embedded devices that have write filters that are enabled. You can also use the Client Push Installation Wizard to install the System Center 2012 Configuration Manager client to the results that are obtained from running a query. For installation to succeed in this scenario, one of the items returned by the selected query must be the attribute ResourceID from the attribute class System Resource. For more information about queries, see Queries in Configuration Manager. If the site server cannot contact the client computer or start the setup process, it automatically repeats the installation attempt every hour for up to 7 days until it succeeds. To help track the client installation process, install a fallback status point site system before you install the clients. When a fallback status point is installed, it is automatically assigned to clients when they are installed by the client push installation method. View the client deployment and
1183

assignment reports to track client installation progress. Additionally, the client log files provide more detailed information for troubleshooting and do not require the installation of a fallback status point. For example, the CCM.log file on the site server records any problems that the site server has connecting to the computer, and the CCMSetup.log file on the client records the installation process. Important For client push to succeed, ensure that all the prerequisites are in place. These are listed in the section Installation Method Dependencies in Prerequisites for Windows Client Deployment in Configuration Manager. To configure the site to automatically use client push for discovered computers 1. If there are specific computers that are assigned to the site and that must not install the Configuration Manager client, configure the ExcludeServers list. For more information, see How to Prevent the Client Software from Installing on Specific Computers in Configuration Manager. 2. In the Configuration Manager console, click Administration. 3. In the Administration workspace, expand Site Configuration, and then click Sites. 4. In the Sites list, select the site for which you want to configure automatic site-wide client push installation. 5. On the Home tab, in the Settings group, click Client Installation Settings, and then click Client Push Installation. 6. On the General tab of the Client Push Installation Properties dialog box, select Enable automatic site-wide client push installation. Select the system types to which System Center 2012 Configuration Manager should push the client software by selecting Servers, Workstations, or Configuration Manager site system servers. The default selection is Servers and Workstations. 7. Select whether you want automatic site-wide client push installation to install the System Center 2012 Configuration Manager client software on domain controllers. 8. On the Accounts tab, specify one or more accounts for System Center 2012 Configuration Manager to use when connecting to the computer to install the client software. Click the Create icon, enter the User name and Password, confirm the password, and then click OK. If you do not specify at least one client push installation account, System Center 2012 Configuration Manager tries to use the site system computer account. The account must have local administrator rights on every computer on which you want to install the client. Important The password for the client push installation account is limited to 38 characters or less. Note If you intend to use the client push installation method from a secondary site, the account must be specified at the secondary site that initiates the client push.
1184

For more information about the client push installation account, see the next procedure,To use the Client Push Installation Wizard. 9. On the Installation Properties tab, specify any installation properties to use when installing the System Center 2012 Configuration Manager client: For Configuration Manager with no service pack: You can specify only installation properties for the Windows Installer package (Client.msi) in this tab; you cannot specify properties for CCMSetup.exe. For Configuration Manager SP1: You can specify installation properties for the Windows Installer package (Client.msi) in this tab and the following CCMSetup.exe properties: /forcereboot /skipprereq /logon /BITSPriority /downloadtimeout /forceinstall

Client installation properties that are specified in this tab are published to Active Directory Domain Services if the schema is extended for System Center 2012 Configuration Manager and read by client installations where CCMSetup is run without installation properties. For more information about client installation properties, see About Client Installation Properties in Configuration Manager. Note If you enable client push installation on a secondary site, ensure that the SMSSITECODE property is set to the System Center 2012 Configuration Manager site name of its parent primary site. If the Active Directory schema is extended for System Center 2012 Configuration Manager, you can also set this to AUTO to automatically find the correct site assignment. To use the Client Push Installation Wizard 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, and then click Sites. 3. In the Sites list, select the site for which you want to configure automatic site-wide client push installation. 4. On the Home tab, in the Settings group, click Client Installation Settings, and then click Client Push Installation. 5. On the Installation Properties tab, specify any installation properties to use when installing the System Center 2012 Configuration Manager client: For Configuration Manager with no service pack: You can specify only installation properties for the Windows Installer package (Client.msi) in this tab; you cannot specify properties for CCMSetup.exe.
1185

For Configuration Manager SP1: You can specify installation properties for the Windows Installer package (Client.msi) in this tab and the following CCMSetup.exe properties: /forcereboot /skipprereq /logon /BITSPriority /downloadtimeout /forceinstall

Client installation properties that are specified in this tab are published to Active Directory Domain Services if the schema is extended for System Center 2012 Configuration Manager and read by client installations where CCMSetup is run without installation properties. For more information about client installation properties, see About Client Installation Properties in Configuration Manager. 6. In the Configuration Manager console, click Assets and Compliance. 7. In the Assets and Compliance workspace, select one or more computers, or a collection of computers. 8. On the Home tab, choose one of the following: If you want to install the client to a single computer or multiple computers, in the Device group, click Install Client. If you want to install the client to a collection of computers, in the Collection group, click Install Client.

9. On the Before You Begin page of the Install Client Wizard, review the information, and then click Next. 10. On the Installation options page, configure whether the client can be installed on domain controllers, whether the client will be reinstalled, upgraded, or repaired on computers with an existing client, and the name of the site that will install the client software. Click Next. 11. Review the installation settings, and then close the wizard. Note You can use the wizard to install clients even if the site is not configured for client push.

How to Install Configuration Manager Clients by Using Software Update-Based Installation

Software update-based client installation publishes the System Center 2012 Configuration Manager client to a software update point as an additional software update. This method of client installation can be used to install the System Center 2012

1186

Configuration Manager client on computers that do not already have the client installed or to upgrade existing System Center 2012 Configuration Manager clients. If a computer has the System Center 2012 Configuration Manager client installed, Configuration Manager provides the client with the software update point server name and port from which to obtain software updates. This information is included in the client policy. Important To use software update-based installation, you must use the same Windows Server Update Services (WSUS) server for client installation and software updates. This server must be the active software update point in a primary site. For more information, see Configuring Software Updates in Configuration Manager. If a computer does not have the System Center 2012 Configuration Manager client installed, you must configure and assign a Group Policy Object (GPO) in Active Directory Domain Services to specify the software update point server name from which the computer will obtain software updates. You cannot add command-line properties to a software update-based client installation. If you have extended the Active Directory schema for System Center 2012 Configuration Manager, client computers automatically query Active Directory Domain Services for installation properties when they install. If you have not extended the Active Directory schema, you can use Group Policy to provision client installation settings to computers in your site. These settings are automatically applied to any software update-based client installations. For more information, see How to Provision Client Installation Properties (Group Policy and Software Update-Based Client Installation) and How to Assign Clients to a Site in Configuration Manager. Use the following procedures to configure computers without a System Center 2012 Configuration Manager client to use the software update point for client installation and software updates, and to publish the System Center 2012 Configuration Manager client software to the software update point. To configure a Group Policy Object in Active Directory Domain Services to specify the software update point for client installation and software updates 1. Use the Group Policy Management Console to open a new or existing Group Policy Object. 2. In the console, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update. 3. Open the properties of the setting Specify intranet Microsoft update service location, and then click Enabled. 4. In the box Set the intranet update service for detecting updates, specify the name of the software update point server that you want to use and the port. These must match exactly the server name format and the port being used by the software update point: If the Configuration Manager site system is configured to use a fully qualified domain name (FQDN), specify the server name by using FQDN format.
1187

If the Configuration Manager site system is not configured to use a fully qualified domain name (FQDN), specify the server name by using a short name format. Note To determine the port number that is being used by the software update point, see How to Determine the Port Settings Used by WSUS.

Example: http://server1.contoso.com:8530 5. In the box Set the intranet statistics server, specify the name of the intranet statistics server that you want to use. There are no specific requirements for specifying this server. It does not have to be the same computer as the software update point server, and the format does not have to match if it is the same server. 6. Assign the Group Policy Object to the computers on which you want to install the Configuration Manager client and receive software updates. To publish the Configuration Manager client to the software update point 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, and then click Sites. 3. In the Sites list, select the site for which you want to configure software update-based client installation. 4. On the Home tab, in the Settings group, click Client Installation Settings, and then click Software Update-Based Client Installation. 5. In the Software Update Point Client Installation Properties dialog box, select Enable software update-based client installation to enable this client installation method. 6. If the client software on the System Center 2012 Configuration Manager site server is a later version than the client version stored on the software update point, the Later Version of Client Package Detected dialog box opens. Click Yes to publish the most recent version of the client software to the software update point. Note If the client software has not been previously published to the software update point, this box will be blank. 7. To finish configuring the software update point client installation, click OK. Note The software update for the Configuration Manager client is not automatically updated when there is a new version. If you upgrade the site, which includes a new client version, you must repeat this procedure and click Yes for step 6.

How to Install Configuration Manager Clients by Using Group Policy

You can use Group Policy in Active Directory Domain Services to publish or assign the System Center 2012 Configuration Manager client to install on computers in your enterprise.
1188

When you assign the Configuration Manager client to computers by using Group Policy, the client installs when the computer first starts. When you publish the System Center 2012 Configuration Manager client to users by using Group Policy, the client displays in the Control Panel Add or Remove Programs for the computer for the user to install. Use the Windows Installer package (CCMSetup.msi) for Group Policy-based installations. This file is found in the folder <ConfigMgr installation directory>\bin\i386 on the System Center 2012 Configuration Manager site server. You cannot add properties to this file to modify installation behavior: Important You must have Administrator permissions to the folder to access the client installation files. If the Active Directory schema is extended for System Center 2012 Configuration Manager and Publish this site in Active Directory Domain Services is selected in the Advanced tab of the Site Properties dialog box, client computers automatically search Active Directory Domain Services for installation properties. For more information about the installation properties that are published, see About Client Installation Properties Published to Active Directory Domain Services in Configuration Manager. If the Active Directory schema has not been extended, you can use the following procedure in this topic to store installation properties in the registry of computers: How to Provision Client Installation Properties (Group Policy and Software Update-Based Client Installation). These installation properties are then used when the System Center 2012 Configuration Manager client is installed.

For information about how to use Group Policy in Active Directory Domain Services to install software, refer to your Windows Server documentation.

How to Install Configuration Manager Clients Manually

You can manually install the System Center 2012 Configuration Manager client software on computers in your enterprise by using the CCMSetup.exe program. This program and its supporting files can be found in the Client folder of the System Center 2012 Configuration Manager installation folder on the site server and on management points in your site. This folder is shared to the network as <Site Server Name>\SMS_<Site Code>\Client. Important You must have Administrator permissions to the folder to access the client installation files. CCMSetup.exe copies all necessary installation prerequisites to the client computer and calls the Windows Installer package (Client.msi) to perform the client installation. Important You cannot run Client.msi directly.
1189

You can specify command-line properties for both CCMSetup.exe and Client.msi to modify the behavior of the client installation. Make sure that you specify CCMSetup properties (the properties that begin with / ) before you specify Client.msi properties. For example, you could specify the following command line CCMSetup.exe /mp:SMSMP01 /logon SMSSITECODE=AUTO FSP=SMSFP01 and the client installs by using the following properties:
Property Description

/mp:SMSMP01

This CCMSetup property specifies the management point SMSMP01 to download the required client installation files. This CCMSetup property specifies that the installation should stop if an existing System Center 2012 Configuration Manager or Configuration Manager 2007 client is found on the computer. This Client.msi property specifies that the client tries to locate the System Center 2012 Configuration Manager site code to use, for example, by using Active Directory Domain Services. This Client.msi property specifies that the fallback status point named SMSFP01 will be used to receive state messages sent from the client computer.

/logon

SMSSITECODE=AUTO

FSP=SMSFP01

Examples for Installing Configuration Manager Clients Manually

In the following examples for Active Directory clients on the intranet, a management point is installed on a computer named MPSERVER, a fallback status point is installed on FSPSERVER, the site is named ABC, and the domain is contoso.com. All site system servers are configured with an intranet FQDN and the site is published to the clients Active Directory forest. On the client computer, you log on as a local administrator, map a drive to \\MPSERVER\SMS_ABC\Client, and then run one of the following commands. Example 1: CCMSetup.exe Note This example installs the client with no additional properties so that the client is automatically configured by using the client installation properties published to Active Directory Domain Services. For example, the client is automatically configured for the site code (requires the clients network location to be included in a boundary group that is
1190

configured for client assignment), a management point, the fallback status point, and whether the client must communicate by using HTTPS only. For more information about the client installation properties that can be automatically configured for Active Directory clients, see About Client Installation Properties Published to Active Directory Domain Services in Configuration Manager. Example 2: CCMSetup.exe /MP:mpserver.contoso.com /UsePKICert SMSSITECODE=ABC CCMHOSTNAME=server05.contoso.com CCMFIRSTCERT=1 FSP=server06.constoso.com Note This example overrides the automatic configuration that Active Directory Domain Services can provide and does not require that the clients network location is included in a boundary group that is configured for client assignment. Instead, the installation specifies the site, an intranet management point and an Internet-based management point, a fallback status point that accepts connections from the Internet, and to use a client PKI certificate (if available) that has the longest validity period.

How to Install Configuration Manager Clients by Using Logon Scripts

System Center 2012 Configuration Manager supports logon scripts to install the System Center 2012 Configuration Manager client software. You can use the program file CCMSetup.exe in a logon script to trigger the client installation. Logon script installation uses the same methods as manual client installation. You can specify the /logon installation property for CCMSsetup.exe, which prevents the client from installing if any version of the client already exists on the computer. This prevents reinstallation of the client from taking place each time the logon script runs. If no installation source is specified that is using the /Source property and no management point from which to obtain installation is specified by using the /MP property, CCMSetup.exe can locate the management point by searching Active Directory Domain Services if the schema has been extended for System Center 2012 Configuration Manager and the site is published to Active Directory Domain Services. Alternatively, the client can use DNS or WINS to locate a management point.

How to Upgrade Configuration Manager Clients by Using a Package and Program

You can use Configuration Manager to create and deploy a package and program that upgrades the client software for selected computers in your hierarchy. A package definition file is supplied with Configuration Manager that populates the package properties with typically used values. You can customize the behavior of the client installation by specifying additional command line properties.

1191

You cannot upgrade Configuration Manager 2007 clients to System Center 2012 Configuration Manager by using this method. In this scenario, use automatic client upgrade, which automatically creates and deploys a package that contains the latest version of the client. For more information about how to migrate from Configuration Manager 2007 to System Center 2012 Configuration Manager, see Planning a Client Migration Strategy in System Center 2012 Configuration Manager. Use the following procedure to create a Configuration Manager package and program that you can deploy to System Center 2012 Configuration Manager client computers to upgrade the client software. To create a package and program for the client software 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Application Management, and then click Packages. 3. On the Home tab, in the Create group, click Create Package from Definition. 4. On the Package Definition page of the Create Package from Definition Wizard , select Microsoft from the Publisher drop-down list, select Configuration Manager Client Upgrade from the Package definition list, and then click Next. 5. On the Source Files page of the wizard, select Always obtain files from a source folder, and then click Next. 6. On the Source Folder page of the Create Package from Definition Wizard, select Network path (UNC Name) and enter the network path to the computer and folder that contains the Configuration Manager client installation files. Note The computer on which the Configuration Manager deployment runs must have access to the network folder that you specify. If the computer does not have access, the installation will fail. 7. Click Next and complete the wizard. 8. If you want to change any of the client installation properties, you can modify the CCMSetup.exe command line parameters on the General tab of the Configuration Manager agent silent upgrade Properties program dialog box. The default installation properties are /noservice SMSSITECODE=AUTO. 9. Distribute the package to all distribution points that you want to host the client upgrade package. You can then deploy the package to computer collections that contain System Center 2012 Configuration Manager clients that you want to upgrade.

How to Automatically Upgrade the Configuration Manager Client for the Hierarchy
You can configure Configuration Manager to automatically upgrade the client software to the latest System Center 2012 Configuration Manager client version when Configuration Manager
1192

identifies that a client that is assigned to the System Center 2012 Configuration Manager hierarchy is lower than the version used in the hierarchy. This scenario includes upgrading the Configuration Manager 2007 client to the latest System Center 2012 Configuration Manager client when it attempts to assign to a System Center 2012 Configuration Manager site. A client can be automatically upgraded in the following scenarios: The client version is lower that the version being used in the hierarchy. The client on the central administration site has a language pack installed and the existing client does not. A client prerequisite in the hierarchy is a different version than the one installed on the client. One or more of the client installation files are a different version.

Configuration Manager creates an upgrade package by default that is automatically sent to all distribution points in the hierarchy. If you make changes to the client package on the central administration site, for example, add a client language pack, Configuration Manager automatically updates the package, and distributes it to all distribution points in the hierarchy. If automatic client upgrade is enabled, every client will install the new client language package automatically. Note Configuration Manager does not automatically send the client upgrade package to Configuration Manager SP1 cloud-based distribution points. Automatic client upgrades are useful when you want to upgrade a small number of client computers that might have been missed by your main client installation method. For example, you have completed an initial client upgrade, but some clients were offline during the upgrade deployment. You then use this method to upgrade the client on these computers when they are next active. Note For Configuration Manager SP1 only: The performance improvements in Configuration Manager SP1 let you use automatic client upgrades as the main method to upgrade clients. However, the performance of this method might be affected by the infrastructure of your hierarchy, such as the number of clients that you have. Use the following procedure to configure automatic client upgrade. Automatic client upgrade must be configured at a central administration site and this configuration applies to all clients in your hierarchy. To configure automatic client upgrades (Configuration Manager with no service pack) 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, and then click Sites. 3. On the Home tab, in the Sites group, click Hierarchy Settings. 4. In the Client Installation Settings tab of the Site Settings Properties dialog box, configure the following options:
1193

Upgrade client automatically when new client updates are available Enables or disables automatic client upgrades. Allow clients to use a fallback source location for content Allows clients to use a fallback source location to retrieve the client installation files. Do not run program when a client is within a slow or unreliable network boundary or when the client uses a fallback source location for content Select this option to ensure that clients do not retrieve client installation files from distribution points that are on a slow or unreliable network from the client location and only use distribution points that are in a boundary group with a fast connection. Automatically upgrade clients within days Specify the number of days in which client computers must upgrade the client after they receive client policy. The client will be upgraded at a random interval within this number of days. This prevents scenarios where a large number of client computers are upgraded simultaneously. Automatically upgrade clients that are this version or earlier Specify the minimum client version to upgrade on client computers. Note You can run the report Count of Configuration Manager clients by client versions in the report folder Site Client Information to identify the different versions of the Configuration Manager client in your hierarchy.

5. Click OK to save the settings and close the Site Settings Properties dialog box. Clients will receive these settings when they next download policy. To configure automatic client upgrades (Configuration Manager SP1) 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, and then click Sites. 3. On the Home tab, in the Sites group, click Hierarchy Settings. 4. In the Automatic Client Upgrade tab of the Site Settings Properties dialog box, configure the following options: Upgrade client automatically when new client updates are available Enables or disables automatic client upgrades. Automatically upgrade clients within days Specify the number of days in which client computers must upgrade the client after they receive client policy. The client will be upgraded at a random interval within this number of days. This prevents scenarios where a large number of client computers are upgraded simultaneously. Automatically distribute client installation package to distribution points that are enabled for prestaged content You must enable this option if you want the client installation package to be copied to distribution points that have been enabled for prestaged content. Note You can run the report Count of Configuration Manager clients by client versions in the report folder Site Client Information to identify the different
1194

versions of the Configuration Manager client in your hierarchy. 5. Click OK to save the settings and close the Site Settings Properties dialog box. Clients receive these settings when they next download policy.

How to Install Configuration Manager Clients by Using Computer Imaging

You can preinstall the System Center 2012 Configuration Manager client software on a master image computer that will be used to build computers in your enterprise. To install the client on a master computer, do not specify a site code for the client. When computers are imaged from this master image, they will contain the System Center 2012 Configuration Manager client and must complete site assignment when installation is complete. Important The imaged computers cannot function as System Center 2012 Configuration Manager clients until the System Center 2012 Configuration Manager clients are assigned to a System Center 2012 Configuration Manager site. You must remove any computer-specific certificates that are installed on the master image computer. For example, if you use public key infrastructure (PKI) certificates, you must remove the certificates in the Personal store for Computer and User before you image the computer. If clients cannot query Active Directory Domain Services to locate a management point, they use the trusted root key to determine trusted management points. If all imaged clients will be deployed in the same hierarchy as the master computer, leave the trusted root key in place. If the clients will be deployed in different hierarchies, remove the trusted root key and as a best practice, preprovision these clients with the new trusted root key. For more information, see Planning for the Trusted Root Key. To prepare the client computer for imaging 1. Manually install the System Center 2012 Configuration Manager client software on the master image computer. For more information, see How to Install Configuration Manager Clients Manually. Important Do not specify a System Center 2012 Configuration Manager site code for the client in the CCMSetup.exe command-line properties. 2. At a command prompt, type net stop ccmexec to ensure that the SMS Agent Host service (Ccmexec.exe) is not running on the master image computer. 3. Remove any certificates that are stored in the local computer store on the master image computer. 4. If the clients will be installed in a different System Center 2012 Configuration Manager hierarchy than the master image computer, remove the Trusted Root Key from the master image computer.
1195

5. Use your imaging software to capture the image of the master computer. 6. Deploy the image to destination computers.

How to Install Configuration Manager Clients on Workgroup Computers

System Center 2012 Configuration Manager supports client installation for computers in workgroups. Install the client on workgroup computers by using the method specified in How to Install Configuration Manager Clients Manually. The following prerequisites must be met in order to install the System Center 2012 Configuration Manager client on workgroup computers: The client must be installed manually on each workgroup computer. During installation, the logged-on user must have local administrator rights on the workgroup computer. In order to access resources in the System Center 2012 Configuration Manager site server domain, the Network Access Account must be configured for the site. You specify this account as a software distribution component property. For more information, see Configuring Site Components in Configuration Manager. Workgroup clients cannot locate management points from Active Directory Domain Services, and instead must use DNS, WINS, or another management point. Global roaming is not supported, because clients cannot query Active Directory Domain Services for site information. Active Directory discovery methods cannot discover computers in workgroups. You cannot deploy software to users of workgroup computers. You cannot use the client push installation method to install the client on workgroup computers. Workgroup clients cannot use Kerberos for authentication and so might require manual approval. A workgroup client cannot be configured as a distribution point. System Center 2012 Configuration Manager requires that distribution point computers be members of a domain. To install the client on workgroup computers 1. Ensure that the computers on which you want to install the client meet the above prerequisites. 2. Follow the directions in the section How to Install Configuration Manager Clients Manually. Example 1: CCMSetup.exe SMSSITECODE=ABC DNSSUFFIX=constoso.com Note This example installs the client for intranet client management and specifies the site code and DNS suffix to locate a management point.
1196

There are a number of limitations to supporting workgroup computers:

Example 2: CCMSetup.exe FSP=fspserver.constoso.com Note This example requires the client to be on a network location that is configured in a boundary group so that automatic site assignment can succeed. The command includes a fallback status point on server FSPSERVER, to help track client deployment and to identify any client communication issues.

How to Install Configuration Manager Clients for Internet-based Client Management

When the System Center 2012 Configuration Manager site supports Internet-based client management for clients that are sometimes on the intranet, and sometimes on the Internet, you have two options when you install clients on the intranet: You can include the Client.msi property of CCMHOSTNAME=<Internet FQDN of the Internetbased management point> when you install the client, for example by using manual installation or client push. When you use this method, you must also directly assign the client to the site and cannot use automatic site assignment. The How to Install Configuration Manager Clients Manually section in this topic provides an example of this configuration method. You can install the client for intranet client management, and then assign an Internet-based client management point to the client by using the Configuration Manager client properties in Control Panel, or by using a script. When you use this method, you can use automatic client assignment. For more information, see the How to Configure Clients for Internet-based Client Management after Client Installation section in this topic.

If you must install clients that are on the Internet either because they are Internet-only clients, or because you must install them before they come back into the intranet, choose one of the following supported methods: Provide a mechanism for these clients to temporarily connect to the intranet by using a virtual private network (VPN), and then install them by using any appropriate client installation method. Use an installation method that is independent from Configuration Manager, such as packaging the client installation source files onto removable media that you can send to users to install with instructions. The client installation source files are located in the <InstallationPath>\Client folder on the System Center 2012 Configuration Manager site server and management points. Include on the media a script to manually copy over the client folder and from this folder, install the client by using CCMSetup.exe and all the appropriate CCMSetup command-line properties. Note Configuration Manager does not support installing a client directly from the Internetbased management point or from the Internet-based software update point.

1197

Because clients that are managed over the Internet must communicate with Internet-based site systems, ensure that these clients also have public key infrastructure (PKI) certificates installed before you install them. You must install these certificates independently from System Center 2012 Configuration Manager. For more information about the certificate requirements, see PKI Certificate Requirements for Configuration Manager. To install clients on the Internet by specifying CCMSetup command-line properties 1. Follow the directions in the section How to Install Configuration Manager Clients Manually and always include the following: CCMSetup command-line property /source:<local path to the copied Client folder> CCMSetup command-line property /UsePKICert Client.msi property CCMHOSTNAME=<FQDN of Internet-based management point> Client.msi property SMSSIGNCERT=<local path to exported site server signing certificate> Client.msi property SMSSITECODE=<site code of Internet-based management point> Note If the site has more than one Internet-based management point, it does not matter which Internet-based management point you specify for the CCMHOSTNAME property. When a Configuration Manager client connects to the specified Internet-based management point, the management point sends the client a list of available Internet-based management points in the site, and the client selects one from the list. The selection is nondeterministic. 2. If you do not want the client to check the certificate revocation list (CRL), specify the CCMSetup command-line property /NoCRLCheck. 3. If you are using an Internet-based fallback status point, specify the Client.msi property FSP=<Internet FQDN of the Internet-based fallback status point>. 4. If you are installing the client for Internet-only client management, specify the Client.msi property CCMALWAYSINF=1. 5. Verify whether you have to specify any additional CCMSetup command-line properties. For example, you might have to specify a certificate selection criteria if the client has more than one valid PKI certificate. For a list of available properties, see About Client Installation Properties in Configuration Manager. Example: CCMSetup.exe /source: D:\Clients /UsePKICert CCMHOSTNAME=server1.contoso.com SMSSIGNCERT=siteserver.cer SMSSITECODE=ABC FSP=server2.contoso.com CCMALWAYSINF=1 CCMFIRSTCERT=1 Note This example installs the client source files from a folder on the D drive with settings to use a client PKI certificate and select the certificate with the longest validity period for Internet-only client management, assigns the client to use the
1198

Internet-based management point named SERVER1 and the Internet-based fallback status point in the contoso.com domain, and assigns the client to the ABC site.

How to Configure Clients for Internet-based Client Management after Client Installation
To assign the Internet-based management point after the client is installed, use one of the following procedures. The first procedure requires manual configuration so it is appropriate for a few clients, whereas the second procedure is more appropriate if you have many clients to configure. To configure clients for Internet-based client management after client installation by assigning the Internet-based management point in Configuration Manager Properties 1. Navigate to Configuration Manager in the Control Panel of the client computer, and then double-click to open its properties. 2. On the Internet tab, enter the fully qualified domain name of the Internet-based management point in the Internet FQDN text box. Note The Internet tab is only available if the client has a client PKI certificate. 3. Enter proxy server settings if the client will access the Internet by using a proxy server. 4. Click OK. To configure clients for Internet-based client management after client installation by using a script 1. Open a text editor, such as Notepad. 2. Copy and insert the following into the file: on error resume next

' Create variables. Dim newInternetBasedManagementPointFQDN Dim client

newInternetBasedManagementPointFQDN = "mp.contoso.com"

' Create the client COM object. Set client = CreateObject ("Microsoft.SMS.Client")

1199

' Set the Internet-Based Management Point FQDN by calling the SetCurrentManagementPoint method. client.SetInternetManagementPointFQDN newInternetBasedManagementPointFQDN

' Clear variables. Set client = Nothing Set internetBasedManagementPointFQDN = Nothing

3. Replace mp.contoso.com with the Internet FQDN of your Internet-based management point. Note If you have to delete a specified Internet-based management point so that the client is not configured to use an Internet-based management point, remove the value inside the quotation marks so that this line becomes newInternetBasedManagementPointFQDN = "". 4. Save the file with a .vbs extension. 5. Use cscript to run the script on client computers, by using one of the following methods: Deploy the file to existing Configuration Manager clients by using a package and a program. Run the file locally on existing Configuration Manager clients by double-clicking the script file in Windows Explorer.

You might have to restart the client for the new setting in this script to take effect.

How to Provision Client Installation Properties (Group Policy and Software Update-Based Client Installation)
You can use Windows Group Policy to provision computers in your enterprise with System Center 2012 Configuration Manager client installation properties. These properties are stored in the registry of the computer and read when the client software is installed. This procedure would not normally be required for System Center 2012 Configuration Manager. However, this might be required for some client installation scenarios, such as the following: You are using the Group Policy settings or software update-based client installation methods, and you have not extended the Active Directory schema for System Center 2012 Configuration Manager.
1200

You want to override client installation properties on specific computers. Note If any installation properties are supplied on the CCMSetup.exe command line, installation properties provisioned on computers will not be used.

A Group Policy administrative template named ConfigMgrInstallation.adm is supplied on the System Center 2012 Configuration Manager installation media, which can be used to provision client computers with installation properties. Use the following procedure to configure and assign this template to computers in your organization. To configure and assign client installation properties by using a Group Policy Object 1. Import the administrative template ConfigMgrInstallation.adm into a new or existing Group Policy Object, by using an editor such as Windows Group Policy Object Editor. Note This file can be found in the folder TOOLS\ConfigMgrADMTemplates on the System Center 2012 Configuration Manager installation media. 2. Open the properties of the imported setting Configure Client Deployment Settings. 3. Click Enabled. 4. In the CCMSetup box, enter the required CCMSetup command-line properties. For a list of all CCMSetup command-line properties and examples of their use, see About Client Installation Properties in Configuration Manager. 5. Assign the Group Policy Object to the computers that you want to provision with System Center 2012 Configuration Manager client installation properties. For information about Windows Group Policy, refer to your Windows Server documentation.

See Also
Configuring Client Deployment in Configuration Manager

How to Assign Clients to a Site in Configuration Manager

After a System Center 2012 Configuration Manager client is installed, it must join a System Center 2012 Configuration Manager primary site before it can be managed. The site that a client joins is referred to as its assigned site. Clients cannot be assigned to a central administration site or to a secondary site. The assignment process occurs after the client is successfully installed and determines which site manages the client computer. When you install the mobile device client during Configuration Manager enrollment, this process always automatically assigns the mobile device to a site. When
1201

you install the client on a computer, you can also assign the client to a site or you can just install the client without assigning it to a site. However, when the client is installed but not assigned, the client is unmanaged until site assignment is successful. For more information about how to install a client on computers, see How to Install Clients on Windows-Based Computers in Configuration Manager. To assign a client computer, you can either directly assign the client to a site, or you can use automatic site assignment where the client automatically finds an appropriate site based on its current network location or a fallback site that has been configured for the hierarchy. After the client is assigned to a site, it remains assigned to that site, even if the client changes its IP address and roams to another site. Only an administrator can later manually assign the client to another site or remove the client assignment. Warning An exception to a client remaining assigned to a site is if you assign the client on a Windows Embedded device when the write filters are enabled. If you do not first disable write filters before you assign the client, the site assignment status of the client reverts to its original state when the device next restarts. For example, if the client is configured for automatic site assignment, it will reassign on startup and might be assigned to a different site. If the client is not configured for automatic site assignment but requires manual site assignment, you must manually reassign the client after startup before you can manage this client again by using Configuration Manager. To avoid this behavior, disable the write filters before you assign the client on embedded devices, and then enable the write filters after you have verified that site assignment was successful. If the client fails to assign to a site, the client software remains installed, but will be unmanaged. Note A client is considered unmanaged when it is installed but not assigned to a site, or is assigned to a site but cannot communicate with a management point. If you reassign an Intel AMT-based computer to another Configuration Manager site, you must remove the AMT provisioning information, and then provision the computer again in the new site. Until you do this, you cannot manage the computer out of band in the new site. In this scenario, the AMT Status displays Detected. For more information, see Reassigning AMT-Based Computers to Another Configuration Manager Site. Use the following sections for more information about client site assignment: Using Manual Site Assignment for Computers Using Automatic Site Assignment for Computers Completing Site Assignment by Checking Site Compatibility Locating Management Points Downloading Site Settings
1202

Verifying Site Assignment Roaming to Other Sites Whats New in Configuration Manager

Using Manual Site Assignment for Computers

You can manually assign client computers to a site by using the following two methods: Use a client installation property that specifies the site code. In Control Panel, in Configuration Manager, specify the site code. Note If you manually assign a client computer to a System Center 2012 Configuration Manager site code that does not exist, the site assignment fails. The client remains installed but unmanaged until it is assigned to a valid System Center 2012 Configuration Manager site.

Using Automatic Site Assignment for Computers

Automatic site assignment can occur during client deployment, or when you click Find Site in the Advanced tab of the Configuration Manager Properties in the Control Panel. The Configuration Manager client compares its own network location with the boundaries that are configured in the System Center 2012 Configuration Manager hierarchy. When the network location of the client falls within a boundary group that is enabled for site assignment, or the hierarchy is configured for a fallback site, the client is automatically assigned to that site. You can configure boundaries by using one or more of the following: IP subnet Active Directory site IP v6 prefix IP address range Note If a System Center 2012 Configuration Manager client has multiple network adapters (possibly a LAN network adapter and a dial-up modem), and therefore has multiple IP addresses, the IP address used to an evaluate client site assignment is nondeterministic. For information about how to configure boundary groups for site assignment and how to configure a fallback site for automatic site assignment, see the Create and Configure Boundary Groups for Configuration Manager section in the Configuring Boundaries and Boundary Groups in Configuration Manager. System Center 2012 Configuration Manager clients that use automatic site assignment attempt to find site boundary groups that are published to Active Directory Domain Services. If this method fails (for example, the Active Directory schema is not extended for System Center 2012

1203

Configuration Manager, or clients are workgroup computers), clients can find boundary group information from a management point. You can specify a management point for client computers to use when they are installed, or clients can locate a management point by using DNS publishing or WINS. If the client cannot find a site that is associated with a boundary group that contains its network location, and the hierarchy does not have a fallback site, the client retries every 10 minutes until it can be assigned to a site. System Center 2012 Configuration Manager client computers cannot be automatically assigned to a site if any of the following scenarios apply, and instead, they must be manually assigned: They are currently assigned to a site. They are on the Internet or configured as Internet-only clients. They use DNS publishing to locate management points. Their network location does not fall within one of the configured boundary groups in the Configuration Manager hierarchy, and there is no fallback site for the hierarchy.

Completing Site Assignment by Checking Site Compatibility

After a client has found its assigned site, the version and operating system of the client is checked to ensure that a System Center 2012 Configuration Manager site can manage it. For example, System Center 2012 Configuration Manager cannot manage Configuration Manager 2007 clients or clients that are running Windows 2000. Whereas site assignment fails if you assign a client that runs Windows 2000 to a System Center 2012 Configuration Manager site, when you assign a Configuration Manager 2007 client to a System Center 2012 Configuration Manager, site assignment succeeds to support automatic client upgrade. However, until the Configuration Manager 2007 client is upgraded to a System Center 2012 Configuration Manager client, Configuration Manager cannot manage this client by using client settings, applications, or software updates. Note To support the site assignment of a Configuration Manager 2007 client to a System Center 2012 Configuration Manager site, you must configure automatic client upgrade for the hierarchy. For more information, see the How to Automatically Upgrade the Configuration Manager Client procedure in the How to Install Clients on WindowsBased Computers in Configuration Manager topic. Configuration Manager also checks that you have assigned the System Center 2012 Configuration Manager client to a site that supports the Configuration Manager client version, as shown in the following table. These scenarios might occur during a migration period when you migrate from Configuration Manager 2007 to System Center 2012 Configuration Manager.

1204

Assignment scenario

Assignment outcome

You have used automatic site assignment and your System Center 2012 Configuration Manager boundaries overlap with Configuration Manager 2007 boundaries.

The client automatically tries to find a System Center 2012 Configuration Manager site. The client first checks Active Directory Domain Services and if it finds a System Center 2012 Configuration Manager site published, site assignment succeeds. If this is not successful (for example, the System Center 2012 Configuration Manager sites is not published or the computer is a workgroup client), the client then checks for site information from its assigned management point. Note You can assign a management point to the client during client installation by using the Client.msi property SMSMP=<server_name>. If both these methods fail, site assignment fails and you must manually assign the client.

You have assigned the System Center 2012 Configuration Manager client by using a specific site code rather than automatic site assignment, and mistakenly specified a site code for a Configuration Manager 2007 site.

Site assignment fails and you must manually reassign the client to a System Center 2012 Configuration Manager site.

The site compatibility check requires one of the following conditions: The client can access site information published to Active Directory Domain Services. The client can communicate with a management point in the site.

If the site compatibility check fails to finish successfully, the site assignment fails, and the client remains unmanaged until the site compatibility check finishes successfully when it is run again. The exception to performing the site compatibility check occurs when a client is configured for an Internet-based management point. In this scenario, no site compatibility check is made. If you are assigning clients to a site that contains Internet-based site systems, and you specify an Internetbased management point, ensure that you are assigning the client to the correct site. If you mistakenly assign the client to a Configuration Manager 2007 site or to a System Center 2012 Configuration Manager site that does not have Internet-based site system roles, the client will be unmanaged.

1205

Locating Management Points

After a client is successfully assigned to a site, it locates a management point in the site. Client computers download a list of management points in the site that they can connect to. This process happens whenever the client restarts, every 25 hours, and if the client detects a network change, such as the computer disconnects and reconnects on the network or it receives a new IP address. The list includes management points on the intranet and whether they accept client connections over HTTP or HTTPS. When the client computer is on the Internet and the client doesnt yet have a list of management points, it connects to the specif ied Internet-based management point to obtain a list of management points. When the client has a list of management points for its assigned site, it then selects one to connect to: When the client is on the intranet and it has a valid PKI certificate that it can use, the client chooses HTTPS management points before HTTP management points. It then locates the closest management point, based on its forest membership. When the client is on the Internet, it non-deterministically chooses one of the Internet-based management points.

Mobile device clients that are enrolled by Configuration Manager only connect to one management point in their assigned site and never connect to management points in secondary sites. These clients always connect over HTTPS and the management point must be configured to accept client connections over the Internet. When there is more than one management point for mobile device clients in the primary site, Configuration Manager non-deterministically chooses one of these management points during assignment and the mobile device client continues to use the same management point. When the client has downloaded client policy from a management point in the site, the client is then a managed client.

Downloading Site Settings

After site assignment succeeds, and the client has found a management point, a client computer that uses Active Directory Domain Services for its site compatibility check downloads clientrelated site settings for its assigned site. These settings include the client certificate selection criteria, whether to use a certificate revocation list, and the client request port numbers. The client continues to check these settings on a periodic basis. When client computers cannot obtain site settings from Active Directory Domain Services, they download them from their management point. Client computers can also obtain the site settings when they are installed by using client push, or you specify them manually by using CCMSetup.exe and client installation properties. For more information about the client installation properties, see About Client Installation Properties in Configuration Manager.

Downloading Client Settings

All clients download the default client settings policy and any applicable custom client settings policy. Software Center relies on these client configuration policies for Windows computers and
1206

will notify users that Software Center cannot run successfully until this configuration information is downloaded. Depending on the client settings that are configured, the initial download of client settings might take a while, and some client management tasks might not run until this process is complete.

Verifying Site Assignment

You can verify that site assignment is successful by using any of the following methods: For clients on Windows computers, use Configuration Manager in the Control Panel and verify that the site code is correctly displayed on the Site tab. For client computers, in the Assets and Compliance workspace, use the Devices node to verify that the computer displays Yes for the Client column and the correct primary site code for the Site Code column. For mobile device clients, in the Assets and Compliance workspace, use the All Mobile Devices collection to verify that the mobile device displays Yes for the Client column and the correct primary site code for the Site Code column. Use the reports for client assignment and mobile device enrollment. For client computers, use the LocationServices.log file on the client.

Roaming to Other Sites

When client computers on the intranet are assigned to a primary site but change their network location so that it falls within a boundary group that is configured for another site, they have roamed to another site. When this site is a secondary site for their assigned site, clients can use a management point in the secondary to download client policy and upload client data, which avoids sending this data over a potentially slow network. However, if these clients roam into the boundaries for another primary site or a secondary that is not a child site of their assigned site, these clients always use a management point in their assigned site to download client policy and to upload data to their site. These client computers that roam to other sites (all primary sites and all secondary sites) can always use management points in other sites for content location requests. Management points in the current site can give clients a list of distribution points that have the content that clients request. For client computers that are configured for Internet-only client management, and for Mac computers and mobile devices that are enrolled by Configuration Manager, these clients only communicate with management points in their assigned site. These clients never communicate with management points in secondary sites or with management points in other primary sites.

Whats New in Configuration Manager

The following have changed for site assignment since Configuration Manager 2007:

1207

For automatic site assignment to succeed with boundary information, the boundary must be configured in a boundary group that is configured for site assignment. In Configuration Manager 2007, automatic site assignment would fail if the client was not in a specified boundary. New in System Center 2012 Configuration Manager, if you specify a fallback site (an optional setting for the hierarchy) and the clients network location is not in a boundary group, automatic site assignment succeeds, and the client is assigned to the specified fallback site. Clients can now download site settings from the management point after they have assigned to the site if they cannot locate these settings from Active Directory Domain Services. Although clients continue to download policy and upload client data to management points in their assigned site or in a secondary site that is a child site of their assigned site, all clients that are configured for intranet client management can now use any management point in the hierarchy for content location requests. There is no longer a requirement to extend the Active Directory schema to support this capability, and there is no longer a concept of regional and global roaming.

See Also
Configuring Client Deployment in Configuration Manager

How to Install Clients on Mac Computers in Configuration Manager

Note The information in this topic applies only to System Center 2012 Configuration Manager SP1. Client installation and management for Mac computers in System Center 2012 Configuration Manager requires public key infrastructure (PKI) certificates. Configuration Manager can request and install a user client certificate by using Microsoft Certificate Services with an enterprise certification authority (CA) and the Configuration Manager enrollment point and enrollment proxy point site system roles. Or, you can request and install a computer certificate independently from Configuration Manager if the certificate meets the requirements for Configuration Manager. PKI certificates secure the communication between the Mac computers and the Configuration Manager site by using mutual authentication and encrypted data transfers. Important Configuration Manager Mac clients always perform certificate revocation checking; unlike Configuration Manager clients that run on Windows, you cannot disable this certificate revocation list (CRL) checking function. If Mac clients cannot confirm the certificate revocation status for a server certificate because they cannot locate the CRL, they will not be able to successfully connect to
1208

Configuration Manager site systems, such as management points and distribution points. Especially for Mac clients in a different forest to the issuing certification authority, check your CRL design to ensure that Mac clients can locate and connect to a CRL distribution point (CDP) for connecting site system servers. Before you install the Configuration Manager client on a Mac computer, decide how to install the client certificate: Use Configuration Manager enrollment by using the CMEnroll tool and follow the steps in the next section of this topic. The enrollment process does not support automatic certificate renewal so you must re-enroll Mac computers before the installed certificate expires. Use a certificate request and installation method that is independent from Configuration Manager. For this installation method, see the Use a Certificate Request and Installation Method that is Independent from Configuration Manager section in this topic. Note For more information about the Mac client certificate requirement and other PKI certificates that are required to support Mac computers, see PKI Certificate Requirements for Configuration Manager. Mac clients are automatically assigned to the Configuration Manager site that manages them. Mac clients install as Internet-only clients, which means that they will communicate with the site system roles (management points and distribution points) in their assigned site when you configure these site system roles to allow client connections from the Internet. They do not communicate with site system roles outside their assigned site. Use the following steps and the supplemental procedures to install, configure, and manage Mac computers for Configuration Manager. The steps cover the following: Deploy PKI certificates for the site system servers (web server certificate and client authentication certificate). Prepare the certificate template for the Mac computer. Configure the site system servers to support Mac computers. Configure the enrollment site system roles. Configure client settings for enrollment. Download the client source files for Mac clients. Install the client and enroll the client certificate on the Mac computer.

Steps to Install and Configure the Client for Mac Computers

Use the following table for the steps, details, and more information about how to install and configure the client for Mac computers. Important

1209

Before you perform these steps, make sure that your Mac computer meets the prerequisites listed in the Client Requirements for Mac Computers section in the Supported Configurations for Configuration Manager topic.
Steps Details More information

Step 1: Deploy a web server certificate to site system servers.

These site systems might already have this certificate for other Configuration Manager clients. If not, deploy a web server certificate to the following computers that hold the following site system roles: Management point Distribution point Enrollment point Enrollment proxy point Important The web server certificate must contain the Internet FQDN that is specified in the site system properties.

For an example deployment that creates and installs this web server certificate, see the Deploying the Web Server Certificate for Site Systems that Run IIS section in the Step-byStep Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority topic. Important Make sure that you specify the Internet FQDN in the web server certificate for the management point, the distribution point, and the enrollment proxy point. For an example deployment that creates and installs the client certificate for management points, see the Deploying the Client Certificate for Computers section in the Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority topic. For an example deployment that creates and installs the client certificate for distribution points, see the Deploying the
1210

Step 2: Deploy a client authentication certificate to site system servers.

These site systems might already have this certificate for Configuration Manager functionality. If not, deploy a client authentication certificate to the following computers that hold the following site system roles: Management point Distribution point

Steps

Details

More information

Client Certificate for Distribution Points section in the Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority topic. Step 3: Prepare the client certificate template for Mac computers. Note To run the Configuration Manager enrollment tool, you must have an Active Directory user account. Step 4: Configure the management point and distribution point. The certificate template must have Read and Enroll permissions for the user account that will enroll the certificate on the Mac computer. See the Deploying the Client Certificate for Mac Computers section in the Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority topic.

Configure management points for the following options: HTTPS Allow client connections from the Internet Allow mobile devices and Mac computers to use this management point

See the following procedure in this topic: Step 4: Configuring Management Points and Distribution Points to support Mac Computers.

Although distribution points are not required to install the client on Mac computers, you must configure distribution points to allow client connections from the Internet if you want to deploy software to these Mac computers after the Configuration Manager client is installed. Step 5: Configure the enrollment proxy point and the enrollment point. You must install both these site system roles in the same site but you do not have to For more information about site system role placement and considerations, see the
1211

Steps

Details

More information

install them on the same site system server, or in the same Active Directory forest.

Planning Where to Install Sites System Roles in the Hierarchy section in the Planning for Site Systems in Configuration Manager topic. To configure the enrollment proxy point and the enrollment point, see the following procedure in this topic: Step 5: Installing and Configuring the Enrollment Site Systems.

Step 6: Optional: Install the reporting services point

Install the reporting services point if you want to run reports for Mac computers.

For more information about how to install and configure the reporting services point, see Configuring Reporting in Configuration Manager. For more information about client settings, see About Client Settings in Configuration Manager. For information about how to configure these client settings, see the following procedure in this topic: Step 7: Configuring the Client Settings for Enrollment. See the following procedure in this topic: Step 8: Download and Install the Mac Client Files. See the following procedure in this topic: Step 9: Installing the Client and Enrolling the Certificate by using the CMEnroll Tool on the Mac computer.

Step 7: Configure client settings for enrollment.

You must use the default client settings to configure enrollment for Mac computers; you cannot use custom client settings.

Step 8: Download the client source files for Mac clients.

Download the installation files and then install them on the Mac computer. When you use Configuration Manager enrollment, you must first install the client by using the Ccmsetup application, and then enroll the client certificate by using the CMEnroll tool.

Step 9: Install the client and then enroll the client certificate on the Mac computer.

1212

Supplemental Procedures to Install and Configure the Client for Mac Computers
Use the following information when the steps in the preceding table require supplemental procedures.

Step 4: Configuring Management Points and Distribution Points to support Mac Computers
This procedure configures existing management points and distribution points to support Mac computers. Before you start this procedure, make sure that the site system server that runs the management point and distribution point is configured with an Internet FQDN. In addition, these site system roles must be in a primary site. To configure management points and distribution points to support Mac computers 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, select Servers and Site System Roles, and then select the server that holds the site system roles to configure. 3. In the details pane, right-click Management point, click Role Properties, and in the Management Point Properties dialog box, configure the following options, and then click OK: a. Select HTTPS. b. Select Allow Internet-only client connections or Allow intranet and Internet client connections. These options require that an Internet FQDN is specified in the site system properties. c. Select Allow mobile devices and Mac computers to use this management point. 4. In the details pane, right-click Distribution point, click Role Properties, and in the Distribution Point Properties dialog box, configure the following options, and then click OK: Select HTTPS. Select Allow Internet-only client connections or Allow intranet and Internet client connections. These options require that an Internet FQDN is specified in the site system properties. Click Import certificate, browse to the exported client distribution point certificate file, and then specify the password.

5. Repeat steps 2 through 4 in this procedure for all management points and distribution points in primary sites that you will use with Mac computers.

1213

Step 5: Installing and Configuring the Enrollment Site Systems

These procedures configure the site system roles to support Mac computers. Choose one of these procedures, depending on whether you will install a new site system server to support Mac computers or use an existing site system server: To install and configure the enrollment site systems: New site system server To install and configure the enrollment site systems: Existing site system server To install and configure the enrollment site systems: New site system server 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, and click Servers and Site System Roles 3. On the Home tab, in the Create group, click Create Site System Server. 4. On the General page, specify the general settings for the site system, and then click Next. Important Make sure that you specify the Internet FQDN, even if it is the same value as the intranet FQDN. Mac computers always connect to the Internet FQDN, even when they are on the intranet. 5. On the System Role Selection page, select Enrollment proxy point and Enrollment point from the list of available roles, and then click Next. 6. On the Enrollment Proxy Point page, review the settings and make any changes that you require, and then click Next. 7. On the Enrollment Point Settings page, review the settings and make any changes that you require, and then click Next. 8. Complete the wizard. To install and configure the enrollment site systems: Existing site system server 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, select Servers and Site System Roles, and then select the server that you want to use to support Mac computers. 3. On the Home tab, in the Create group, click Add Site System Roles. 4. On the General page, specify the general settings for the site system, and then click Next. Important Make sure that you specify the Internet FQDN, even if it is the same value as the intranet FQDN. Mac computers always connect to the Internet FQDN, even when they are on the intranet. 5. On the System Role Selection page, select Enrollment proxy point and Enrollment
1214

point from the list of available roles, and then click Next. 6. On the Enrollment Proxy Point page, review the settings and make any changes that you require, and then click Next. 7. On the Enrollment Point Settings page, review the settings and make any changes that you require, and then click Next. 8. Complete the wizard.

Step 7: Configuring the Client Settings for Enrollment

This step is required for Configuration Manager to request and install the certificate on the Mac computer. To configure the default client settings for Configuration Manager to enroll certificates for Mac computers 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, click Client Settings. 3. Click Default Client Settings. Important You cannot use a custom client setting for the enrollment configuration; you must use the default client settings. 4. On the Home tab, in the Properties group, click Properties. 5. Select the Enrollment section, and then configure the following user settings: a. Allow users to enroll mobile devices and Mac computers: Yes b. Enrollment profile: Click Set Profile. 6. In the Mobile Device Enrollment Profile dialog box, click Create. 7. In the Create Enrollment Profile dialog box, enter a name for this enrollment profile, and then configure the Management site code. Select the Configuration Manager SP1 primary site that contains the management points that will manage the Mac computers. Note If you cannot select the site, check that at least one management point in the site is configured to support mobile devices. 8. Click Add. 9. In the Add Certification Authority for Mobile Devices dialog box, select the certification authority (CA) server that will issue certificates to Mac computers, and then click OK. 10. In the Create Enrollment Profile dialog box, select the Mac computer certificate template that you created in Step 3, and then click OK. 11. Click OK to close the Enrollment Profile dialog box, and then click OK to close the Default Client Settings dialog box. Tip
1215

If you want to change the client policy interval, use the Client policy polling interval client setting in the Client Policy client setting group. All users will be configured with these settings when they next download client policy. To initiate policy retrieval for a single client, see the Initiate Policy Retrieval for a Configuration Manager Client section in the How to Manage Clients in Configuration Manager topic. In addition to the enrollment client settings, ensure that you have configured the following Configuration Manager client device settings: Hardware inventory: Enable and configure this client setting if you want to collect hardware inventory from Mac and Windows client computers. For more information, see How to Configure Hardware Inventory in Configuration Manager. Compliance settings: Enable and configure this client setting if you want to evaluate and remediate settings on Mac and Windows client computers. For more information, see Configuring Compliance Settings in Configuration Manager. Note For more information about Configuration Manager client settings, see How to Configure Client Settings in Configuration Manager.

Step 8: Download and Install the Mac Client Files

You must download and install the following programs before you can install and manage the Configuration Manager client on Mac computers: Ccmsetup: Use this application to install the Configuration Manager client on Mac computers in your organization. CMDiagnostics: Use this tool to collect diagnostic information related to the Configuration Manager client on Mac computers in your organization. CMUninstall: Use this tool to uninstall the Configuration Manager client from Mac computers in your organization. CMAppUtil: Use this tool to convert Apple application packages into a format that can be deployed as a Configuration Manager application. CMEnroll: Use this tool to request and install the client certificate for a Mac computer so that you can then install the Configuration Manager client.

These programs are contained in a Windows Installer file named ConfigmgrMacClient.msi. This file is not supplied on the Configuration Manager installation media. You can download this file from the Microsoft Download Center. To download and install the Mac OS X client files 1. Download the Mac OS X client file package, ConfigmgrMacClient.msi from the Microsoft Download Center and save this file to a computer that runs Windows. 2. On the Windows computer, run the ConfigmgrMacClient.msi file that you just downloaded to extract the Mac client package, Macclient.dmg to a folder on the local disk (by default C:\Program Files (x86)\Microsoft\System Center 2012 Configuration
1216

Manager Mac Client\). 3. Copy the Macclient.dmg file to a folder on the Mac computer. 4. On the Mac computer, run the Macclient.dmg file that you just downloaded to extract the files to a folder on the local disk. 5. In the folder, ensure that the files Ccmsetup and CMClient.pkg are extracted and that a folder named Tools is created that contains the CMDiagnostics, CMUninstall, CMAppUtil and CMEnroll tools.

Step 9: Installing the Client and Enrolling the Certificate by using the CMEnroll Tool on the Mac computer
This procedure installs the client and then uses the CMEnroll tool to request and install the client certificate for a Mac computer so that you can then manage this computer by using Configuration Manager. To install the client and enroll the certificate by using the CMEnroll tool 1. On the Mac computer, navigate to the folder where you extracted the contents of the Macclient.dmg file that you downloaded from the Microsoft Download Center. 2. Enter the following command-line: sudo ./ccmsetup 3. Wait until you see the Completed installation message. Although the installer displays a message that you must restart now, do not restart now but continue to the next step. 4. From the Tools folder on the Mac computer, type the following: sudo ./CMEnroll -s <enrollment_proxy_server_name> -ignorecertchainvalidation -u <'user name'> [-p <password>] If you do not specify the optional -p <password>, you are then prompted to type the password. The user name can be in the following formats: 'domain\name. For example: 'contoso\mnorth' 'user@domain'. For example: '[email protected]'

The user name and corresponding password must match an Active Directory user account that is granted Read and Enroll permissions on the Mac client certificate template. Example: If the enrollment proxy point server is named server02.contoso.com, and a user name of contoso\mnorth with a password of Passw0rd! has been granted permissions for the Mac client certificate template, type the following: sudo ./CMEnroll -s server02.contoso.com ignorecertchainvalidation -u 'contoso\mnorth' -p Passw0rd! Note For a more seamless user experience, you can script the installation steps and commands so that users only have to supply their user name and password.
1217

5. Wait until you see the Successfully enrolled message. 6. Restart the Mac computer. Verify that the client installation is successful by opening the Configuration Manager item in System Preferences on the Mac computer. You can also update and view the All Systems collection to confirm that the Mac computer now appears in this collection as a managed client. Tip To help troubleshoot any problems with the Mac client, you can use the CMDiagnostics program that is included with the Mac OS X client package to collect the following diagnostic information: A list of running processes The Mac OS X operating system version Mac OS X crash reports relating to the Configuration Manager client including CCM*.crash and System Preference.crash. The Bill of Materials (BOM) file and property list (.plist) file created by the Configuration Manager client installation. The contents of the folder /Library/Application Support/Microsoft/CCM/Logs. The information collected by CmDiagnostics is added to a zip file that is saved to the desktop of the computer and is named cmdiag-<hostname>-<date and time>.zip.

Uninstalling the Mac Client

If you want to uninstall the Mac client, use the CMUninstall script that is provided with the Mac client files you downloaded from the web. Use the following procedure to help you uninstall the Configuration Manager client from Mac computers. To uninstall the Mac client 1. On a Mac computer, open a terminal window and navigate to the folder where you extracted the contents of the macclient.dmg file that you downloaded from the Microsoft Download Center. 2. Navigate to the Tools folder and enter the following command-line: ./CMUninstall -c Note The c property instructs the client uninstall to also remove and client crash logs and log files. This is optional, but a best practice to help avoid confusion if you later reinstall the client.

1218

Renewing the Mac Client Certificate

A typical validity period for the Mac client certificate is 1 year. Configuration Manager does not automatically renew the user certificate that it requests during enrollment, so you must use the following procedure to renew the certificate. This procedure removes the SMSID, which is required to request a new certificate for the same Mac computer. After the new certificate is requested, it is automatically used by Configuration Manager. Important When you remove and replace the client SMSID, any stored client history such as inventory is deleted after you delete the client from the Configuration Manager console. To renew the Mac client certificate 1. Create a device collection for the Mac computers that must renew the user certificates, and then add the Mac computers to the collection. Warning Configuration Manager does not monitor the validity period of the certificate that it enrolls for Mac computers. You must monitor this independently from Configuration Manager to identify the Mac computers to add to this collection. 2. In the Assets and Compliance workspace, start the Create Configuration Item Wizard. 3. On the General page of the wizard, specify the following information: Name: Remove SMSID for Mac Type: Mac OS X

4. On the Supported Platforms page of the wizard, ensure that all Mac OS X versions are selected. 5. On the Settings page of the wizard, click New and then, in the Create Setting dialog box, specify the following information: Name: Remove SMSID for Mac Setting type: Script Data type: String

6. In the Create Setting dialog box, for Discovery script, click Add script to specify a script that discovers Mac computers with an SMSID configured. 7. In the Edit Discovery Script dialog box, enter the following Shell Script: defaults read com.microsoft.ccmclient SMSID 8. Click OK to close the Edit Discovery Script dialog box. 9. In the Create Setting dialog box, for Remediation script (optional), click Add script to specify a script that removes the SMSID when it is found on Mac computers. 10. In the Create Remediation Script dialog box, enter the following Shell Script: defaults delete com.microsoft.ccmclient SMSID
1219

11. Click OK to close the Create Remediation Script dialog box. 12. On the Compliance Rules page of the wizard, click New, and then in the Create Rule dialog box, specify the following information: Name: Remove SMSID for Mac Selected setting: Click Browse and then select the discovery script that you specified previously. In the following values field, enter The domain/default pair of (com.microsoft.ccmclient, SMSID) does not exist. Enable the option Run the specified remediation script when this setting is noncompliant.

13. Complete the Create Configuration Item Wizard. 14. Create a configuration baseline that contains the configuration item that you have just created and deploy this to the device collection that you created in step 1. For more information about how to create and deploy configuration baselines, see How to Create Configuration Baselines for Compliance Settings in Configuration Manager and How to Deploy Configuration Baselines in Configuration Manager. 15. On Mac computers that have the SMSID removed, run the following command to install a new certificate: sudo ./CMEnroll -s <enrollment_proxy_server_name> ignorecertchainvalidation -u <'user name'> [-p <password>] 16. Restart the Mac computer.

Use a Certificate Request and Installation Method that is Independent from Configuration Manager
When you do not use Configuration Manager enrollment but instead, request and install the client certificate independently from Configuration Manager, the configuration steps are slightly different: 1. Perform steps 1, 2, 4, 6 (optional), and 8. 2. Do not perform steps 3, 5, 7, and 9. 3. Install the client by using the following instructions. To install the client certificate independently from Configuration Manager and install the client 1. To install the client certificate independently from Configuration Manager, use the instructions that accompany your chosen certificate deployment method to request and install the client certificate on the Mac computer. 2. To make sure that this certificate is accessible to Configuration Manager, on the Mac computer, open a terminal window and make the following changes: a. Enter the command sudo /Applications/Utilities/Keychain\
1220

Access.app/Contents/MacOS/Keychain\ Access b. In the Keychain Access dialog box, in the Keychains section, click System, and then, in the Category section, click Keys. c. Expand the keys to view the client certificates. When you have identified the certificate with a private key that you have just installed, double-click the key.

d. On the Access Control tab, select Allow all applications to access this item. e. Click Save Changes and close the Keychain Access dialog box. 3. Navigate to the folder where you extracted the contents of the macclient.dmg file that you downloaded from the Microsoft Download Center. 4. Enter the following command-line: sudo ./ccmsetup MP <management point Internet FQDN> -SubjectName <certificate subject value> Important The certificate subject value is case-sensitive, so type it exactly as it appears in the certificate details. Example: If the Internet FQDN in the site system properties is server03.contoso.com and the Mac client certificate has the FQDN of mac12.contoso.com as a common name in the certificate subject, type: sudo ./ccmsetup MP server03.contoso.com SubjectName mac12.contoso.com 5. Wait until you see the Completed installation message and then restart the Mac computer.

Verify that the client installation is successful by opening the Configuration Manager item in System Preferences on the Mac computer. You can also update and view the All Systems collection to confirm that the Mac computer now appears in this collection as a managed client.

Renewing the Mac Client Certificate

Use the following procedure before you renew the computer certificate on Mac computers. This procedure removes the SMSID, which is required for the client to use a new or renewed certificate on the Mac computer. Because Configuration Manager does not support a certificate selection criteria for Mac computers, either request the new certificate with a different Subject value, or use the same Subject value but delete the original certificate from the keychain store. Important When you remove and replace the client SMSID, any stored client history such as inventory is deleted after you delete the client from the Configuration Manager console. To renew the Mac client certificate 1. Create a device collection for the Mac computers that must renew the computer certificates, and then add the Mac computers to the collection. 2. In the Assets and Compliance workspace, start the Create Configuration Item
1221

Wizard. 3. On the General page of the wizard, specify the following information: Name: Remove SMSID for Mac Type: Mac OS X

4. On the Supported Platforms page of the wizard, ensure that all Mac OS X versions are selected. 5. On the Settings page of the wizard, click New and then, in the Create Setting dialog box, specify the following information: Name: Remove SMSID for Mac Setting type: Script Data type: String

6. In the Create Setting dialog box, for Discovery script, click Add script to specify a script that discovers Mac computers with an SMSID configured. 7. In the Edit Discovery Script dialog box, enter the following Shell Script: defaults read com.microsoft.ccmclient SMSID 8. Click OK to close the Edit Discovery Script dialog box. 9. In the Create Setting dialog box, for Remediation script (optional), click Add script to specify a script that removes the SMSID when it is found on Mac computers. 10. In the Create Remediation Script dialog box, enter the following Shell Script: defaults delete com.microsoft.ccmclient SMSID 11. Click OK to close the Create Remediation Script dialog box. 12. On the Compliance Rules page of the wizard, click New, and then in the Create Rule dialog box, specify the following information: Name: Remove SMSID for Mac Selected setting: Click Browse and then select the discovery script that you specified previously. In the following values field, enter The domain/default pair of (com.microsoft.ccmclient, SMSID) does not exist. Enable the option Run the specified remediation script when this setting is noncompliant.

13. Complete the Create Configuration Item Wizard. 14. Create a configuration baseline that contains the configuration item that you have just created and deploy this to the device collection that you created in step 1. For more information about how to create and deploy configuration baselines, see How to Create Configuration Baselines for Compliance Settings in Configuration Manager and How to Deploy Configuration Baselines in Configuration Manager. 15. After you have installed a new certificate on Mac computers that have the SMSID removed, run the following command to configure the client to use the new certificate: sudo defaults write com.microsoft.ccmclient SubjectName string <Subject_Name_of_New_Certificate>
1222

16. Restart the Mac computer.

See Also
Configuring Client Deployment in Configuration Manager

How to Install Clients on Linux and UNIX Computers in Configuration Manager

Note The information in this topic applies only to System Center 2012 Configuration Manager SP1. Before you can manage a Linux or UNIX server with Configuration Manager, you must install the Configuration Manager client for Linux and UNIX on each Linux or UNIX computer. You can accomplish this manually or by use of a shell script that installs the client remotely. Configuration Manager does not support the use of client push installation for Linux or UNIX servers. Optionally you can configure a Runbook for System Center 2012 Orchestrator to automate the install of the client on the Linux or UNIX server. The install script for the Configuration Manager client for Linux and UNIX supports command line properties. Some command line properties are required, while others are optional. For example, when you install the client, you must specify a management point from the site that is used by the Linux or UNIX server for its initial contact with the site. For the complete list of command line properties, see Command Line Properties for Installing the Client on Linux and UNIX Servers. After you install the client, you specify Client Settings in the Configuration Manager console to configure the client agent in the same way you would windows-based clients. For more information, see the Client Settings for Linux and UNIX Servers section in the Operations for Linux and UNIX Servers for Configuration Manager topic.

Install the Client on Linux and UNIX Servers

To install the client for Linux and UNIX, you run a script on each Linux or UNIX computer. The script is named install and supports command line properties that modify the installation behavior and reference the client installation package. The install script and client installation package must be located on the client. The client installation package contains the Configuration Manager client files for a specific Linux or UNIX operating system: The client installation package contains all the necessary files to complete the client installation and unlike Windows-based computers, does not download additional files from a management point or other source location.

1223

After you install the Configuration Manager client for Linux and UNIX, you do not need to reboot the computer. As soon as the software installation is complete, the client is operational. If you reboot the computer, the Configuration Manager client restarts automatically. Following is the command format: ./install -mp <computer> -sitecode <sitecode> <property #1> <property #2> <client installation package>
Command line Actions

./install mp smsmp.contoso.com sitecode S01 ccm-RHEL5x86.tar

install is the name of the script file that installs the client for Linux and UNIX. This file is provided with the client software. -mp smsmp.contoso.com specifies the initial management point that is used by the client. -sitecode S01 specifies the client is assigned to the site with the site code of S01. ccm-RHEL5x86.tar is the name of the client installation .tar package for this computer operating system, version, and CPU architecture.

You can insert additional command line properties before the command line property that specifies the client installation .tar file. The client installation .tar file must be specified last. For a list of command line options, see Command Line Properties for Installing the Client on Linux and UNIX Servers. Use the following procedure as an example of how to install the client for Linux and UNIX. Note The following example procedure installs the client for Linux and UNIX on a Red Hat Enterprise Linux 5 (RHEL5) x86 computer. To adjust this procedure for the operating systems that you use, replace the client installation file ( ccm-RHEL5x86.tar) with the appropriate file each operating system. Also plan to use additional command line properties to meet your requirements. To install the Configuration Manager Client on Linux and UNIX servers 1. Copy the install script and the client installation .tar file to a folder on the RHEL 5 x86 based computer. 2. On the RHEL5 computer, use root credentials to run the following command to enable the script to run as a program: chmod +x install 3. Next, with root credentials, run the following command to install the Configuration Manager client: ./install mp <hostname> -sitecode <code> ccmRHEL5x86.tar
1224

When you enter this command, use additional command-line properties you require. 4. After the script runs, validate the install by reviewing the /var/opt/microsoft/scxcm.log file. Additionally, you can confirm that the client is installed and communicating with the site by viewing details for the client in the Devices node of the Assets and Compliance workspace in the Configuration Manager console.

Command Line Properties for Installing the Client on Linux and UNIX Servers
When you install the client for Linux and UNIX on a Linux or UNIX computer, you run the install script with command-line properties that specify the following: The clients assigned site. The management point with which the client initially communicates The client installation .tar file for the computers operating system Additional configurations you require

The properties described in the following table are available to modify the installation behavior. Note Use the property -h to display this list of supported properties.
Property Required or optional More information

-mp <server FQDN>

Required

Specifies by FQDN, the management point server that the client will use as an initial point of contact. Important This property does not specify the management point to which the client will become assigned after installation. Note When you use the -mp property to specify a management point that is configured to accept only HTTPS client connections, you must also use the UsePKICert property.
1225

Property

Required or optional

More information

Specify the management point by FQDN. -sitecode <sitecode> Required Specifies the Configuration Manager primary site to assign the Configuration Manager client to. Example: -sitecode S01 -dir <directory> Optional Specifies an alternate location to install the Configuration Manager client files. By default, the client installs to the following location: /opt/microsoft. -nostart Optional Prevents the automatic start of the Configuration Manager client service, ccmexec.bin, after the client installation completes. After the client installs, you must start the client service manually. By default, the client service starts after the client installation completes, and each time the computer restarts. -clean Optional Specifies the removal of all client files and data from a previously installed client for Linux and UNIX, before the new installation starts. This removes the clients database and certificate store. Specifies that the local client database is retained, and reused when you reinstall a client. By default, when you reinstall a client this database is deleted. Specifies the full path and file name to a X.509 PKI certificate in the Public Key Certificate Standard (PKCS#12) format.
1226

-keepdb

Optional

-UsePKICert <parameter>

Optional

Property

Required or optional

More information

This certificate is used for client authentication. When you use -UsePKICert, you must also supply the password associated with the PKCS#12 file by use of the certpw command line parameter. If the certificate is not valid, or cannot be found, the client falls back to use HTTP and a selfsigned certificate. If you do not use this property to specify a PKI certificate, the client uses a self-signed certificate and all communications to site systems are over HTTP. Note You must specify this property when you install a client and use the -mp property to specify a management point that is configured to accept only HTTPS client connections. Example: -UsePKICert <Full path and filename> -certpw <password> -certpw <parameter> Optional Specifies the password associated with the PKCS#12 file that you specified by use of the -UsePKICert property. Example: -UsePKICert <Full path and filename> -certpw <password> -NoCRLCheck Optional Specifies that a client should not check the certificate revocation
1227

Property

Required or optional

More information

list (CRL) when it communicates over HTTPS by use of a PKI certificate. When this option is not specified, the client checks the CRL before establishing an HTTPS connection by use of PKI certificates. For more information about client CRL checking, see Planning for PKI Certificate Revocation. Example: -UsePKICert <Full path and filename> -certpw <password> -NoCRLCheck -rootkeypath <file location> Optional Specifies the full path and file name to the Configuration Manager trusted root key. This property applies to clients that use HTTP and HTTPS client communication. For more information, see Planning for the Trusted Root Key. Example: -rootkeypath <Full path and filename> -httpport Optional Specifies the port that is configured on management points that the client uses when communicating to management points over HTTP. If the port is not specified, the default value of 80 is used. Example: -httpport 80 -httpsport Optional Specifies the port that is configured on management points that the client uses when communicating to management points over HTTPS. If the port is not specified, the default value of 443 is used. Example: -UsePKICert <Full
1228

Property

Required or optional

More information

path and certificate name> httpsport 443 -ignoreSHA256validation Optional Specifies that client installation skips SHA-256 validation. Use this option when installing the client on operating systems that did not release with a version of OpenSSL that supports SHA256. For more information, see the About Linux and UNIX Operating Systems That do not Support SHA-256 section in the Planning for Client Deployment for Linux and UNIX Servers topic. Specifies the full path and .cer file name of the exported selfsigned certificate on the site server. This certificate is stored in the SMS certificate store and has the Subject name Site Server and the friendly name Site Server Signing Certificate. This certificate is used by the client for all HTTP and HTTPS communications with management points and distribution points. Example: -signcertpath=<Full path and file name> -rootcerts Optional If multiple root certificates exist in the Configuration Manager environment, you can specify additional root certificates that the client might need to validate site system servers. Example: -rootcerts=<Full path and file name>,<Full path and
1229

-signcertpath <file location>

Optional

Property

Required or optional

More information

file name>

Uninstalling the Client from Linux and UNIX Servers

To uninstall the Configuration Manager client for Linux and UNIX you use the uninstall utility, uninstall. By default, this file is located in the /opt/microsoft/configmgr/bin/ folder on the client computer. This file does not support any command line parameters and will remove all files related to the client software from the server. To uninstall the client, use the following command line: /opt/microsoft/configmgr/bin/uninstall You do not have to reboot the computer after you uninstall the Configuration Manager client for Linux and UNIX.

Configure Request Ports for the Client for Linux and UNIX
Similar to Windows-based clients, the Configuration Manager client for Linux and UNIX uses HTTP and HTTPS to communicate with Configuration Manager site systems. The ports that the Configuration Manager client uses to communicate are referred to as a request ports. When you install the Configuration Manager client for Linux and UNIX, you can change the clients default request ports by specifying the -httpport and -httpsport installation properties. When you do not specify the installation property and a custom value, the client uses the default values. The default values are 80 for HTTP traffic and 443 for HTTPS traffic. After you install the client, you cannot change its request port configuration. Instead, to change the port configuration you must reinstall the client and specify the new port configuration. When you reinstall the client to change the request port numbers, run the install command similar to the new client install, but use the additional command line property of -keepdb. This switch instructs the installation to retain the client database and files including the clients GUID and certificate store. For more information about client communication port numbers, see How to Configure Client Communication Port Numbers in Configuration Manager.

Configure the Client for Linux and UNIX to Locate Management Points
When you install the Configuration Manager client for Linux and UNIX, you must specify a management point to use as an initial point of contact. The Configuration Manager client for Linux and UNIX contacts this management point at the time the client installs. If the client fails to contact the management point, the client software continues to retry until successful.
1230

For more information about how clients locate management points, see the section Locating Management Points section in the How to Assign Clients to a Site in Configuration Manager topic.

How to Install Clients on Mobile Devices and Enroll Them by Using Configuration Manager
When you enroll mobile devices by using System Center 2012 Configuration Manager, this action installs the System Center 2012 Configuration Manager client to provide management capabilities that include hardware inventory, software deployment for required applications, settings, and remote wipe. Mobile device clients are automatically assigned to the Configuration Manager site that enrolls them. These mobile device clients install as Internet-only clients, which means that they will communicate with the site system roles (management points and distribution points) in their assigned site when you configure these site system roles to allow client connections from the Internet. They do not communicate with site system roles outside their assigned site. To enroll these mobile devices, you must use Microsoft Certificate Services with an enterprise certification authority (CA) and the Configuration Manager enrollment point and enrollment proxy point site system roles. During and after enrollment, public key infrastructure (PKI) certificates secure the communication between the mobile device and the Configuration Manager site. When the certificate on the mobile device is due for renewal, users are automatically prompted to renew their certificate. When they confirm the prompt, Configuration Manager automatically re-enrolls their mobile device. Note If you no longer want a mobile device to be enrolled for System Center 2012 Configuration Manager, you must wipe the mobile device. You can also block the client from communicating with the Configuration Manager hierarchy. If you remove the enrollment site system roles, any mobile devices that were enrolled continue to be managed by Configuration Manager, unless they are wiped. Use the following steps and the supplemental procedures to install the client and enroll mobile devices in Configuration Manager. After you complete these steps, you can monitor the mobile devices that are enrolled by viewing the collections that display mobile devices, and by using the reports for mobile devices. To manage the settings for these mobile devices, create mobile device configuration items and deploy them in a configuration baseline. For more information, see How to Create Mobile Device Configuration Items for Compliance Settings in Configuration Manager.

1231

Steps to Install the Client and Enroll Mobile Devices

Use the following table for the steps, details, and more information about how to install the client and enroll mobile devices. Important Before you perform these steps, make sure that you have all the prerequisites to install and enroll clients on mobile devices. For more information, see Prerequisites for Windows Client Deployment in Configuration Manager.
Steps Details More information

Step 1: Deploy a web server certificate to site system servers.

Deploy a web server certificate to the computers that host the following site system roles: Management point Distribution point Enrollment point Enrollment proxy point

For information about the certificate requirements, see PKI Certificate Requirements for Configuration Manager. For an example deployment that creates and installs this web server certificate, see the Deploying the Web Server Certificate for Site Systems that Run IIS section in the Step-byStep Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority topic. Important Make sure that you specify the Internet FQDN in the web server certificate for the management point, the distribution point, and the enrollment proxy point. For information about the certificate requirements, see PKI Certificate Requirements for Configuration Manager. For an example deployment that
1232

Additionally, if you want to allow users to wipe their own mobile devices, configure Internet Information Services (IIS) with a web server certificate on the computers that host the Application Catalog website point and the Application Catalog web service point. Important The web server certificate must contain the Internet FQDN that is specified in the site system properties. Step 2: Deploy a client authentication certificate to site system servers. Deploy a client authentication certificate to the following computers that host the following site system roles: Management point

Steps

Details

More information

Distribution point

creates and installs the client certificate for management points, see the Deploying the Client Certificate for Computers section in the Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority topic. For an example deployment that creates and installs the client certificate for distribution points, see the Deploying the Client Certificate for Distribution Points section in the Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority topic.

Step 3: Create and issue a certificate template for mobile device enrollment.

The certificate template must have Read and Enroll permissions for the users that have mobile devices to enroll.

See the Deploying the Enrollment Certificate for Mobile Devices section in the Step-byStep Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority topic. For more information about how to create a DNS alias, consult your DNS documentation.

Step 4: Optional but recommended: Configure automatic discovery for the enrollment service.

Create a DNS alias (CNAME record) named configmgrenroll that references the site system server on which you will install the enrollment proxy point. Configure management points for the following options: HTTPS Allow client connections from the Internet Allow mobile devices

Step 5: Configure the management point and distribution point.

See the following procedure in this topic: Step 5: Configuring Management Points and Distribution Points for Mobile Devices.

1233

Steps

Details

More information

Although distribution points are not required during the enrollment process, you must configure them to allow client connections from the Internet if you want to deploy software to these mobile devices after they are enrolled by Configuration Manager. Step 6: Configure the enrollment proxy point and the enrollment point. You must install both these site system roles in the same site but you do not have to install them on the same site system server, or in the same Active Directory forest. For more information about site system role placement and considerations, see the Planning Where to Install Sites System Roles in the Hierarchy section in the Planning for Site Systems in Configuration Manager topic. To configure the enrollment proxy point and the enrollment point, see the following procedure in this topic: Step 6: Installing and Configuring the Enrollment Site Systems. Step 7: Optional: Install the Application Catalog web service point and the Application Catalog website point. Install the Application Catalog web service point and the Application Catalog website point if you want to allow users to wipe their own mobile devices. Install the reporting services point if you want to run reports for mobile devices. For more information about how to install and configure these site system roles, see Configuring the Application Catalog and Software Center in Configuration Manager. For more information about how to install and configure the reporting services point, see Configuring Reporting in Configuration Manager. For more information about client settings, see About Client Settings in Configuration Manager. For information about how to configure these client settings,
1234

Step 8: Optional: Install the reporting services point.

Step 9: Configure client settings for mobile device enrollment.

Configure the default client settings if you want all users to be able to enroll mobile devices. Or, as a best practice, configure custom client settings to restrict the users

Steps

Details

More information

who can enroll mobile devices. If required, change the default values for the client polling schedule and hardware inventory client settings. Step 10: Enroll mobile devices. Use the web browser on the mobile device to start enrollment.

see the following procedure in this topic: Step 9: Configuring the Client Settings for Mobile Device Enrollment.

See the following procedure in this topic: Step 10: Enrolling Mobile Devices.

Supplemental Procedures to Install the Client and Enroll Mobile Devices

Use the following information when the steps in the preceding table require supplemental procedures.

Step 5: Configuring Management Points and Distribution Points for Mobile Devices
This procedure configures existing management points and distribution points to support mobile devices that are enrolled by Configuration Manager. Before you start this procedure, make sure that the site system server that runs the management point and distribution point is configured with an Internet FQDN. In addition, these site system roles must be in a primary site. To configure management points and distribution points for mobile devices 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, select Servers and Site System Roles, and then select the server that hosts the site system roles to configure. 3. In the details pane, right-click Management point, click Role Properties, and in the Management Point Properties dialog box, configure the following options, and then click OK: a. Select HTTPS. b. Select Allow Internet-only client connections or Allow intranet and Internet client connections. These options require that an Internet FQDN is specified in the site system properties. c. Select Allow mobile devices to use this management point (Configuration Manager with no service pack) or Allow mobile devices and Mac computers to use this management point (Configuration Manager SP1).

4. In the details pane, right-click Distribution point, click Role Properties, and in the Distribution Point Properties dialog box, configure the following options, and then click
1235

OK: a. Select HTTPS. b. Select Allow Internet-only client connections or Allow intranet and Internet client connections. These options require that an Internet FQDN is specified in the site system properties. c. Click Import certificate, browse to the exported client distribution point certificate file, and then specify the password.

5. Repeat steps 2 through 4 in this procedure for all management points and distribution points in primary sites that you will use with mobile devices.

Step 6: Installing and Configuring the Enrollment Site Systems

These procedures configure the site system roles for mobile device enrollment. Choose one of these procedures, depending on whether you will install a new site system server for mobile device enrollment or use an existing site system server: To install and configure the enrollment site systems: New site system server To install and configure the enrollment site systems: Existing site system server To install and configure the enrollment site systems: New site system server 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, and click Servers and Site System Roles 3. On the Home tab, in the Create group, click Create Site System Server. 4. On the General page, specify the general settings for the site system, and then click Next. Important Make sure that you specify the Internet FQDN, even if it is the same value as the intranet FQDN. Mobile devices that are enrolled by Configuration Manager always connect to the Internet FQDN, even when they are on the intranet. 5. On the System Role Selection page, select Enrollment proxy point and Enrollment point from the list of available roles, and then click Next. 6. On the Enrollment Proxy Point page, review the settings and make any changes that you require, and then click Next. 7. On the Enrollment Point Settings page, review the settings and make any changes that you require, and then click Next. 8. Complete the wizard. To install and configure the enrollment site systems: Existing site system server 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, select Servers and Site System Roles, and then select the server that you want to use for mobile device
1236

enrollment. 3. On the Home tab, in the Create group, click Add Site System Roles. 4. On the General page, specify the general settings for the site system, and then click Next. Important Make sure that you specify the Internet FQDN, even if it is the same value as the intranet FQDN. Mobile devices that are enrolled by Configuration Manager always connect to the Internet FQDN, even when they are on the intranet. 5. On the System Role Selection page, select Enrollment proxy point and Enrollment point from the list of available roles, and then click Next. 6. On the Enrollment Proxy Point page, review the settings and make any changes that you require, and then click Next. 7. On the Enrollment Point Settings page, review the settings and make any changes that you require, and then click Next. 8. Complete the wizard.

Step 9: Configuring the Client Settings for Mobile Device Enrollment

The first procedure in this step configures the default client settings for mobile device enrollment and will apply to all users in hierarchy. If you want these settings to apply to only some users, create a custom user setting and assign it to a collection that contains users who you will allow to enroll their mobile devices. The second procedure in this step configures the default client settings for the mobile device polling interval and hardware inventory to apply to all mobile devices in the hierarchy that Configuration Manager enrolls. The hardware inventory settings also apply to client computers. If you want these settings to apply to only mobile devices or to selected mobile devices, create a custom device setting and assign it to a collection that contains the enrolled mobile devices that you want to configure with these settings. For more information about how to create custom client settings, see How to Create and Assign Custom Client Settings. To configure the default client settings for mobile device enrollment 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, click Client Settings. 3. Click Default Client Settings. 4. On the Home tab, in the Properties group, click Properties. 5. Select the Mobile Devices (Configuration Manager with no service pack) or Enrollment (Configuration Manager SP1) section, and then configure the following user settings: For Configuration Manager with no service pack:
1237

i. ii. i. ii.

Allow users to enroll mobile devices: True Mobile device enrollment profile: Click Set Profile. Allow users to enroll mobile devices and Mac computers: Yes Enrollment profile: Click Set Profile.

For Configuration Manager SP1:

6. In the Mobile Device Enrollment Profile dialog box, click Create. 7. In the dialog box, enter a name for this mobile device enrollment profile, and then configure the Management site code. Select the System Center 2012 Configuration Manager primary site that contains the management points that will manage these mobile devices. Note If you cannot select the site, check that at least one management point in the site is configured to support mobile devices. 8. Click Add. 9. In the Add Certification Authority for Mobile Devices dialog box, select the certification authority (CA) server that will issue certificates to mobile devices, and then click OK. 10. In the Create Mobile Device Enrollment Profile dialog box (Configuration Manager with no service pack) or Create Enrollment Profile dialog box (Configuration Manager SP1), select the mobile device certificate template that you created in Step 3, and then click OK. 11. Click OK to close the dialog box, and then click OK to close the Default Client Settings dialog box. Devices will be configured with these user settings when they next download client policy. To initiate policy retrieval for a single client, see the Initiate Policy Retrieval for a Configuration Manager Client section in the How to Manage Clients in Configuration Manager topic. To configure the default client settings for the mobile device polling interval and hardware inventory 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, click Client Settings. 3. Click Default Client Settings. 4. On the Home tab, in the Properties group, click Properties. 5. To configure the client polling interval: For Configuration Manager with no service pack: Select the Mobile Devices section, and configure the device setting for the polling interval. For Configuration Manager SP1: Select the Client Policy section, and configure the device setting for the client policy polling interval.

6. Select the Hardware Inventory section, and then configure the following device settings that apply to mobile devices that are enrolled by Configuration Manager:
1238

a. Enable hardware inventory on clients b. Hardware inventory schedule c. Hardware inventory classes Note For more information about hardware inventory, see Hardware Inventory in Configuration Manager 7. Click OK to close the Default Client Settings dialog box.

Step 10: Enrolling Mobile Devices

This procedure installs the Configuration Manager client on a mobile device, requests and installs a certificate for the mobile device, and assigns the client to the enrollment site in Configuration Manager. To enroll mobile devices To install the client and enroll a mobile device, open a web browser on the mobile device, and then type the following, where the FQDN is the Internet FQDN of a site system server that runs the enrollment proxy point: https://<FQDN>/EnrollmentServer Note You can provide this hyperlink to users in an email message or on a web page. If you have created the DNS alias of configmgrenroll, you can use this in your link instead of the server name. The benefit of using the alias in the link is that if the server changes, you must only update DNS rather than the link that you provided to users, and when you have more than one enrollment proxy server, DNS round robin provides some fault tolerance and load balancing. The mobile device enrollment process prompts to enter a company email address and password. These credentials are required to authenticate the user to Active Directory Domain Services, which then authorizes the user to access the mobile device enrollment certificate template. Tip If the user does not have a company email account that is integrated with Active Directory Domain Services (for example, in a test environment), you can enter the UPN for the email address (or use domain\user name) format, and enter the password for the Active Directory account. However, the initial page does not accept the domain\user name format. To use this format, enter any value that is in the [email protected] format, wait for this to fail the validation check, and then you can use the domain\user name format. To verify that enrollment succeeded, update and view the collections that display mobile devices in the Assets and Compliance workspace, and view the reports for mobile devices.

1239

See Also
Configuring Client Deployment in Configuration Manager

How to Configure Client Status in Configuration Manager

Before you can monitor System Center 2012 Configuration Manager client status and remediate problems that are found, you must configure your site to specify the parameters that are used to mark clients as inactive and configure options to alert you if client activity falls below a specified threshold. You can also disable computers from automatically remediating any problems that client status finds. Use the procedures in this topic to help you configure client status in System Center 2012 Configuration Manager. To Configure Client Status To Configure the Schedule for Client Status To Configure Alerts for Client Status To Exclude Computers from Automatic Remediation To Configure Client Status 1. In the Configuration Manager console, click Monitoring. 2. In the Monitoring workspace, click Client Status, then, in the Home tab, in the Client Status group, click Client Status Settings. 3. In the Client Status Settings Properties dialog box, specify the following values to determine client activity: Note If none of the settings are met, the client will be marked as inactive. Client policy requests during the following days: Specify the number of days since a client requested policy. The default value is 7 days. Heartbeat discovery during the following days: Specify the number of days since the client computer sent a heartbeat discovery record to the site database. The default value is 7 days. Hardware inventory during the following days: Specify the number of days since the client computer has sent a hardware inventory record to the site database. The default value is 7 days. Software inventory during the following days: Specify the number of days since the client computer has sent a software inventory record to the site database. The default value is 7 days. Status messages during the following days: Specify the number of days since the
1240

client computer has sent status messages to the site database. The default value is 7 days. 4. In the Client Status Settings Properties dialog box, specify the following value to determine how long client status history data is retained: Retain client status history for the following number of days: Specify how long you want the client status history to remain in the site database. The default value is 31 days.

5. Click OK to save the properties and to close the Client Status Settings Properties dialog box. To Configure the Schedule for Client Status 1. In the Configuration Manager console, click Monitoring. 2. In the Monitoring workspace, click Client Status, then, in the Home tab, in the Client Status group, click Schedule Client Status Update. 3. In the Schedule Client Status Update dialog box, configure the interval at which you want client status to update and then click OK. Note When you change the schedule for client status updates, the update will not take effect until the next scheduled client status update (for the previously configured schedule). To Configure Alerts for Client Status 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, click Device Collections. 3. In the Device Collections list, select the collection for which you want to configure alerts and then, in the Home tab, in the Properties group, click Properties. Note You cannot configure alerts for user collections. 4. On the Alerts tab of the <Collection Name> Properties dialog box, click Add. Note The Alerts tab is only visible if the security role you are associated with has permissions for alerts. 5. In the Add New Collection Alerts dialog box, choose the alerts that you want generated when client status thresholds fall below a specific value, then click OK. 6. In the Conditions list of the Alerts tab, select each client status alert and then specify the following information. Alert Name Accept the default name or enter a new name for the alert. Alert Severity From the drop-down list, choose the alert level that will be displayed in the Configuration Manager console.
1241

Raise alert Specify the threshold percentage for the alert.

7. Click OK to close the <Collection Name> Properties dialog box. To Exclude Computers from Automatic Remediation 1. Open the registry editor on the client computer for which you want to disable automatic remediation. Warning If you use the Registry Editor incorrectly, you might cause serious problems that could require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using the Registry Editor incorrectly. Use the Registry Editor at your own risk. 2. Navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\CCM\CcmEval\NotifyOnly. 3. Enter one of the following values for this registry key: True The client computer will not automatically remediate any problems that are found. However, you will still be alerted in the Monitoring workspace about any problems with this client. False The client computer will automatically remediate problems when they are found and you will be alerted in the Monitoring workspace. This is the default setting.

4. Close the registry editor. You can also install clients using the CCMSetup NotifyOnly installation property to exclude them from automatic remediation. For more information about this client installation property, see About Client Installation Properties in Configuration Manager.

See Also
Configuring Client Deployment in Configuration Manager

Operations and Maintenance for Client Deployment in Configuration Manager

Use the following information to help you manage and monitor devices in the System Center 2012 Configuration Manager hierarchy.

Operations and Maintenance Topics

How to Manage Mobile Devices by Using the Exchange Server Connector in Configuration Manager

1242

How to Manage Mobile Devices by Using the Windows Intune Connector in Configuration Manager How to Manage Clients in Configuration Manager How to Monitor Clients in Configuration Manager How to Manage Linux and UNIX Clients in Configuration Manager How to Monitor Linux and UNIX Clients in Configuration Manager

Other Resources for this Product

TechNet Library main page for System Center 2012 Configuration Manager Deploying Clients for System Center 2012 Configuration Manager

How to Manage Mobile Devices by Using the Exchange Server Connector in Configuration Manager
Use the Exchange Server connector in System Center 2012 Configuration Manager when you want to manage mobile devices that connect to Exchange Server (on-premise or online) by using the Exchange ActiveSync protocol, and you cannot enroll them by using Configuration Manager. When you manage mobile devices by using the Exchange Server connector, this does not install the Configuration Manager client on the mobile devices, which means that some management functions are limited. For example, you cannot install software on them or use configuration items to configure them. For more information about the different management capabilities that you can use with Configuration Manager for mobile devices, see Determine How to Manage Mobile Devices in Configuration Manager. Important Before you install the Exchange Server connector, confirm that the version of Exchange that you are using is supported by Configuration Manager. For more information, see Supported Configurations for Configuration Manager. When you use the Exchange Server connector, the mobile devices can be managed by the settings that you configure in Configuration Manager instead of being managed by the default Exchange ActiveSync mailbox policies. Define the settings that you want to use in the following group settings: General, Password, Email Management, Security, and Application. For example, in the Password group setting, you can configure that mobile devices require a password, the minimum password length, password complexity, and whether password recovery is allowed. When you configure at least one setting in the group, Configuration Manager manages all settings in the group for mobile devices. If you do not configure any setting in a group, Exchange Server continues to manage the mobile device for those settings. Any Exchange ActiveSync
1243

mailbox policies that are configured on the Exchange Server and assigned to users will still be applied. You can also configure the Exchange Server connector to manage the Exchange Server access rules and allow or block, or quarantine mobile device. You can remotely wipe a mobile device by using the Configuration Manager console and users can remotely wipe their mobile devices by using the Application Catalog. A users mobile device appears in the Application Catalog automatically when it is managed by the Exchange Server connector and the Exchange Server is on-premise. When you configure the Exchange Server connector for Exchange Online, you must manually configure user device affinity for the users mobile device to appear in the Application Catalog. For more information about how to manually configure user device affinity, see How to Manage User Device Affinity in Configuration Manager in the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide. Tip If you manage a mobile device by using the Exchange Server connector and the mobile device is transferred to another user, delete the mobile device from the Configuration Manager console before the new owner of the mobile device configures their Exchange account on this transferred mobile device.

Required Security Permissions

You must have the following security permissions to configure the Exchange Server connector: To add, modify, and delete the Exchange Server connector: Modify permission for the Site object. To configure the mobile device settings: ModifyConnectorPolicy permission for the Site object.

The Full Administrator security role includes the required permissions to configure the Exchange Server connector. You must have the following security permissions to manage mobile devices: To wipe a mobile device: Delete resource for the Collection object. To cancel a wipe command: Modify resource for the Collection object. To allow and block mobile devices: Modify resource for the Collection object.

The Operations Administrator security role includes the required permissions to manage mobile devices by using the Exchange Server connector. For more information about how to configure security permissions, see Configure Role-Based Administration.

1244

Installing and Configuring an Exchange Server Connector

Use the following procedure to install and configure an Exchange Server connector to manage mobile devices. Configuration Manager supports one connector only in an Exchange organization. After you complete these steps, you can monitor the mobile devices that are found and managed by the connector when you view the collections that display mobile devices, and by using the reports for mobile devices. Note Configuration Manager generates names for the mobile devices that it finds by using the format UserName_DeviceType. If a user has more than one mobile device that has the same device type, Configuration Manager displays the same name for these mobile devices in the console and in reports. To install and configure an Exchange Server connector 1. Decide which account will connect to the Exchange Client Access server to manage the mobile devices. The account can be the computer account of the site server or a Windows user account. Then configure this account to run the following Exchange Server cmdlets: Clear-ActiveSyncDevice Get-ActiveSyncDevice Get-ActiveSyncDeviceAccessRule Get-ActiveSyncDeviceStatistics Get-ActiveSyncMailboxPolicy Get-ActiveSyncOrganizationSettings Get-ExchangeServer Get-Recipient Set-ADServerSettings Set-ActiveSyncDeviceAccessRule Set-ActiveSyncMailboxPolicy Set-CASMailbox New-ActiveSyncDeviceAccessRule New-ActiveSyncMailboxPolicy Remove-ActiveSyncDevice Note The following Exchange Server management roles include these cmdlets: Recipient Management; View-Only Organization Management; and Server Management. For more information about management role groups in Exchange Server 2010, see Understanding Management Role Groups.
1245

2. In the Configuration Manager console, click Administration. 3. In the Administration workspace, expand Hierarchy Configuration, and then click Exchange Server Connectors. 4. On the Home tab, in the Create group, click Add Exchange Server. 5. Complete the Add Exchange Server wizard. For the Exchange Server Connector Account, specify the account that you configured in step 1. Tip If you also enroll mobile devices with Configuration Manager, enable the option External mobile device management to ensure that these mobile devices continue to receive email from Exchange after they are enrolled by Configuration Manager.

See Also
Operations and Maintenance for Client Deployment in Configuration Manager

How to Manage Mobile Devices by Using the Windows Intune Connector in Configuration Manager
Note The information in this topic applies only to System Center 2012 Configuration Manager SP1. Note This topic appears in the Deploying Clients for System Center 2012 Configuration Manager guide and in the Scenarios and Solutions Using System Center 2012 Configuration Manager guide. System Center 2012 Configuration Manager SP1 lets you manage Windows Phone 8, Windows RT, iOS, and Android devices by using the Windows Intune service over the Internet. Although you use the Windows Intune service, management tasks are completed by using the Configuration Manager console. You can use the Windows Intune connector site system role in the Configuration Manager console to connect to the Windows Intune service. Many employees do work-related tasks, such as viewing their email, on their personal mobile devices. This trend is referred to as Bring Your Own Device (BYOD). Bring your own device is a scenario where employees perform work-related tasks on their user-owned mobile devices. Companies that embrace bringing your own device can provide more than just email for mobile devices. Companies can now provide and manage mobile apps to let employees perform workrelated tasks. While providing apps to user-owned devices, companies can protect company data
1246

by exercising control over mobile device enrollment and security settings. With Configuration Manager SP1, you have control over which users can enroll their mobile devices and which users can access your companys data and apps. Use the following sections to help you manage mobile devices by using the Windows Intune connector. Actions Available to Users Management Options Available to Administrators Prerequisites The Windows Intune Subscription The Windows Intune Connector Site System Role Mobile Device Enrollment Device Life-cycle Management Compliance Settings for Mobile Devices App Management for Mobile Devices Hardware Inventory

For a checklist about how to configure Configuration Manager to manage mobile devices, see Administrator Checklist: Configuring Configuration Manager to Manage Mobile Devices by Using Windows Intune.

Actions Available to Users

When employees use their own devices they expect to have some control over the apps they download, in addition to privacy for their personal data. The Bring Your Own Device scenario lets you balance employee concerns with company constraints. Users can manage their devices by using the company portal. The company portal is a self-service portal that lets users control what apps are installed on their devices. Also, the company portal is customized for that platform so that users will only see apps available for their device type. The following table lists what actions users can control on their devices by using the company portal.
Company portal actions available to users From Windows RT From Windows Phone 8 From iOS From Android

Enroll device. Retire local device. Wipe mobile devices remotely. Install line-of-

Yes Yes

Yes Yes

Yes No

No No

Yes

No

No

No

Yes

Yes

Yes

Yes
1247

Company portal actions available to users

From Windows RT

From Windows Phone 8

From iOS

From Android

business apps. Install apps from Yes the store that the device connects to for Windows Store, Windows Phone Store, App Store, or Google Play. Yes Yes Yes

Management Options Available to Administrators

The Windows Intune connector gives administrators the ability to manage apps, compliance settings, and device life cycle. Before you can install the Windows Intune connector, you first have to subscribe to the Windows Intune service and configure your Windows Intune subscription. Your subscription lets you choose which user collection can enroll mobile devices. Also, your subscription lets you configure a portal that will host your company apps and then lets users manage their devices. You use the subscription to publish your privacy statement so that your employees understand what is being monitored on their mobile devices. The company portal lets users view and download the apps that your company provides. After you have configured the subscription, you can install the Windows Intune connector. The Windows Intune connector lets you deploy apps to mobile devices by using a distribution point hosted by the Windows Intune service. This distribution point, manage.microsoft.com, is available after you install the Windows Intune connector. When you deploy an app by using the Windows Intune connector, the app appears in the company portal where users can view and download the app. You can either deploy a link to an app that exists in an app store or you can deploy a line-of-business app by using sideloading. Sideloading lets you distribute an app directly to a device without using the Windows Store, Windows Phone Store, App Store, or Google Play. You can sideload an app for Windows Phone 8, Windows RT, iOS, and Android. The Windows Intune connector also lets you manage compliance settings and collect inventory on Windows Phone 8, Windows RT, and iOS devices. You can manage the life cycle of mobile devices, which includes actions such as wipe, retire, and block. The Windows Intune service uses the management client that is built into the Windows RT and Windows Phone 8 platforms. For mobile devices that run iOS, Windows Intune uses the iOS APIs for management. The following table lists the kinds of management tasks that are available for each mobile device platform.

1248

Management tasks

Windows RT

Windows Phone 8

iOS

Android

Device life cycle Yes management such as the ability to retire, wipe, remote wipe, remove, and block devices. Compliance settings that include settings for password settings, email management, security, roaming, encryption, and wireless communication. Line-of-business app management. App installation from the store that the device connects to (Windows Store, Windows Phone Store, App Store, Google Play). Hardware inventory. Yes

Yes

Yes

No

Yes

Yes

No

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

No

Prerequisites
Use the following information to determine the prerequisites for managing mobile devices.

Dependencies External to Configuration Manager

External dependencies More information

Sign up for a Windows Intune organizational account.

Sign up for an account at Windows Intune. For more information, see Windows Intune organizational account and Acceptable Use Policy for Windows Intune in the
1249

External dependencies

More information

Documentation Library for Windows Intune. Add a public company domain. All user accounts must have a publicly registered UPN that can be verified by Windows Intune. Before you synchronize the Active Directory user account, you must verify that user accounts have a public domain UPN. For more information, see Add User Principal Name Suffixes in the Active Directory documentation library.

Verify users have a public domain UPN.

Deploy and configure directory synchronization. Directory synchronization lets you populate Windows Intune with synchronized user accounts. The synchronized users and security groups are added to Windows Intune. For more information, see Configure directory synchronization in the Active Directory documentation library. For single sign-on you must deploy AD FS. For more information, see Configure single sign-on in the Active Directory documentation library. Create a DNS alias. Create a DNS alias (CNAME record type). You have to configure a CNAME in DNS that redirects EnterpriseEnrollment.<company domain name>.com to manage.microsoft.com. For example, if Melissa's email address is [email protected], you have to create a CNAME in DNS that redirects EnterpriseEnrollment.contoso.com to manage.microsoft.com. The CNAME record is used as part of the enrollment process. Obtain certificates or keys. For more information, see Obtain Certificates or Keys to Meet Prerequisites per Platform in this topic.

Obtain Certificates or Keys to Meet Prerequisites per Platform

The following table lists the certificates or keys that you must have to enroll mobile platforms.
1250

Platform

Certificates or keys

How you obtain certificates or keys

Windows Phone 8

Code signing certificate: All sideloaded apps must be code-signed. Sideloading keys: Windows RT devices have to be provisioned with sideloading keys to enable the installation of sideloaded apps. All sideloaded apps must be code-signed.

Buy a code signing certificate from Symantec.

Windows RT

Buy sideloading keys from Microsoft. All apps must be code-signed by using your companys certification authority or an external certification authority.

iOS

Apple Push Notification service certificate.

Request an Apple Push Notification service certificate from Apple. For more information, see the Prerequisites for Enrolling iOS Devices in this topic. Not applicable.

Android

None.

Prerequisites for Enrolling Windows Phone 8 Devices

To manage Windows Phone 8 devices, you have to deploy the Windows Phone 8 company portal app. The company portal app must be code-signed with a certificate that is trusted by the Windows Phone 8 devices. 1. Obtain a Windows Phone Dev Center Publisher ID from the Windows Phone Dev Center. 2. Retrieve a certificate from the Symantec website by using your Publisher ID. 3. Download the Windows Phone 8 company portal app. 4. Download the SignTool app from the Windows Phone 8 SDK. To deploy an app to -users, the app must be signed by a certification authority that is trusted by Windows Phone 8 devices. Use the SignTool app to sign your apps with the Symantec certificate. 5. Sign the company portal app by using the SignTool app and the certificate that you downloaded from Symantec. 6. Deploy the Windows Phone 8 company portal app to the manage.microsoft.com distribution point. For more information, see To deploy an application to mobile devices in this topic. 7. Sign all apps that you plan to deploy to Windows Phone 8.

1251

Prerequisites for Enrolling Windows RT Devices

To configure app management on a mobile device that runs iOS, you must follow these steps. 1. Obtain sideloading keys. Before you can run sideloaded line-of-business apps on Windows RT, you must obtain and activate sideloading keys from Microsoft. For more information about sideloading product activation keys, see Microsoft Volume Licensing. 2. Sign all apps. For sideloaded apps to run on Windows RT, you must use a certificate to sign all apps.

Prerequisites for Enrolling iOS Devices

To enroll iOS devices, you must follow these steps. 1. Download a Certificate Signing Request from Windows Intune. This certificate signing request lets you apply to Apples certification authority for an App le Push Notification service certificate. 2. Request an Apple Push Notification service certificate from the Apple website. To Download a Certificate Signing Request from Windows Intune 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Hierarchy Configuration, and click Windows Intune Subscriptions. 3. On the Home tab, in the Create group, click Create APNs certificate request. 4. In the Request Apple Push Notification Service Certificate Signing Request dialog box, click Browse to specify a location to download the Certificate Signing Request, specify your choice of file name, and then click Download. 5. On the Windows Intune sign in page, enter your organizational account and password. After you sign in, the certificate signing request is downloaded to the location that you specified. To Request an Apple Push Notification Service Certificate 1. Connect to the Apple Push Certificates Portal. 2. Sign in and complete the wizard. Note Make sure that you use a company account to obtain the Apple Push Notification service certificate. When you have to go back to the site to renew the certificate, make sure that you use the same account. 3. Upload the Certificate Signing Request that you downloaded from Windows Intune.

Dependencies in Configuration Manager

1252

Dependencies in Configuration Manager

More information

Create the Windows Intune subscription.

For more information, see The Windows Intune Subscription in this topic. For more information, see The Windows Intune Connector Site System Role in this topic.

Add the Windows Intune connector.

The Windows Intune Subscription

The Windows Intune subscription lets you specify your configuration settings for the Windows Intune service; this includes specifying which users can enroll their devices and defining which mobile device platforms to manage. When you have created your subscription, you can then install the Windows Intune connector site system role, which lets you connect to the Windows Intune service. This connector site system role will push settings and applications to the Windows Intune service. Windows Intune will then make apps available to users on their mobile devices by using the company portal. The Windows Intune subscription performs the following actions: Retrieves the certificate that the Windows Intune connector requires to connect to the Windows Intune service. Defines the user collection that enables users to enroll mobile devices. Defines and configures the mobile platforms that you want to support. To create the Windows Intune subscription 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Hierarchy Configuration, and click Windows Intune Subscriptions. 3. On the Home tab, in the Create group, click Create Windows Intune Subscription. 4. On the Introduction page of the Create Windows Intune Subscription Wizard, review the text and click Next. 5. On the Subscription page, click Sign in and sign in by using your Windows Intune organizational account. Select the Allow the Configuration Manager console to manage this subscription check box. When you select this setting, you will only be able to manage mobile devices by using the Configuration Manager console. To continue with your subscription, you must select this option. 6. Click the privacy links to review them, and then click Next. 7. On the General page, specify the following options, and then click Next. Collection: Specify a user collection that contains users who will enroll their mobile devices. Note If a user is removed from the collection, the users device will continue to be
1253

managed for up to 24 hours until the user record is removed from the user database. Company name: Specify your company name. URL to company privacy documentation: If you publish your company privacy information to a link that is accessible from the Internet, provide the link so that users can access it from the company portal. Privacy information can clarify what information users are sharing with your company. Color scheme for company portal: Optionally, change the default color of blue for the company portals. Configuration Manager site code: Specify a site code for a primary site to manage the mobile devices. Although you can change the site code at any time, if you do this, existing users will have to retire their mobile devices and then re-enrolled to the new site.

8. On the Platforms page, select the device types that you want to manage and review the platform requirements, and then click Next. For each device type that you selected, you must configure additional options. Use the following procedures for more information. After you have configured these additional options, click Next and complete the wizard.

iOS Devices
On the iOS page, click Browse to specify the Apple Push Notification service certificate that you received from Apple. For more information about how to obtain an Apple Push Notification service certificate, see the Prerequisites for Enrolling iOS Devices section in this topic.

Windows Phone 8 Devices

On the Windows Phone 8 page, specify the code-signing certificate to use for all Windows Phone apps and then specify the location of the signed Windows Phone 8company portal app.

For more information about how to obtain the certificate, see the Prerequisites for Enrolling Windows Phone 8 Devices section in this topic.

Windows RT Devices
Windows RT devices require that all sideloaded apps be signed with a trusted code-signing certificate. 1. On the Windows RT Configuration page, if you have a certificate from your companys certification authority, click Browse to specify the code-signing certificate that you want to use for all Windows 8 apps. Note

1254

All apps must be code-signed. This field is for your companys certificate. If you have purchased a certificate from an external certification authority, you can leave this field blank. 2. Click Add to enter your sideloading keys. For more information about how to obtain the certificate, see the Prerequisites for Enrolling Windows RT Devices section in this topic.

The Windows Intune Connector Site System Role

The Windows Intune connector sends settings and software deployment information to Windows Intune and retrieves status and inventory messages from mobile devices. The Windows Intune service acts as a gateway that communicates with mobile devices and stores settings.

To configure the Windows Intune Connector role 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, and then click Servers and Site System Roles. 3. Add the Windows Intune Connector role to a new or existing site system server by using the associated step: New site system server: On the Home tab, in the Create group, click Create Site System Server to start the Create Site System Server Wizard. Existing site system server: Click the server on which you want to install the Windows Intune connector role. Then, on the Home tab, in the Server group, click Add Site System Roles to start the Add Site system Roles Wizard.

4. On the System Role Selection page, select Windows Intune Connector, and click Next. 5. Complete the wizard.

Mobile Device Enrollment

Enrollment establishes a relationship between the user, the device, and the Windows Intuneservice. Users enroll their own mobile devices. Android devices are not enrolled, but can be managed by using the Exchange Server connector. The following sections describe enrollment for Windows Phone 8, Windows RT, and iOS.

Windows Phone 8 Enrollment

For Windows Phone 8, users start enrollment from the Windows Phone 8 device by going to system settings and selecting company apps. The following processes then occur: 1. Users are asked to provide their Active Directory credentials for service. Users enroll their own mobile devices. Android devices are not enrolled, but can be managed by using the
1255

Exchange Server connector. The following sections describe enrollment for r authentication. When authentication is successful, Windows Intune establishes a relationship between the user and the Windows Phone 8 device. 2. A certificate is installed on the device for authentication between the device and the Windows Intune service. 3. Users must select Install company app or Hub to let their device be managed. Important If users do not select this option, they cannot download the company portal. If the Windows Phone 8 company portal is not installed during enrollment, or if users uninstall the company portal, users must retire their mobile device and re-enroll it. Or, you can make the company portal file available by sending users a link in an email. 4. The company portal is installed on the device. Inventory is collected; management settings are applied, and users now have access to line-of-business apps that you make available to them.

Windows RT Enrollment
For Windows RT, users start enrollment from the Windows RT device. The following processes occur: 1. On the Windows RT device, users select Start, and type System Configuration, and open the Company Apps dialog box. 2. The users enter their company credentials and are authenticated. A relationship between the users, the Windows RT device and the Windows Intune service is established. 3. Windows Intune collects inventory and applies management settings. Users now have access to line-of-business apps and direct links to the app store through the company portal.

iOS Enrollment
For iOS, enrollment is as follows: 1. You begin enrollment by sending an email invitation to the user. The email invitation includes a link to the enrollment portal, manage.microsoft.com. 2. The users are asked for their company credentials to begin the enrollment process. 3. As soon as authentication is successful, a relationship between the user, the iOS device and the Windows Intune service is established. 4. Windows Intune collects inventory and applies management settings. The user now has access to line-of-business apps and direct links to the app store through the company portal.

Device Life-cycle Management

You can retire, block, wipe, or delete devices. The following table lists the management functions for each platform and compares these to the management functions that the Exchange Server connector supports. Because you cannot enroll Android devices by using the Windows Intune
1256

connector, you must use the Exchange Server connector to remove, block, wipe, or delete these devices. For more information about how to manage mobile devices by using the Exchange Server connector, see How to Manage Mobile Devices by Using the Exchange Server Connector in Configuration Manager.
Management function Windows Phone 8 Windows RT iOS Exchange Server connector

Retire: Removes the device from Configuration Manager and leaves personal settings and data unchanged on the device.

Yes Line-of-business apps are uninstalled, which includes the company portal app. User settings are retained.

Yes Removes the Windows RT sideloading keys. Without the sideloading keys, sideloaded apps will no longer run. User settings are retained. Note When an RT device is retired, users can still use company apps until the next update. The update occurs every 24 hours for Windows RT devices.

Yes Installed apps will still run.

Yes Installed apps will still run. User settings are removed.

Block: Blocks the client from communicating with the hierarchy. Clients can be unblocked. Wipe: Deletes all data, and reverts to the manufacturers

Yes

Yes

Yes

Not available

Yes

Not available

Yes

Exchange ActiveSync mailbox

1257

Management function

Windows Phone 8

Windows RT

iOS

Exchange Server connector

defaults. You can issue a remote wipe command by using the Configuration Manager console. Or, the user can wipe the device by using the Application Catalog or any company portal except the Windows Phone 8 company portal. Delete: Deletes the Yes mobile device permanently from the hierarchy so that the device is no longer managed. No data is removed from the device. After the device is deleted, the user has to re-enroll. Yes Yes

removal only

Not available

To retire, block, or wipe a mobile device 1. In the Configuration Manager console, click Assets and Compliance and select Devices. 2. Select a device and then select the action that you want to take.

Compliance Settings for Mobile Devices

You can control compliance settings, such as password policy, for mobile devices by using the Windows Intune connector.

1258

Applying Compliance Settings by Using the Windows Intune Connector

Create configuration items to define configurations that you want to manage and assess for compliance on mobile devices. The steps you have to take to manage compliance settings are as follows.
Step Description

Step 1: Create a configuration item for mobile devices.

To create configuration items for mobile devices that you enroll by using the Windows Intune connector, see How to Create Mobile Device Configuration Items for Compliance Settings in Configuration Manager. For more information about how to create the configuration baseline, see How to Create Configuration Baselines for Compliance Settings in Configuration Manager. After a configuration baseline is created, you can apply it to a user or device collection. If you apply the settings to a user collection, the compliance settings are applied to all the enrolled devices for those users. For more information, see How to Deploy Configuration Baselines in Configuration Manager.

Step 2: Create a configuration baseline.

Step 3: Deploy the configuration baseline.

Compliance Settings for Devices That Are Enrolled by the Windows Intune Connector
You can ensure that users comply with basic security settings by using compliance settings. The following table lists the compliance settings available to Windows Phone 8, Windows RT, and iOS devices. For Android devices, you can use the Exchange server connector for basic security settings.
Compliance setting Windows Phone 8 Windows RT iOS

Require password settings on mobile devices Minimum password length (characters)

Yes

No

Yes

Yes

Yes

Yes

1259

Compliance setting

Windows Phone 8

Windows RT

iOS

Idle time before mobile device is locked Number of passwords remembered Password expiration in days Password complexity Number of failed logon attempts before device is wiped Removable storage Camera File encryption on mobile device

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes Yes

No Yes

Yes Yes

Yes No Yes

No No No

No Yes No

App Management for Mobile Devices

Mobile apps that you deploy appear in the company portal. Users can decide whether to download the apps to their devices. Use the information in the following sections to help you create and deploy applications to mobile devices.

Create an application for Windows Phone 8 devices

For Windows Phone 8 devices, you can deploy apps or you can deploy links to apps in the Windows Phone Store. To deploy apps to Windows Phone 8, you must select Windows Phone 8 devices when you configure the Windows Intune subscription. To create an application for a line-of-business app for Windows Phone 8 devices 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Application Management, and then click Applications. 3. In the Home tab, in the Create group, click Create Application. 4. On the General page of the Create Application Wizard, select Automatically detect information about this application from installation files. 5. In the Type drop-down list, select Windows Phone app package (*.xap file). 6. Click Browse to select the Windows Phone app package you want to import, and then
1260

click Next. 7. On the General Information page of the wizard, enter the descriptive text and category information that you want users to see in the company portal. 8. Complete the wizard. The new application is displayed in the Applications node of the Software Library workspace. To create an application containing a link to the Windows Phone Store for Windows Phone 8 devices 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Application Management, and then click Applications. 3. In the Home tab, in the Create group, click Create Application. 4. On the General page of the Create Application Wizard, select Automatically detect information about this application from installation files. 5. In the Type drop-down, select Windows Phone app package (in the Windows Phone Store) 6. Click Browse to open the Windows Phone Store, select the app you want to include, and then click Next. 7. On the General Information page, enter the descriptive text and category information that you want users to see in the company portal. 8. Complete the wizard. The new application is displayed in the Applications node of the Software Library workspace.

Create an application for Windows RT devices

For Windows RT devices, you can deploy line-of-business apps or you can deploy links to apps in the Windows Store. To deploy apps to Windows RT devices, you must specify Windows RT devices in the Create Windows Intune Subscription Wizard. To create an application for sideloading a line-of-business app for Windows RT 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Application Management, and then click Applications. 3. In the Home tab, in the Create group, click Create Application. 4. On the General page of the Create Application Wizard, select Automatically detect information about this application from installation files. 5. In the Type drop-down, select Windows app package (*.appx file). 6. Click Browse, select the signed .appx program file that you want to include, and then click Next.
1261

7. On the General Information page, enter the descriptive text and category information that you want users to see in the company portal. 8. Complete the wizard. The new application is displayed in the Applications node of the Software Library workspace.

Create an application containing a link to the Windows Store for Windows RT devices
To create a link to the Windows Store for Windows RT, the app must be installed on a Windows 8 computer. You must first configure WinRM for HTTPS on the Windows 8 computer. Configure WinRM for HTTPS for the Windows 8 computer that has the app installed 1. Create an HTTPS-based listener by running winrm qc Transport:HTTPS. 2. Run the command enable-psremoting to allow PowerShell remoting. 3. Run the command winrm delete winrm/config/Listener?Address=*+Transport=HTTP to remove the HTTP-based listener that was automatically created by the enablepsremoting command. 4. Open Windows Firewall and add an inbound rule for port 5986, which is the default HTTPS port for Windows Remote Management (WinRM). To create an application containing a link to the Windows Store for Windows RT 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Application Management, and then click Applications. 3. In the Home tab, in the Create group, click Create Application. 4. On the General page of the Create Application Wizard, select Automatically detect information about this application from installation files. 5. In the Type dropdown, select Windows app package (in the Windows Store) 6. Click Browse and then, in the Browse Windows App Packages dialog box, connect to a computer that runs Windows 8 and that has the required app installed, select the app, and then click Next. 7. On the General Information page, enter the descriptive text and category information that you want users to see in the company portal. 8. Complete the wizard. The new application is displayed in the Applications node of the Software Library workspace.

Create an application for iOS devices

For devices that run iOS, you can deploy line-of-business apps or you can deploy links to apps on the App store.
1262

To create an application for sideloading a line-of-business app for iOS devices 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Application Management, and then click Applications. 3. In the Home tab, select Create group, and then click Create Application. 4. On the General page of the Create Application Wizard, select Automatically detect information about this application from installation files. 5. In the Type drop-down list, select App Package for iOS (*.ipa file). 6. Click Browse, select the signed application (*.ipa) file that you want to include, and then click Next. 7. On the General Information page, enter the descriptive text and category information that you want users to see in the company portal. 8. Complete the wizard. The new application is displayed in the Applications node of the Software Library workspace. To create an application containing a link to the App Store for iOS devices 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Application Management, and then click Applications. 3. In the Home tab, in the Create group, click Create Application. 4. On the General page of the Create Application Wizard, select Automatically detect information about this application from installation files. 5. In the Type dropdown, select App Package for iOS from App Store . 6. Click Browse, select the app you want to include, and then click Next. 7. On the General Information page, enter the descriptive text and category information that you want users to see in the company portal. 8. Complete the wizard. The new application is displayed in the Applications node of the Software Library workspace.

Create an application for Android devices

For Android devices, you can deploy apps or you can deploy links to Google Play by using the company portal. To create an application for sideloading a line-of-business app for Android devices 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Application Management, and then click
1263

Applications. 3. In the Home tab, in the Create group, click Create Application. 4. On the General page of the Create Application Wizard, select Automatically detect information about this application from installation files. 5. In the Type drop-down, select App Package for Android (*.apk file). 6. Click Browse, select the .apk program file you want to include, and then click Next. 7. On the General Information page, enter the descriptive text and category information that you want users to see in the company portal. Note If you create more than one deployment type for the same app, only the deployment type with the highest priority will be displayed in the company portal. 8. Complete the wizard. The new application is displayed in the Applications node of the Software Library workspace. To create an application containing a link to Google Play 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Application Management, and then click Applications. 3. In the Home tab, in the Create group, click Create Application. 4. On the General page of the Create Application Wizard, select Automatically detect information about this application from installation files. 5. In the Type drop-down, select App Package for Android in Google Play. 6. Click Browse, select the app you want to include, and then click Next. 7. On the General Information page, enter the descriptive text and category information that you want users to see in the company portal. 8. Complete the wizard. The new application is displayed in the Applications node of the Software Library workspace.

Supercedence
Supersedence works the same for mobile apps as it does for other apps. For more information about superseding applications, see How to Use Application Supersedence in Configuration Manager. Note For Windows Phone 8 devices, if you update the company portal app, you must update to the most recent company portal app in the Windows Subscription Wizard after you supersede the older version of the company portal with a new version.
1264

Approval for Apps

A user can only request approval to download an app from a Windows-based computer or a Windows RT device. If you deploy an app that requires approval from an administrative user, the user must request approval from the Application Catalog on a Windows-based computer. As soon as the user requests approval, the app appears in the company portal.

Requirement Rules
Requirements rules specify conditions that must be met before a deployment type can be installed on a client device. The requirements that are specific to mobile devices are listed in the following table:
Platform Requirements available

Windows Phone 8 Windows RT

Not available Windows 8 operating system version and language requirements are supported. Important If you create a deployment type for a Windows app package (*.appx file) file with any additional requirements, you will not be able to deploy the app to Windows RT devices.

iOS

iOS operating system, language requirements, and chassis (iPad or iPhone) are supported. Not available

Android

For more information about requirements, see the Step 6: Specify Requirements for the Deployment Type section in the How to Create Deployment Types in Configuration Manager topic.

Deploying an Application to Mobile Devices

After you have created a deployment type, you can deploy the app to mobile devices. Deploying the app will make the app available to users on the company portal. To deploy an application to mobile devices 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Application Management, and then click Applications. 3. In the Applications list, select the application that you want to deploy, on the Home tab,
1265

in the Deployment group, click Deploy. 4. On the General page of the Deploy Software Wizard, specify the following information: a. Software To display the applications that you want to deploy. You can click Browse to select a different application to deploy. b. Collection Click Browse and select the collection that you selected for enablement in the Windows Intune Subscription Wizard. Important Selecting the device collection All Mobile Devices will not deploy apps to iOS, Android, Windows Phone 8, or Windows RT. You must select the same user collection or a subset of the user collection that you selected in the Windows Intune Subscription Wizard. 5. Click Next. 6. On the Content page of the wizard, select Manage.Microsoft.com as your distribution point. Click Next. 7. On the Deployment Settings page of the Deploy Software Wizard, specify the following information: a. Action From the drop-down list, select Install to install the application. b. Purpose From the drop-down list, select Available. When you manage mobile devices by using the Windows Intune connector, apps must be configured as Available and do not support Required. 8. Complete the wizard by specifying your preferred setting for the alerts and scheduling pages. The User Experience page is not relevant to mobile devices.

Expired Certificates for Mobile Device Apps

On iOS, Windows Phone 8, and Windows RT, if the certificate that is used to sign apps expires, apps are no longer available for users to download.
Platform Expired certificate consequences Resolution

iOS

Users can no longer install apps

Renew the APNs certificate and locate the Windows Intune Subscription iOS page to upload the new certificate. The new certificate must be created by using the same ID as the original certificate or devices have to be enrolled again.

Windows Phone 8

Users can no longer install

Renew the code signing

1266

Platform

Expired certificate consequences

Resolution

apps

certificate and go the Windows Intune Subscription page to upload the certificate. All apps signed with the previous certificate and the new certificate will run. Renew the code signing certificate and open the Windows Intune Subscription Wizard Windows RT page to upload the new certificate.

Windows RT

Users can no longer install apps

Hardware Inventory
You can inventory the following hardware properties by using the Windows Intune connector. For information about how to configure hardware inventory, see How to Configure Hardware Inventory in Configuration Manager.
Hardw are Invent ory Class Windows Phone 8 Windows RT iOS Avail able by usin g the Exch ange Serv er conn ector

Name

Device_ComputerSyste m.DeviceName Device_ComputerSyste m.DeviceClientID

Device_ComputerSystem. DeviceName Device_ComputerSystem. DeviceName

Device_ComputerSystem. DeviceName Device_ComputerSystem. UDID

Yes

Uniqu e Devic e ID Serial Numb

Yes

Not applicable

Not applicable

Device_ComputerSystem. SerialNumber

No

1267

Hardw are Invent ory Class

Windows Phone 8

Windows RT

iOS

Avail able by usin g the Exch ange Serv er conn ector

er Email Addre ss Opera ting Syste m Type Opera ting Syste m Versio n Build Versio n Servic e Pack Major Versio n Servic e Pack Minor Versio Device_Email.OwnerE mailAddress Device_Email.OwnerEmai lAddress Device_Email.OwnerEmail Address Yes

Device_OSInformation. Platform

CCM_OperatingSystem .SystemType

Not applicable

Yes

Device_ComputerSyste m.SoftwareVersion

Win32_OperatingSystem. Version

evice_OSInformation.OSV ersion

Yes

Not applicable

Win32_OperatingSystem. BuildNumber

Not applicable

No

Not applicable

Win32_OperatingSystem. ServicePackMajorVersion

Not applicable

No

Not applicable

Win32_OperatingSystem. ServicePackMinorVersion

Not applicable

Yes

1268

Hardw are Invent ory Class

Windows Phone 8

Windows RT

iOS

Avail able by usin g the Exch ange Serv er conn ector

n Opera ting Syste m Langu age Device_OSInformation. Language Not applicable Not applicable No

Total Not applicable Storag e Space Free Not applicable Storag e Space Intern Not applicable ational Mobile Equip ment Identit y or IMEI (IMEI) Mobile Not applicable Equip ment Identifi er

Win32_PhysicalMemory.C Device_Memory.DeviceCa apacity pacity

No

Win32_OperatingSystem. FreePhysicalMemory

Device_Memory.Available DeviceCapacity

No

Not applicable

Device_ComputerSystem.I Yes MEI

Not applicable

Device_ComputerSystem. MEID

No

1269

Hardw are Invent ory Class

Windows Phone 8

Windows RT

iOS

Avail able by usin g the Exch ange Serv er conn ector

(MEID ) Manuf acture r Model Device_ComputerSyste m.DeviceManufacturer Win32_ComputerSystem. Manufacturer Not applicable No

Device_ComputerSyste m.DeviceModel Not applicable

Win32_ComputerSystem. Model Not applicable

ModelName

Yes

Phone Numb er Subsc riber Carrie r Cellul ar Techn ology Wi-Fi MAC

Device_ComputerSystem. PhoneNumber

Yes

Not applicable

Not applicable

Device_ComputerSystem. SubscriberCarrierNetwork

Yes

Not applicable

Not applicable

Device_ComputerSystem. CellularTechnology

No

Not applicable

Win32_NetworkAdapter.M ACAddress

Device_WLAN.WiFiMAC

No

See Also
Operations and Maintenance for Client Deployment in Configuration Manager

1270

How to Manage Clients in Configuration Manager

When a System Center 2012 Configuration Manager client is installed and successfully assigned to a Configuration Manager site, you will see the device in the Assets and Compliance workspace in the Devices node, and in one or more collections in the Device Collections node. When you select the device or collection that contains the device, you can select various management operations. However, there are also other ways to manage the client, which might involve other workspaces in the console, or tasks that dont use the Configuration Manager console. Use this topic for overview information for the tasks that can manage a Configuration Manager client from the Assets and Compliance workspace, as well as more detailed information about additional tasks to help you manage the Configuration Manager client. For information about how to configure the client, see How to Configure Client Settings in Configuration Manager. Managing the Client from the Assets and Compliance Workspace Managing Clients from the Devices Node Managing Clients from the Device Collections Node Configure the Client Cache for Configuration Manager Clients Uninstall the Configuration Manager Client Manage Conflicting Records for Configuration Manager Clients Initiate Policy Retrieval for a Configuration Manager Client

Additional Tasks for Managing the Client

Managing the Client from the Assets and Compliance Workspace

Use the information in the following tables for an overview of the management tasks that you can perform for client devices in the Assets and Compliance workspace: Managing Clients from the Devices Node Managing Clients from the Device Collections Node Note A Configuration Manager client might be installed but not displayed in the Configuration Manager console. This scenario can happen if the client hasnt yet successfully assigned to a site, or the console must be refreshed or a collection membership updated. Additionally, a device can also display in the console when the Configuration Manager client is not installed. This scenario can happen if the device is discovered but the Configuration Manager client is not installed and assigned. Mobile devices that are managed by using the Exchange Server connector do not install the Configuration

1271

Manager client. Additionally, devices that are enrolled by Windows Intune do not install the Configuration Manager client. Use the Client column in the Configuration Manager console to determine whether the Configuration Manager client is installed so that you can manage it from the Configuration Manager console.

Managing Clients from the Devices Node

Use the following procedure and table to manage one or more devices from the Devices node in the Assets and Compliance workspace. Important Depending on the device type, some of these options might not be available. To manage clients from the Devices node 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, click Devices. 3. Select one or more devices, and then select one of the available client management tasks from the ribbon, or by right-clicking the device.
Task More information

Manage user device affinity information

Allows you to configure the associations between users and devices, which enables you to efficiently deploy software to users. See How to Manage User Device Affinity in Configuration Manager

Add the device to a new or existing collection

Use these collection-related actions to quickly add the selected device to a collection, by using a direct rule. Operations and Maintenance for Collections in Configuration Manager

Install and reinstall the client by using the Client Push wizard

The Client Push wizard offers an efficient way to install and reinstall the Configuration Manager client to repair it or to reconfigure it on computers that run Windows with site configuration options and with any additional client.msi properties that you have specified for client push installation. Tip There are many different ways
1272

to install (and reinstall) the Configuration Manager client. Although the Client Push wizard offers a convenient client installation method because you can run it from the console, this client installation method has many dependencies and is not suitable for all environments. If you cannot successfully install the client by using client push, there are many other client installation methods that you can use. For more information about the dependencies, see Prerequisites for Computer Clients. For more information about the other client installation methods, see Determine the Client Installation Method to Use for Windows Computers in Configuration Manager. See How to Install Configuration Manager Clients by Using Client Push. Remotely administer the client You can run Resource Explorer to see the hardware and software inventory information from a Windows client, and remotely administer it by using Remote Control, Remote Assistance, or Remote Desktop. See How to Use Resource Explorer to View Hardware Inventory in Configuration Manager. See How to Remotely Administer a Client Computer by Using Configuration Manager. Approve a client When the client communicates with site systems by using HTTP and a self-signed certificate, you must approve these clients to identify them as trusted computers. By
1273

default, the site configuration automatically approves clients from the same Active Directory forest and trusted forests so you do not have to manually approve each client. However, you must manually approve workgroup computers that you trust and any other computers that you trust but are not approved. Warning Although some management functions might work for unapproved clients, this is an unsupported scenario for Configuration Manager. You do not have to approve clients that always communicate to site systems by using HTTPS rather than HTTP, or clients that use a PKI certificate when they communicate to site systems by using HTTP. These clients establish trust with Configuration Manager by using the PKI certificates. Block or unblock a client Block a client that you no longer trust, to prevent it from receiving client policy and to prevent Configuration Manager site systems from communicating with it. Warning Blocking a client only prevents communication from the client to Configuration Manager site systems and does not prevent communication to other devices. In addition, when the client communicates to site systems by using HTTP instead of HTTPS, there are some security limitations. If you later change your mind, you can unblock a client that has been blocked. However, if you unblock an Intel AMTbased computer that was provisioned for
1274

AMT when it was blocked, you must take additional steps before you can manage that computer again out of band. See Determine Whether to Block Clients in Configuration Manager. Manage the client out of band For Intel AMT-based computers that are provisioned by Configuration Manager, you can manage these computers out of band by using power actions from the console and by connecting to them by using the Out of Band Management console. See How to Manage AMT-based Computers Out of Band in Configuration Manager. Clear a required PXE deployment Use this option to redeploy any required PXE deployments for the selected computer. See How to Deploy Operating Systems by Using PXE in Configuration Manager Manage the client properties You can view the discovery data and deployments targeted for the client. You can also configure any variables that task sequences use to deploy an operating system to the device. Warning Do not delete a client if you want to uninstall the Configuration Manager client or remove it from a collection. The Delete action manually deletes the client record from the Configuration Manager database and typically, you should not use this action unless it is for troubleshooting scenarios. If you delete the client record and the Configuration Manager client is still installed and communicating with Configuration Manager, Heartbeat Discovery will recreate the client record and it will reappear in the Configuration Manager console, although the client
1275

Delete the client

history and any previous associations will be lost. Note When you delete a mobile device client that was enrolled by Configuration Manager, this action also revokes the PKI certificate that was issued to the mobile device and this certificate is then rejected by the management point, even if IIS does not check the CRL. Certificates on mobile device legacy clients are not revoked when you delete these clients. To uninstall the client, see Uninstall the Configuration Manager Client. To assign the client to a new primary site, see How to Assign Clients to a Site in Configuration Manager. To remove the client from a collection, reconfigure the collection properties. See How to Manage Collections in Configuration Manager. Wipe a mobile device You can wipe mobile devices that have the Configuration Manager client installed and mobile devices that are managed by using the Exchange Server connector. This action permanently removes all data on the mobile device, which includes personal settings and personal data. Typically, this action resets the mobile device back to factory defaults. Wipe a mobile device when the mobile device is no longer trusted; for example, it has been lost or stolen. Tip Check the manufacturers documentation for more information about how the
1276

mobile device processes a remote wipe command. When you send a wipe request, there is often a delay until the mobile device receives the wipe command: If the mobile device is enrolled by Configuration Manager, the client receives the wipe command when it next downloads its client policy. If the mobile device is managed by the Exchange Server connector, the mobile device receives the wipe command when it next synchronizes with Exchange.

You can use the Wipe Status column to monitor when the mobile device receives the wipe command. Until the mobile device sends a wipe acknowledgment to Configuration Manager, you can cancel the wipe command. Retire a mobile device For Configuration Manager SP1 only: The Retire option is supported only by mobile devices that are enrolled by Windows Intune.

Managing Clients from the Device Collections Node

Use the following procedure and table to manage devices in a collection from the Device Collections node in the Assets and Compliance workspace. Many of the client management tasks that you can perform when you select a single device or multiple devices from the Devices node can also be performed at the collection level. This has the advantage of automatically applying the management task to all eligible devices in the collection. Although this can be a convenient method to manage multiple clients at the same time, it can also generate a lot of network packets and increase the CPU usage on the site server. There are also some client management tasks that can only be performed at the collection level, which are listed in the following table. Before you perform collection-level client management tasks, consider how many devices are in the collection, whether they are connected by low-bandwidth network connections, and how long the task will take to complete for all the devices. When you perform a client management task, you cannot stop it from the console.
1277

To manage clients from the Device Collections node 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, click Device Collections. 3. Select a collection, and then select one of the available client management tasks from the ribbon, or by right-clicking the collection.
Task More information

Scan computers for malware and download antimalware definition files.

See Operations and Maintenance for Endpoint Protection in Configuration Manager.

Deploy software, For more information about configuration baselines, and deploying software and task sequences. configuration baselines, see the following: Deploying Software and Operating Systems in System Center 2012 Configuration Manager Compliance Settings in Configuration Manager

Configure power management settings.

See How to Create and Apply Power Plans in Configuration Manager. Power plans can only be used with computers that run Windows. Configure this option when the site has been configured to provision Intel AMT-based computers so that you can manage them out of band. See Displaying the AMT Status and Enabling AMT provisioning

Enable AMT provisioning.

Notify computers to download policy as soon as possible.

For Configuration Manager SP1 only: Use client notification to notify the selected Windows clients to download computer policy as soon as possible outside the configured client policy polling
1278

interval. Client notification tasks are displayed in the Client Operations node in the Monitoring workspace.

Additional Tasks for Managing the Client

In addition to the management tasks that are available in the Assets and Compliance workspace, you can also manage the Configuration Manager client by using the following tasks: Configure the Client Cache for Configuration Manager Clients Uninstall the Configuration Manager Client Manage Conflicting Records for Configuration Manager Clients Initiate Policy Retrieval for a Configuration Manager Client

Configure the Client Cache for Configuration Manager Clients

You can configure the location and amount of disk space that Windows Configuration Manager clients use to store temporary files for when they install applications and programs. Software updates also use the client cache, but software updates are not restricted by the configured cache size and will always attempt to download to the cache. You can configure the client cache settings when you install the Configuration Manager client manually, when you use client push installation, or after the client is installed. The default location for the Configuration Manager client cache is %windir%\ccmcache and the default disk space is 5120 MB. Important Do not encrypt the folder used for the client cache. Configuration Manager cannot download content to an encrypted folder. Note More information about the client cache: The Configuration Manager client downloads the content for required software soon after it receives the deployment but waits to run it until the deployment scheduled time. At the scheduled time, the Configuration Manager client checks to see whether the content is available in the cache. If content is in the cache and it is the correct version, the client always uses this cached content. However, when the required version of the content has changed or if the content was deleted to make room for another package, the content is downloaded to the cache again. If the client attempts to download content for a program or application that is greater than the size of the cache, the deployment fails because of insufficient cache size and
1279

Configuration Manager generates status message ID 10050. If the cache size is increased later, the download retry behavior is different for a required program and a required application: For a required program: The client does not automatically retry to download the content. You must redeploy the package and program to the client. For a required application: Because an application deployment is state-based, the client automatically retries to download the content when it next downloads its client policy. If the client attempts to download a package that is less than the size of the cache but the cache is currently full, all required deployments keep retrying until the cache space is available, until the download times out, or until the retry limit is reached for the cache space failure. If the cache size is increased later, the Configuration Manager client attempts to download the package again during the next retry interval. The client tries to download the content every four hours until it has tried 18 times. Cached content is not automatically deleted but remains in the cache for at least one day after the client used that content. If you configure the package properties with the option to persist content in the client cache, the client does not automatically delete the package content from the cache. If the client cache space is used by packages that have been downloaded within the last 24 hours and the client must download new packages, you can either increase the client cache size or choose the delete option to delete persisted cache content. Use the following procedures to configure the client cache during manual client installation, or after the client is installed. To configure the client cache when you install clients by using manual client installation Run the CCMSetup.exe command from the install source location and specify the following properties that you require, and separated by spaces: DISABLECACHEOPT: SMSCACHEDIR: SMSCACHEFLAGS: SMSCACHESIZE: Note For more information about these command line properties for CCMSetup.exe, see About Client Installation Properties in Configuration Manager. To configure the client cache folder when you install clients by using client push installation 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, and then click Sites. 3. In the Sites list, select the site for which you want to configure automatic site-wide client push installation.
1280

4. On the Home tab, in the Settings group, click Client Installation Settings, and then click the Installation Properties tab. 5. On the Installation Properties tab, specify the following properties that you require, and separate them by using spaces: DISABLECACHEOPT: SMSCACHEDIR: SMSCACHEFLAGS: SMSCACHESIZE: Note For more information about these command line properties for CCMSetup.exe, see About Client Installation Properties in Configuration Manager. 6. Click OK to save the properties that you have specified. To configure the client cache folder without reinstalling the client 1. On the client computer, navigate to Configuration Manager in Control Panel, and then double-click to open the properties. 2. Click the Cache tab. 3. Specify the disk space to reserve for the client cache. 4. To change the location of the client cache folder, click Change Location, and then specify the new location. The default location is %windir%\ccmcache. 5. To delete the files currently stored in the client cache folder, click Delete Files. 6. Click OK to close Configuration Manager Properties.

Uninstall the Configuration Manager Client

You can uninstall the Windows Configuration Manager client software from a computer by using CCMSetup.exe with the /Uninstall property. Run CCMSetup.exe on an individual computer from the command prompt or deploy a package and program to uninstall the client for a collection of computers. Warning You cannot uninstall the Configuration Manager client from a mobile device. If you must remove the Configuration Manager client from a mobile device, you must wipe the device, which deletes all data on the mobile device. Use the following procedure to uninstall the Configuration Manager client from computers. To uninstall the Configuration Manager client from the command prompt 1. Open a Windows command prompt and change the folder to the location in which CCMSetup.exe is located.
1281

2. Type Ccmsetup.exe /uninstall, and then press Enter. Note The uninstall process is silent and displays no results on the screen. To verify that client uninstallation has succeeded, examine the log file CCMSetup.log in the folder %windir%\ ccmsetup folder on the client computer.

Manage Conflicting Records for Configuration Manager Clients

Configuration Manager uses the hardware ID to attempt to identify clients that might be duplicates and alert you to the conflicting records. For example, if you reinstall a computer, the hardware ID would be the same but the GUID used by Configuration Manager might be changed. When Configuration Manager can resolve a conflict by using Windows authentication of the computer account or a PKI certificate from a trusted source, the conflict is automatically resolved for you. However, when Configuration Manager cannot resolve the conflict, it uses a hierarchy setting that either automatically merges the records when it detects duplicate hardware IDs (the default setting), or allows you to decide when to merge, block, or create new client records. If you decide to manually manage duplicate records, you must manually resolve the conflicting records by using the Configuration Manager console. To change the hierarchy setting for managing conflicting records 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, and then click Sites. 3. In the Sites group, click Hierarchy Settings, and then click the Client Approval and Conflicting Records tab. 4. Click either Automatically resolve conflicting records to automatically merge conflicting records, or click Manually resolve conflicting records, and then click OK. Note When Configuration Manager can resolve the conflict by using the computer account or a PKI certificate, this setting is ignored and the conflict is automatically resolved. To manually resolve conflicting records 1. In the Configuration Manager console, click Monitoring. 2. In the Monitoring workspace, expand System Status, and then click Conflicting Records. 3. In the results pane, select one or more conflicting records, and then click Conflicting Record. 4. In the Conflicting Record dialog box, select one of the following, and then click OK: Merge to combine the newly detected record with the existing client record, creating
1282

one unified record. New to create a new record for the conflicting client record. Block to create a new record for the conflicting client record, but mark it as blocked.

Initiate Policy Retrieval for a Configuration Manager Client

A Windows Configuration Manager client downloads its client policy on a schedule that you configure as a client setting. However, there might be occasions when you want to initiate ad-hoc policy retrieval from the clientfor example, in a troubleshooting scenario or when you are testing. Use the following procedures to initiate ad-hoc policy retrieval from the client outside its scheduled polling interval, either by using the Actions tab on the Configuration Manager client or by running a script on the computer. You must be logged on to the client computer with local administrative rights to perform these procedures. Note For Configuration Manager SP1 only: You can use client notification to initiate client policy retrieval outside the scheduled client policy polling interval. You can manage clients that run Linux and UNIX. For information about policy retrieval for clients that run Linux and UNIX, see the Computer Policy for Linux and UNIX Servers section in the How to Manage Linux and UNIX Clients in Configuration Manager topic. To initiate client policy retrieval by using client notification (Configuration Manager SP1 only) 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, click Device Collections. 3. Select the device collection containing the computers that you want to download policy and then, in the Home tab, in the Collections group, click Client Notification and then click Download Computer Policy. Note You can also use client notification to initiate policy retrieval for one of more selected devices that are displayed in a temporary collection node under the Devices node. To manually initiate client policy retrieval by using the Actions tab on the Configuration Manager client 1. Select Configuration Manager in the Control Panel of the computer. 2. Click the Actions tab. 3. Click Machine Policy Retrieval & Evaluation Cycle to initiate the computer policy, and then click Run Now.
1283

4. Click OK to confirm the prompt. 5. Repeat steps 3 and 4 for any other actions that you require, such as User Policy Retrieval & Evaluation Cycle for user client settings. 6. Click OK to close Configuration Manager Properties. To manually initiate client policy retrieval by using a script 1. Open a text editor, such as Notepad. 2. Copy and insert the following into the file: on error resume next

dim oCPAppletMgr 'Control Applet manager object. dim oClientAction 'Individual client action. dim oClientActions 'A collection of client actions.

'Get the Control Panel manager object. set oCPAppletMgr=CreateObject("CPApplet.CPAppletMgr")

if err.number <> 0 then Wscript.echo "Couldn't create control panel application manager" WScript.Quit end if

'Get a collection of actions. set oClientActions=oCPAppletMgr.GetClientActions if err.number<>0 then wscript.echo "Couldn't get the client actions" set oCPAppletMgr=nothing WScript.Quit end if

'Display each client action name and perform it. For Each oClientAction In oClientActions

if oClientAction.Name = "Request & Evaluate Machine Policy" then

1284

wscript.echo "Performing action " + oClientAction.Name oClientAction.PerformAction end if next

set oClientActions=nothing set oCPAppletMgr=nothing 3. Save the file with a .vbs extension. 4. On the client computer, run the file using one of the following methods: Navigate to the file by using Windows Explorer, and double-click the script file. Open a command prompt, and type: cscript <path\filename.vbs>.

5. Click OK in the Windows Script Host dialog box.

See Also
Operations and Maintenance for Client Deployment in Configuration Manager

How to Monitor Clients in Configuration Manager

There are various tasks that you can use to verify that System Center 2012 Configuration Manager clients have been successfully installed and assigned to a site. There are further tasks that you can use to ensure that clients remain managed. Use the following procedures to help you monitor Configuration Manager clients and devices: To use reports to verify Configuration Manager client deployment To use client status to monitor Configuration Manager client computers that run Windows

For information about how to configure client status, see How to Configure Client Status in Configuration Manager. Important Some client reports require that clients are assigned to a fallback status point. For more information about the fallback status point, see Determine Whether You Require a Fallback Status Point. Client status information is updated, by default, one time a day. You can modify this interval in the Schedule Client Status Update dialog box. For more information, see How to Configure Client Status in Configuration Manager.

1285

Note For Configuration Manager SP1 only: For information about using reports to view information clients that run Linux and UNIX, see the How to use Reports to View Information for Linux and UNIX Servers section in the How to Monitor Linux and UNIX Clients in Configuration Manager topic. To use reports to verify Configuration Manager client deployment 1. In the Configuration Manager console, click Monitoring. 2. In the Monitoring workspace, expand Reporting, and then click Reports. 3. In the Reports pane, click the Category heading to order the reports by type: For client deployment, use the Client Information and Client Push folders For client status, use the Client Status folder. For mobile devices, use the Mobile Devices folder

4. Click the report that you want to run, and then on the Home tab, in the Report Group group, click Run. 5. In the report name pane, click View Report. To use client status to monitor Configuration Manager client computers that run Windows 1. In the Configuration Manager console, click Monitoring. 2. In the Monitoring workspace, expand Client Status. 3. In the Client Status node, review the following information: Overall Client Status Displays high-level information about computers in your hierarchy that might be experiencing problems. You can click any item on the list to create a temporary collection under the Devices node of the Assets and Compliance workspace. When you click the temporary collection, a list of computers with the status you selected is displayed together with further information that can help you to troubleshoot problems. Most Frequent Client Check Errors Displays a graph that shows the most frequent reasons why client computers failed client checks. Client activity for all devices Displays a chart showing active computers, inactive computers and computers with no Configuration Manager client installed. Click a section of the pie chart to create a temporary collection under the Devices node of the Assets and Compliance workspace. When you click the temporary collection, a list of computers with the status you selected is displayed together with further information that can help you to troubleshoot problems. Client activity trend for all clients Displays a graph showing client activity over a specified period. You can configure the time period to display from the Client activity period drop-down list.

4. In the Client Activity node, review the following information:

1286

Note If you want to build an accurate Trends graph, do not configure the client status update recurrence interval to be longer than 1 day. 5. In the Client Check node, review the following information: Client check results for all devices Displays a chart showing computers that passed client check, computers that failed client check, computers that have not reported results and computers with no Configuration Manager client installed. Click a section of the pie chart to create a temporary collection under the Devices node of the Assets and Compliance workspace. When you click the temporary collection, a list of computers with the status you selected is displayed together with further information that can help you to troubleshoot problems and you can click the Client Check Detail tab in the details pane to discover any remediation actions that Configuration Manager took. Note Client status does not summarize or display data for computers that have been marked as obsolete in the Configuration Manager database. Client check trend for all active clients Displays a graph showing client computers that passed client check over a specified period. You can configure the time period to display from the Client check period drop-down list.

Additionally, you can use Configuration Manager reports to find out more information about the status of clients in your hierarchy. Client status reports have the category of Client Status. For more information about how to run reports, see Reporting in Configuration Manager.

See Also
Operations and Maintenance for Client Deployment in Configuration Manager

How to Manage Linux and UNIX Clients in Configuration Manager

Note The information in this topic applies only to System Center 2012 Configuration Manager SP1. When you manage Linux and UNIX servers with System Center 2012 Configuration Manager, you can configure collections, maintenance windows, and client settings to help manage the servers. In addition, although the Configuration Manager client for Linux and UNIX does not have a user interface, you can force the client to manually poll for client policy. The following sections provide more information about these configurations.
1287

Collections of Linux and UNIX Servers Maintenance Windows for Linux and UNIX Servers Client Settings for Linux and UNIX Servers Computer Policy for Linux and UNIX Servers How to Manage Certificates on the Client for Linux and UNIX

Collections of Linux and UNIX Servers

You use collections to manage groups of Linux and UNIX servers in the same way you use collections to manage other client types. Collections can be direct membership collections or query based collections that identify client operating systems, hardware configurations, or other details about the client that are stored in the site database. For example, you can use collections that include Linux and UNIX servers to manage the following: Client settings Software deployments Enforce maintenance windows

Before you can identify a Linux or UNIX client by its operating system or distribution, you must successfully collect hardware inventory from the client. For information about collecting hardware inventory, see Hardware Inventory for Linux and UNIX in Configuration Manager. The default client settings for hardware inventory include information about a client computers operating system. You can use the Caption property of the Operating System class to identify the operating system of a Linux or UNIX server. You can view details about computers that run the Configuration Manager client for Linux and UNIX in the Devices node of the Assets and Compliance workspace in the Configuration Manager console. In the Asset and Compliance workspace of the Configuration Manager console, you can view the name of each computers operating system in the Operating System column. By default, Linux and UNIX servers are members of the All Systems collection. It is recommended that you build custom collections that include only Linux and UNIX servers, or a subset of them. This enables you to manage operations such as deploying software or assigning client settings to groups of applicable computers. For example, if you deploy software for RHEL6 x64 computers to a collection that contains both Windows and Linux computers, the status for the deployment will show partial success. Instead, when you deploy software to a collection that contains only RHEL6 x64 computers, you can use status messages and reports to accurately identify the success of the deployment. When you build a custom collection for Linux and UNIX servers, include membership rule queries that include the Caption attribute for the Operating System attribute. For information about creating collections, see How to Create Collections in Configuration Manager.

1288

Maintenance Windows for Linux and UNIX Servers

The Configuration Manager client for Linux and UNIX servers supports the use of maintenance windows. This support is unchanged from that for Windows-based clients. For more information about how to use maintenance windows, see How to Use Maintenance Windows in Configuration Manager.

Client Settings for Linux and UNIX Servers

You can configure client settings that apply to Linux and UNIX servers the same way you configure settings for other clients. By default, the Default Client Agent Settings apply to Linux and UNIX servers. You can also create custom client settings and deploy them to collections that contain specific client operating systems, or a mix of client operating systems. There are no additional client settings that apply only to Linux and UNIX clients. However, there are default client settings that do not apply to Linux and UNIX clients. The client for Linux and UNIX only applies settings for functionality that it supports, and any configurations for unsupported functionality are ignored. For example, you create custom client device setting that specify a hardware inventory schedule and then assign it to a collection that includes Linux computers. The result is that the hardware inventory schedule is enforced on the Linux and UNIX servers. Next, you create a custom client device setting that enables and configures remote control settings, and assign it to that same collection. The result is that the remote control settings are ignored by the Linux and UNIX servers. This is because the client for Linux and UNIX does not support remote control in Configuration Manager. For information about configuring client settings, see How to Configure Client Settings in Configuration Manager.

Computer Policy for Linux and UNIX Servers

The Configuration Manager client for Linux and UNIX servers periodically polls its site for computer policy to learn about requested configurations, and to check for deployments. You can also force the client on a Linux or UNIX server to immediately poll for computer policy. To poll immediately, use root credentials on the server to run the following command: /opt/microsoft/configmgr/bin/ccmexec -rs policy Details about the computer policy poll are entered into the shared client log file, scxcm.log. Note The Configuration Manager client for Linux and UNIX never requests nor processes user policy.

1289

How to Manage Certificates on the Client for Linux and UNIX

After you install the client for Linux and UNIX, you can use the certutil tool to update the client with a new PKI certificate, and to import a new Certificate Revocation list (CRL). When you install the client for Linux and UNIX, this tool is placed in the following location: /opt/microsoft/configmgr/bin/certutil To manage certificates, on each client run the following commands: To update the certificate on a client: certutil -importPFX <Path to the PKCS#12 certificate> -password <Certificate password> [-rootcerts <comma-separated list of certificates>] To update the CRL on the client: certutil -importcrl <comma separated CRL file paths>

How to Monitor Linux and UNIX Clients in Configuration Manager

Note The information in this topic applies only to System Center 2012 Configuration Manager SP1. You can view information from Linux and UNIX servers in the Configuration Manager console using the same methods you use to view information from Windows-based clients. The information you can view includes: Status details from clients, in the Configuration Manager console dashboards Details about clients in the default Configuration Manager reports Inventory details in the Resource Explorer

The following sections provide information about using the resource explorer and reports to view details about your Linux and UNIX servers.

How to use Resource Explorer to View Inventory for Linux and UNIX Servers
You can view hardware and installed software details on Linux and UNIX servers by using Resource Explorer. After a Configuration Manager client submits hardware inventory to the Configuration Manager site, you can use Resource Explorer to view this information. The Configuration Manager client for Linux and UNIX does not add new classes or views for inventory to the Resource Explorer. The Linux and UNIX inventory data maps to existing WMI classes. You can view the inventory details for your Linux and UNIX servers in the Windows-based classifications using Resource Explorer.
1290

For example, you can collect the list of all natively installed programs found on your Linux and UNIX servers. Examples of natively installed programs include .rpms in Linux or .pkgs in Solaris. After inventory has been submitted by a Linux or UNIX client, you can view the list of all the natively installed Linux or UNIX programs in Resource Explorer in the Configuration Manager console. For information about how to use Resource Explorer, see How to Use Resource Explorer to View Hardware Inventory in Configuration Manager.

How to use Reports to View Information for Linux and UNIX Servers
Reports for Configuration Manager include information from Linux and UNIX servers along with information from Windows-based computers. No additional configurations are required to integrate the Linux and UNIX data in the reports. For example, if you run the report named Count of Operating System Versions, it displays the list of the different operating systems and the number of clients that are running each operating system. The report is based on the hardware inventory information that was sent by the different Configuration Manager clients that run on the different operating systems. It is also possible to create custom reports that are specific to Linux and UNIX server data. The Caption property of the hardware inventory class Operating System is a useful attribute that you can use to identify specific Operating Systems in the report query. For information about reports in Configuration Manager, see Reporting in Configuration Manager.

Security and Privacy for Clients in Configuration Manager

Note This topic appears in the Deploying Clients for System Center 2012 Configuration Manager guide and in the Security and Privacy for System Center 2012 Configuration Manager guide. This section contains security and privacy information for clients in System Center 2012 Configuration Manager and for mobile devices that are managed by the Exchange Server connector: Security Best Practices for Configuration Manager Clients and for Mobile Devices that are Managed by the Exchange Server Connector Security Issues for Configuration Manager Clients Privacy Information for Configuration Manager Clients Privacy Information for Mobile Devices that are Managed by Using the Exchange Server Connector
1291

Security Best Practices for Configuration Manager Clients and for Mobile Devices that are Managed by the Exchange Server Connector
When Configuration Manager accepts data from devices that run the Configuration Manager client, this introduces the risk that the clients could attack the site. For example, they could send malformed inventory, or attempt to overload the site systems. Deploy the Configuration Manager client only to devices that you trust. In addition, use the following security best practices to help protect the site from rogue or compromised devices:
Security best practice More information

Use public key infrastructure (PKI) certificates for client communications with site systems that run IIS:

These certificates are required for mobile device clients and for client computer connections on the Internet, and, with the exception of distribution As a site property, configure Site points, are recommended for all client connections system settings for HTTPS only. on the intranet. Install clients with the /UsePKICert CCMSetup property Use a certificate revocation list (CRL) and make sure that clients and communicating servers can always access it. For more information about the PKI certificate requirements and how they are used to help protect Configuration Manager, see PKI Certificate Requirements for Configuration Manager.

Automatically approve client computers from trusted domains and manually check and approve other computers

Approval identifies a computer that you trust to be managed by Configuration Manager when you cannot use PKI authentication. You can configure approval for the hierarchy as manual, automatic for computers in trusted domains, or automatic for all computers. The most secure approval method is to automatically approve clients that are members of trusted domains, and then manually check and approve all other computers. Automatically approving all clients is not recommended unless you have other access controls to prevent untrustworthy computers from accessing your network. For more information about how to manually approve computers, see Managing Clients from the Devices Node.

Do not rely on blocking to prevent clients from accessing the

Blocked clients are rejected by the Configuration Manager infrastructure so that they cannot
1292

Security best practice

More information

Configuration Manager hierarchy

communicate with site systems to download policy, upload inventory data, or send state or status messages. However, do not rely on blocking to protect the Configuration Manager hierarchy from untrusted computers when site systems accept HTTP client connections. In this scenario, a blocked client could re-join the site with a new self-signed certificate and hardware ID. Blocking is designed to be used to block lost or compromised boot media when you deploy an operating system to clients and when all site systems accept HTTPS client connections. If you use a public key infrastructure (PKI) and it supports a certificate revocation list (CRL), always consider certificate revocation to be the primary line of defense against potentially compromised certificates. Blocking clients in Configuration Manager offers a second line of defense to protect your hierarchy. For more information, see Determine Whether to Block Clients in Configuration Manager.

Use the most secure client installation methods that are practical for your environment: For domain computers, Group Policy client installation and software update-based client installation methods are more secure than client push installation. Imaging and manual installation can be very secure if you apply access controls and change controls.

Of all the client installation methods, client push installation is the least secure because of the many dependencies it has, which includes local administrative permissions, the Admin$ share, and many firewall exceptions. These dependencies increase your attack surface. For more information about the different client installation methods, see Determine the Client Installation Method to Use for Windows Computers in Configuration Manager. In addition, wherever possible, select a client installation method that requires the least security permissions in Configuration Manager, and restrict the administrative users that are assigned security roles that include permissions that can be used for purposes other than client deployment. For example, automatic client upgrade requires the Full Administrator security role, which grants an administrative user all security permissions. For more information about the dependencies and
1293

Security best practice

More information

security permissions required for each client installation method, see Installation Method Dependencies in the Prerequisites for Computer Clients section in the Prerequisites for Windows Client Deployment in Configuration Manager topic. If you must use client push installation, take additional steps to secure the Client Push Installation Account Although this account must be a member of the local Administrators group on each computer that will install the Configuration Manager client software, never add the Client Push Installation Account to the Domain Admins group. Instead, create a global group and add that global group to the local Administrators group on your client computers. You can also create a Group Policy object to add a Restricted Group setting to add the Client Push Installation Account to the local Administrators group. For additional security, create multiple Client Push Installation Accounts, each with administrative access to a limited number of computers so that if one account is compromised, only the client computers to which that account has access are compromised. Remove certificates prior to imaging client computer If you plan to deploy clients by using imaging technology, always remove certificates such as PKI certificates that include client authentication and self-signed certificates prior to capturing the image. If you do not remove these certificates, clients might impersonate each other and you would not be able to verify the data for each client. For more information about using Sysprep to prepare a computer for imaging, see your Windows deployment documentation.. Ensure that the Configuration Manager computer clients get an authorized copy of these certificates: The Configuration Manager trusted root key The site server signing certificate Trusted root key: If you have not extended the Active Directory schema for Configuration Manager, and clients do not use PKI certificates when they communicate with management points, clients rely on the Configuration Manager trusted root key to authenticate valid management points. In this scenario, clients have no way to verify that
1294

Security best practice

More information

the management point is a trusted management point for the hierarchy unless they use the trusted root key. Without the trusted root key, a skilled attacker could direct clients to a rogue management point. When clients cannot download the Configuration Manager trusted root key from the Global Catalog or by using PKI certificates, preprovision the clients with the trusted root key to make sure that they cannot be directed to a rogue management point. For more information, see the Planning for the Trusted Root Key section in the Planning for Security in Configuration Manager topic. Site server signing certificate: Clients use the site server signing certificate to verify that the site server signed the client policy that they download from a management point. This certificate is self-signed by the site server and published to Active Directory Domain Services. When clients cannot download the site server signing certificate from the Global Catalog, by default they download it from the management point. When the management point is exposed to an untrusted network (such as the Internet), manually install the site server signing certificate on clients to make sure that they cannot run client policies that have been tampered with from a compromised management point. To manually install the site server signing certificate, use the CCMSetup client.msi property SMSSIGNCERT. For more information, see About Client Installation Properties in Configuration Manager. Do not use automatic site assignment if the client will download the trusted root key from the first management point it contacts This security best practice is linked to the preceding entry. To avoid the risk of a new client downloading the trusted root key from a rogue management point, use automatic site assignment in the following
1295

Security best practice

More information

scenarios only: The client can access Configuration Manager site information that is published to Active Directory Domain Services. You pre-provision the client with the trusted root key. You use PKI certificates from an enterprise certification authority to establish trust between the client and the management point.

For more information about the trusted root key, see the Planning for the Trusted Root Key section in the Planning for Security in Configuration Manager topic. Install client computers with the CCMSetup Client.msi option SMSDIRECTORYLOOKUP=NoWINS The most secure service location method for clients to find sites and management points is to use Active Directory Domain Services. If this is not possible, for example, because you cannot extend the Active Directory schema for Configuration Manager, or because clients are in an untrusted forest or a workgroup, you can use DNS publishing as an alternative service location method. If both these methods fail, clients can fall back to using WINS when the management point is not configured for HTTPS client connections. Because publishing to WINS is less secure than the other publishing methods, configure client computers to not fall back to using WINS by specifying SMSDIRECTORYLOOKUP=NoWINS. If you must use WINS for service location, use SMSDIRECTORYLOOKUP=WINSSECURE (the default setting), which uses the Configuration Manager trusted root key to validate the self-signed certificate of the management point. Note When the client is configured for SMSDIRECTORYLOOKUP=WINSSECURE and finds a management point from WINS, the client checks its copy of the Configuration Manager trusted root key that is in WMI. If the signature on the
1296

Security best practice

More information

management point certificate matches the clients copy of the trusted root key, the certificate is validated, and the client communicates with the management point that it found by using WINS. If the signature on the management point certificate does not match the clients copy of the trusted root key, the certificate is not valid and the client will not communicate with the management point that it found by using WINS.

Make sure that maintenance windows are large enough to deploy critical software updates

You can configure maintenance windows for device collections to restrict the times that Configuration Manager can install software on these devices. If you configure the maintenance window to be too small, the client might not be able to install critical software updates, which leaves the client vulnerable to the attack that is mitigated by the software update. When write filters are enabled on Windows Embedded devices, any software installations or changes are made to the overlay only and do not persist after the device restarts. If you use Configuration Manager to temporarily disable the write filters to persist software installations and changes, during this period, the embedded device is vulnerable to changes to all volumes, which includes shared folders. Although Configuration Manager locks the computer during this period so that only local administrators can log on, whenever possible, take additional security precautions to help protect the computer. For example, enable additional restrictions on the firewall and disconnect the device from the network. If you use maintenance windows to persist changes, plan these windows carefully to minimize the time that write filters might be disabled but long enough to allow software installations and restarts to complete.
1297

For Windows embedded devices that have write filters, take additional security precautions to reduce the attack surface if Configuration Manager disables the write filters to persist software installations and changes

Security best practice

More information

If you use software update-based client installation and install a later version of the client on the site, update the software update that is published on the software update point so that clients receive the latest version

If you install a later version of the client on the site, for example, you upgrade the site, the software update for client deployment that is published to the software update point is not automatically updated. You must republish the Configuration Manager client to the software update point and click Yes to update the version number. For more information, see the procedure To publish the Configuration Manager client to the software update point in the How to Install Configuration Manager Clients by Using Software Update-Based Installation section in the How to Install Clients on Windows-Based Computers in Configuration Manager topic.

Configure the Computer Agent client device setting Suspend BitLocker PIN entry on restart to be Always only for computers that you trust and that have restricted physical access

When you set this client setting to Always, Configuration Manager can complete the installation of software to help to ensure that critical software updates are installed and that services are resumed. However, if an attacker intercepts the restart process, she could take control of the computer. Use this setting only when you trust the computer and when physical access to the computer is restricted. As an example, this setting might be appropriate for servers in a data center. This client setting allows the Configuration Manager client to run unsigned PowerShell scripts, which could allow malware to run on client computers. If you must select this option, use a custom client setting and assign it to only the client computers that must run unsigned PowerShell scripts. This role separation helps to protect the enrollment point from attack. If the enrollment point is compromised, an attacker could obtain certificates for authentication and steal the credentials of users who enroll their mobile devices.

Do not configure the Computer Agent client device setting PowerShell execution policy to be Bypass.

For mobile devices that you enroll with Configuration Manager and will support on the Internet: Install the enrollment proxy point in a perimeter network and the enrollment point in the intranet For mobile devices: Configure the password settings to help protect mobile devices from unauthorized

For mobile devices that are enrolled by Configuration Manager: Use a mobile device configuration item to configure the password
1298

Security best practice

More information

access

complexity to be the PIN and at least the default length for the minimum password length. For mobile devices that do not have the Configuration Manager client installed but that are managed by the Exchange Server connector: Configure the Password Settings for the Exchange Server connector such that the password complexity is the PIN and specify at least the default length for the minimum password length.

For mobile devices: Help prevent tampering of inventory information and status information by allowing applications to run only when they are signed by companies that you trust and do not allow unsigned files to be installed

For more mobile devices that are enrolled by Configuration Manager: Use a mobile device configuration item to configure the security setting Unsigned applications as Prohibited and configure Unsigned file installations to be a trusted source. For mobile devices that do not have the Configuration Manager client installed but that are managed by the Exchange Server connector: Configure the Application Settings for the Exchange Server connector such that Unsigned file installation and Unsigned applications are configured as Prohibited. For more mobile devices that are enrolled by Configuration Manager: Use a mobile device configuration item to configure the password setting Idle time in minutes before mobile device is locked. For mobile devices that do not have the Configuration Manager client installed but that are managed by the Exchange Server connector: Configure the Password Settings for the Exchange Server connector to configure Idle time in minutes before mobile device is locked.

For mobile devices: Help prevent elevation of privilege attacks by locking the mobile device when it is not used

For mobile devices: Help prevent elevation of privileges by restricting the users who can enroll their mobile devices.

Use a custom client setting rather than default client settings to allow only authorized users to enroll their mobile devices.

For mobile devices: Do not deploy A user device affinity relationship is created during applications to users who have mobile enrollment, which maps the user who performs
1299

Security best practice

More information

devices enrolled by Configuration Manager or Windows Intune in the following scenarios: When the mobile device is used by more than one person. When the device is enrolled by an administrator on behalf of a user. When the device is transferred to another person without retiring and then re-enrolling the device.

enrollment to the mobile device. If another user uses the mobile device, they will be able to run the applications that you deploy to the original user, which might result in an elevation of privileges. Similarly, if an administrator enrolls the mobile device for a user, applications deployed to the user will not be installed on the mobile device and instead, applications that are deployed to the administrator might be installed. Unlike user device affinity for Windows computers, you cannot manually define the user device affinity information for mobile devices that are enrolled by Windows Intune. If you transfer ownership of a mobile device that is enrolled by Windows Intune, retire the mobile device from Windows Intune to remove the user device affinity, and then ask the current user to enroll the device again.

For mobile devices: Make sure that users enroll their own mobile devices for Windows Intune.

Because a user device affinity relationship is created during enrollment, which maps the user who performs enrollment to the mobile device, if an administrator enrolls the mobile device for a user, applications deployed to the user will not be installed on the mobile device and instead, applications that are deployed to the administrator might be installed. Use IPsec if the Exchange Server is on-premise; hosted Exchange automatically secures the connection by using SSL.

For the Exchange Server connector: Make sure that the connection between the Configuration Manager site server and the Exchange Server computer is protected

For the Exchange Server connector: For a list of the minimum cmdlets that the Exchange Use the principle of least privileges for Server connector requires, see How to Manage the connector Mobile Devices by Using the Exchange Server Connector in Configuration Manager. For Mac computers in Configuration Manager SP1: Independently from Configuration Manager, monitor and track the validity period of the To ensure business continuity, monitor and track the validity period of the certificates that you use for Mac computers. Configuration Manager SP1 does not support automatic renewal of this certificate or
1300

Security best practice

More information

certificate that enrolled to users

warn you that the certificate is about to expire. A typical validity period is 1 year. For information about how to renew the certificate, see the Renewing the Mac Client Certificate sections in the How to Install Clients on Mac Computers in Configuration Manager topic.

Security Issues for Configuration Manager Clients

The following security issues have no mitigation: Status messages are not authenticated No authentication is performed on status messages. When a management point accepts HTTP client connections, any device can send status messages to the management point. If the management point accepts HTTPS client connections only, a device must obtain a valid client authentication certificate from a trusted root certification authority, but could also then send any status message. If a client sends an invalid status message it will be discarded. There are a few potential attacks against this vulnerability. An attacker could send a bogus status message to gain membership in a collection that is based on status message queries. Any client could launch a denial of service against the management point by flooding it with status messages. If status messages are triggering actions in status message filter rules, an attacker could trigger the status message filter rule. An attacker could also send status message that would render reporting information inaccurate. Policies can be retargeted to non-targeted clients There are several methods that attackers could use to make a policy targeted to one client apply to an entirely different client. For example, an attacker at a trusted client could send false inventory or discovery information to have the computer added to a collection it should not belong to, and then receive all the deployments to that collection. While controls exist to help prevent attackers from modifying policy directly, attackers could take an existing policy to reformat and redeploy an operating system and send it to a different computer, creating a denial of service. These types of attacks would require precise timing and extensive knowledge of the Configuration Manager infrastructure. Client logs allow user access All the client log files allow users Read access and Interactive Users Write access. If you enable verbose logging, attackers might read the log files to look for information about compliance or system vulnerabilities. Processes such as software installation that are performed in a user's context must be able to write to logs with a low-rights user account. This means an attacker could also write to the logs with a low rights account.

1301

The most serious risk is that an attacker could remove information in the log files that an administrator might need for auditing and intruder detection. A computer could be used to obtain a certificate that is designed for mobile device enrollment When Configuration Manager process an enrollment request, it cannot verify that the request originated from a mobile device rather than from a computer. If the request is from a computer, it can install a PKI certificate that then allows it to register with Configuration Manager. To help prevent an elevation of privilege attack in this scenario, only allow trusted users to enroll their mobile devices and carefully monitor enrollment activities. The connection from a client to the management point is not dropped if you block a client and the blocked client could continue to send client notification packets to the management point, as keep-alive messages For Configuration Manager SP1 only: When you block a client that you no longer trust, and it has established a client notification communication, Configuration Manager does not disconnect the session. The blocked client can continue to send packets to its management point until the client disconnects from the network. These packets are only small, keep-alive packets and these clients cannot be managed by Configuration Manager until they are unblocked. When you use automatic client upgrade and the client is directed to a management point to download the client source files, the management point is not verified as a trusted source For Configuration Manager SP1 only: If you use automatic client upgrade in a Configuration Manager hierarchy where some sites run Configuration Manager SP1 and some site run Configuration Manager with no service pack, a client in a Configuration Manager site with no service pack is directed to download the client source files from its assigned management point rather than from distribution points. This ensures that clients that are assigned to sites that run Configuration Manager with no service pack do not install Configuration Manager SP1 client source files, which would result in the client being unmanaged. In this scenario, the management point is not verified by the clients as a trusted source and it is possible to redirect clients to a rogue management point for the client installation files. However, this risk is low because clients will reject any client installation files that are not signed by Microsoft. Clients always verify trust before they download client policy from management points. If you use the options to commit changes on Windows Embedded devices in Configuration Manager SP1, accounts might be locked out sooner than expected If the Windows Embedded device is running an operating system that is prior to Windows 7 and a user attempts to log on while the write filters are disabled to commit changes made by Configuration Manager SP1, the number of incorrect logon attempts that are allowed before the account is locked out is effectively halved. For example, if the Account Lockout Threshhold is configured as 6 and a user mistypes their password 3 times, the account is locked out, effectively creating a denial of service situation. If users must log on to embedded devices in this scenario, caution them about the potential for a reduced lockout threshold.
1302

Privacy Information for Configuration Manager Clients

When you deploy the Configuration Manager client, you enable client settings so you can use Configuration Manager management features. The settings that you use to configure the features can apply to all clients in the Configuration Manager hierarchy, regardless of whether they are directly connected to the corporate network, connected through a remote session, or connected to the Internet but supported by Configuration Manager. Client information is stored in the Configuration Manager database and is not sent to Microsoft. The client information is stored in the Configuration Manager database. Information is retained in the database until it is deleted by the site maintenance tasks Delete Aged Discovery Data every 90 days. You can configure the deletion interval. Before you configure the Configuration Manager client, consider your privacy requirements.

Privacy Information for Mobile Device Clients that are Enrolled by Configuration Manager
For privacy information for when you enroll a mobile device by Configuration Manager, see Microsoft System Center 2012 Configuration Manager Privacy Statement - Mobile Device Addendum.

Client Status
Configuration Manager monitors the activity of clients and periodically evaluates and can remediate the Configuration Manager client and its dependencies. Client status is enabled by default, and it uses server-side metrics for the client activity checks, and client-side actions for self-checks, remediation, and for sending client status information to the Configuration Manager site. The client runs the self-checks according to a schedule that you can configure. The client sends the results of the checks to the Configuration Manager site. This information is encrypted during transfer. Client status information is stored in the Configuration Manager database and is not sent to Microsoft. The information is not stored in encrypted format in the site database. This information is retained in the database until it is deleted according to the value that is configured for the Retain client status history for the following number of days client status setting. The default value for this setting is every 31 days. Before you install the Configuration Manager client with client status checking, consider your privacy requirements.

1303

Privacy Information for Mobile Devices that are Managed by Using the Exchange Server Connector
The Exchange Server Connector finds and manages devices that connect to Exchange Server (on-premise or hosted) by using the ActiveSync protocol. The records found by the Exchange Server Connector are stored in the Configuration Manager database. The information is collected from Exchange Server. It does not contain any additional information from what the mobile devices send to Exchange Server. The mobile device information is not sent to Microsoft. The mobile device information is stored in the Configuration Manager database. Information is retained in the database until it is deleted by the site maintenance tasks Delete Aged Discovery Data every 90 days. You can configure the deletion interval. Before you install and configure the Exchange Server connector, consider your privacy requirements.

See Also
Deploying Clients for System Center 2012 Configuration Manager

Technical Reference for Client Deployment in Configuration Manager

This section contains technical reference information for client deployment in System Center 2012 Configuration Manager.

Technical Reference Topics

About Client Settings in Configuration Manager About Client Installation Properties in Configuration Manager About Client Installation Properties Published to Active Directory Domain Services in Configuration Manager Administrator Checklist: Deploying Clients in Configuration Manager Windows Firewall and Port Settings for Client Computers in Configuration Manager Example Scenario for Deploying and Managing Configuration Manager Clients on Windows Embedded Devices Technical Reference for the Configuration Manager Client for Linux and UNIX Administrator Checklist: Configuring Configuration Manager to Manage Mobile Devices by Using Windows Intune
1304

Other Resources for this Product

TechNet Library main page for System Center 2012 Configuration Manager Deploying Clients for System Center 2012 Configuration Manager

About Client Settings in Configuration Manager

All client settings in System Center 2012 Configuration Manager are managed in the Configuration Manager console from the Client Settings node in the Administration workspace. A set of default settings is supplied with Configuration Manager. When you modify the default client settings, these settings are applied to all clients in the hierarchy. You can also configure custom client settings, which override the default client settings when you assign these to collections. For information about how to configure client settings, see How to Configure Client Settings in Configuration Manager. Many of the client settings are self-explanatory. Use the following sections for more information about the client settings that might require some information before you configure them. Client settings for devices: Background Intelligent Transfer Client Policy Compliance Settings Computer Agent Computer Restart Endpoint Protection Hardware Inventory Metered Internet Connections Network Access Protection (NAP) Power Management Remote Tools Software Deployment Software Inventory Software Updates User and Device Affinity Mobile Devices Enrollment User and Device Affinity

Client settings for users:

1305

Client Settings for Devices

Use the following sections for information about client device settings.

Background Intelligent Transfer

Setting name More information

Limit the maximum network bandwidth for BITS background transfers

If this option is configured as True (Configuration Manager with no service pack) or Yes (Configuration Manager SP1), then BITS bandwidth throttling will be used by Configuration Manager clients. Specify the start time in local time that the BITS throttling window will begin. Specify the end time in local time that the BITS throttling window will end. If this value is the same as the Throttling window start time, BITS throttling is always enabled. Specify the maximum transfer rate in (Kbps) that can be used by Configuration Manager clients during the specified BITS throttling window. Select this option to allow BITS downloads outside of the throttling window. This option allows Configuration Manager clients to use separate BITS settings outside of the specified window. Specify the maximum transfer rate in (Kbps) that will be used by Configuration Manager clients when outside of the specified BITS throttling window. This option can be configured only when you have selected to allow BITS throttling outside of the specified window.

Throttling window start time

Throttling window end time

Maximum transfer rate during throttling window (Kbps)

Allow BITS downloads outside the throttling window

Maximum transfer rate outside the throttling window (Kbps)

Client Policy
Setting name More information

Client policy polling interval (minutes)

For Configuration Manager with no service

1306

Setting name

More information

pack: Specify how frequently client computers download client policy. For Configuration Manager SP1 only: Specify how frequently the following Configuration Manager clients download client policy: Enable user policy polling on clients Windows computers (for example, desktops, servers, laptops) Mobile devices that are enrolled by Configuration Manager Mac computers Computers that run Linux or UNIX

When you configure this setting as True (Configuration Manager with no service pack) or Yes (Configuration Manager SP1), and Configuration Manager has discovered the user, Configuration Manager clients on computers receive applications and programs that are targeted to the logged on user. For more information about how to discover users, see the Configure Active Directory Discovery for Computers, Users, or Groups section in the Configuring Discovery in Configuration Manager topic. Because the Application Catalog receives the list of available software for users from the site server, this setting does not have to be configured as True (Configuration Manager with no service pack) or Yes (Configuration Manager SP1) for users to see and request applications from the Application Catalog. However, if this setting is False (Configuration Manager with no service pack) or No (Configuration Manager SP1), the following will not work when users use the Application Catalog: In Configuration Manager SP1 only, users cannot install the applications that they see in the Application Catalog. Users will not see notifications about their application approval requests. Instead, they
1307

Setting name

More information

must refresh the Application Catalog and check the approval status. Users will not receive revisions and updates for applications that are published to the Application Catalog. However, they will see changes to application information in the Application Catalog. If you remove an application deployment after the client has installed the application from the Application Catalog, clients continue to check that the application is installed for up to 2 days.

In addition, when this setting is False (Configuration Manager with no service pack) or No (Configuration Manager SP1), users will not receive required applications that you deploy to users or any other management operations that are contained in user policies. This setting applies to users when their computer is on the intranet and the Internet; it must be configured as True (Configuration Manager with no service pack) or Yes (Configuration Manager SP1) if you also want to enable user policies on the Internet. Enable user policy requests from Internet clients When the client and site is configured for Internet-based client management and you configure this option as True (Configuration Manager with no service pack) or Yes (Configuration Manager SP1) and both of the following conditions apply, users receive user policy when their computer is on the Internet: The Enable user policy polling on clients client setting is configured as True (Configuration Manager with no service pack) or Yes (Configuration Manager SP1). The Internet-based management point successfully authenticates the user by using Windows authentication (Kerberos or NTLM).

If you leave this option as False (Configuration Manager with no service pack) or No
1308

Setting name

More information

(Configuration Manager SP1), or if either of the conditions fails, a computer on the Internet will receive computer policies only. In this scenario, users can still see, request, and install applications from an Internet-based Application Catalog. If this setting is False (Configuration Manager with no service pack) or No (Configuration Manager SP1) but the Enable user policy polling on clients is configured as True (Configuration Manager with no service pack) or Yes (Configuration Manager SP1), users will not receive user policies until the computer is connected to the intranet. For more information about managing clients on the Internet, see the Planning for InternetBased Client Management section in the Planning for Communications in Configuration Manager topic. Note

Compliance Settings
Setting name More information

Schedule compliance evaluation

Click Schedule to create the default schedule that will be displayed to users when they deploy a configuration baseline. This value can be configured for each baseline in the Deploy Configuration Baseline dialog box. For Configuration Manager SP1 only: Select Yes if you want to deploy user data and profiles configuration items to Windows 8 computers in your hierarchy. For more information about user data and profiles, see How to Create User Data and Profiles Configuration Items in Configuration Manager.
1309

Enable User Data and Profiles

Computer Agent
Setting name More information

Default Application Catalog website point

Configuration Manager uses this setting to connect users to the Application Catalog from Software Center. You can specify a server that hosts the Application Catalog website point by its NetBIOS name or FQDN, specify automatic detection, or specify a URL for customized deployments. In most cases, automatic detection is the best choice because it offers the following benefits: Clients are automatically given an Application Catalog website point from their site, if their site contains an Application Catalog website point. Protection against a rogue server because Application Catalog website points on the intranet that are configured for HTTPS are given preference over Application Catalog website points that are not configured for HTTPS. When clients are configured for intranet and Internet-based client management, they will be given an Internet-based Application Catalog website point when they are on the Internet and an intranetbased Application Catalog website point when they are on the intranet.

Automatic detection does not guarantee that clients will be given an Application Catalog website point that is closest to them. You might decide not to use Automatically detect for the following reasons: You want to manually configure the closest server for clients or ensure that they do not connect to a server across a slow network connection. You want to control which clients connect to which server. This might be for testing, performance, or business reasons. You do not want to wait up to 25 hours or for a network change for clients to be
1310

Setting name

More information

configured with a different Application Catalog website point. If you specify the Application Catalog website point rather than use automatic detection, specify the NetBIOS name rather than the intranet FQDN to help reduce the likelihood that users will be prompted for credentials when they connect to the Application Catalog on the intranet. To use the NetBIOS name, the following conditions must apply: The NetBIOS name is specified in the Application Catalog website point properties. You use WINS or all clients are in the same domain as the Application Catalog website point. The Application Catalog website point is configured for HTTP client connections or it is configured for HTTPS client connections and the web server certificate contains the NetBIOS name.

Typically, users are prompted for credentials when the URL contains an FQDN but not when the URL is a NetBIOS name. Expect users to be always prompted when they connect from the Internet, because this connection must use the Internet FQDN. When users are prompted for credentials when they are on the Internet, ensure that the server that runs the Application Catalog website point can connect to a domain controller for the users account so that the user can be authenticated by using Kerberos. Note How automatic detection works: The client makes a service location request to a management point. If there is an Application Catalog website point in the same site as the client, this server is given to the client as the Application Catalog server to use. When there is more than one available
1311

Setting name

More information

Application Catalog website point in the site, an HTTPS-enabled server takes precedence over a server that is not enabled for HTTPS. After this filtering, all clients are given one of the servers to use as the Application Catalog; Configuration Manager does not loadbalance between multiple servers. When the clients site does not contain an Application Catalog website point, the management point nondeterministically returns an Application Catalog website point from the hierarchy. When the client is on the intranet, if the selected Application Catalog website point is configured with a NetBIOS name for the Application Catalog URL, clients are given this NetBIOS name instead of the intranet FQDN. When the client is detected to be on the Internet, only the Internet FQDN is given to the client. The client makes this service location request every 25 hours or whenever it detects a network change. For example, if the client moves from the intranet to the Internet, and the client can locate an Internet-based management point, the Internet-based management point gives Internetbased Application Catalog website point servers to clients. Add default Application Catalog website to Internet Explorer trusted sites zone If this option is configured as True (Configuration Manager with no service pack) or Yes (Configuration Manager SP1), the current default Application Catalog website URL is automatically added to the trusted sites zone in Internet Explorer on clients. This setting ensures that the Internet Explorer
1312

Setting name

More information

setting for Protected Mode is not enabled. If Protected Mode is enabled, the Configuration Manager client might not be able to install applications from the Application Catalog. By default, the trusted sites zone also supports user logon for the Application Catalog, which requires Windows authentication. If you leave this option as False, Configuration Manager clients might not be able to install applications from the Application Catalog unless these Internet Explorer settings are configured in another zone for the Application Catalog URL that clients use. Note Whenever Configuration Manager adds a default Application Catalog to the trusted sites zone, Configuration Manager removes a previous default Application Catalog URL that Configuration Manager added before it adds a new entry. Configuration Manager cannot add the URL if it is already specified in one of the security zones. In this scenario, you must either remove the URL from the other zone, or manually configure the required Internet Explorer settings. Allow Silverlight applications to run in elevated trust mode Applies to Configuration Manager SP1 only: This setting must be configured as Yes if users run the Configuration Manager SP1 client and use the Application Catalog. If you change this setting, it takes effect when users next load their browser or refresh their currently opened browser window. For more information about this setting, see the Certificates for Silverlight 5 and Elevated Trust Mode Required for the Application Catalog section in the Security and Privacy for Application Management in Configuration
1313

Setting name

More information

Manager topic. Organization Name displayed in Software Center Type the name that users see in Software Center. This branding information helps users to identify this application as a trusted source. Configure how users can initiate the installation of software, software updates, and task sequences: All Users: Users logged on to a client computer with any permission except Guest can initiate the installation of software, software updates, and task sequences. Only Administrators: Users logged on to a client computer must be a member of the local Administrators group to initiate the installation of software, software updates, and task sequences. Only Administrators and primary users: Users logged on to a client computer must be a member of the local Administrators group or a primary user of the computer to initiate the installation of software, software updates, and task sequences. No Users: No users logged on to a client computer can initiate the installation of software, software updates, and task sequences. Required deployments for the computer are always installed at the deadline and users cannot initiate the installation of software from the Application Catalog or Software Center.

Install Permissions

Suspend BitLocker PIN entry on restart

If the BitLocker PIN entry is configured on computers, this option can bypass the requirement to enter a PIN when the computer restarts after a software installation. Always: Configuration Manager temporarily suspends the BitLocker requirement to enter a PIN on the next computer startup after it has installed software that requires a restart and initiated a restart of the computer. This setting
1314

Setting name

More information

applies only to computer restarts that are initiated by Configuration Manager and does not suspend the requirement to enter the BitLocker PIN when the user restarts the computer. The BitLocker PIN entry requirement is resumed after Windows startup. Never: Configuration Manager does not suspend the BitLocker requirement to enter a PIN on the next computer startup after it has installed software that requires a restart. In this scenario, the software installation cannot finish until the user enters the PIN to complete the standard startup process and load Windows.

Agent extensions manage the deployment of applications and software updates (Configuration Manager with no service pack) Additional software manages the deployment of applications and software updates (Configuration Manager SP1)

Enable this option only if one of the following conditions apply: You use a vendor solution that requires this setting to be enabled. You use the System Center 2012 Configuration Manager software development kit (SDK) to manage client agent notifications and the installation of applications and software updates. Warning If you select this option when neither of these conditions apply, software updates and required applications will not install on clients. This setting does not prevent users from installing applications from the Application Catalog, or prevent packages and programs, and task sequences from being installed on client computers.

PowerShell execution policy

Configure how Configuration Manager clients can run Windows PowerShell scripts. These scripts are often used for detection in configuration items for compliance settings, but can also be sent in a deployment as a standard script. Bypass: The Configuration Manager client
1315

Setting name

More information

bypasses the Windows PowerShell configuration on the client computer so that unsigned scripts can run. Restricted: the Configuration Manager client uses the current Windows PowerShell configuration on the client computer, which determines whether unsigned scripts can run. All Signed (Configuration Manager SP1 only): The Configuration Manager client runs scripts only if they are signed by a trusted publisher. This restriction applies independently from the current Windows PowerShell configuration on the client computer.

This option requires at least Windows PowerShell version 2.0 and the default is Restricted in Configuration Manager with no service pack, and All Signed in Configuration Manager SP1. Tip If unsigned scripts fail to run because of this client setting, Configuration Manager reports this error in the following ways: Error ID 0X87D00327 and the description of Script is not signed as a deployment status error in the Monitoring workspace of the Configuration Manager console. Error codes and descriptions of 0X87D00327 and Script is not signed or 0X87D00320 and The script host has not been installed yet with the error type of Discovery Error in reports, such as Details of errors of configuration items in a configuration baseline for an asset. The message Script is not signed (Error: 87D00327; Source: CCM) in the DcmWmiProvider.log file.

Disable deadline randomization

For System Center 2012 Configuration Manager SP1 only.

1316

Setting name

More information

This setting determines whether the client uses an activation delay of up to two hours to install required software updates and required applications when the deadline is reached. By default, the activation delay is disabled. For virtual desktop infrastructure (VDI) scenarios, this delay can help to distribute the CPU processing and data transfer for a computer that has multiple virtual machines that run the Configuration Manager client. Even if you do not use VDI, if many clients install the same software at the same time, this can negatively increase CPU usage on the site server, slow down distribution points, and significantly reduce the available network bandwidth. If required software updates and required applications must install without delay when the configured deadline is reached, select No for this setting.

Computer Restart
When you specify these computer restart settings, ensure that the value for the restart temporary notification interval and the value for the final countdown interval are shorter in duration than the shortest maintenance window that is applied to the computer. For more information about maintenance windows, see How to Use Maintenance Windows in Configuration Manager.

Endpoint Protection
Setting name More information

Manage Endpoint Protection client on client computers

Select True (Configuration Manager with no service pack) or Yes (Configuration Manager SP1) if you want to manage existing Endpoint Protection clients on computers in your hierarchy. Select this option if you have already installed the Endpoint Protection client and want to
1317

Setting name

More information

manage it with Configuration Manager. Additionally, select this option if you want to create a script to uninstall an existing antimalware solution, install the Endpoint Protection client, and deploy this script by using a Configuration Manager application or package and program. Install Endpoint Protection client on client computers Select True (Configuration Manager with no service pack) or Yes (Configuration Manager SP1) to install and enable the Endpoint Protection client on client computers where it is not already installed. Note If the Endpoint Protection client is already installed, selecting False (Configuration Manager with no service pack) or No (Configuration Manager SP1) will not uninstall the Endpoint Protection client. To uninstall the Endpoint Protection client, set the Manage Endpoint Protection client on client computers client setting to False (Configuration Manager with no service pack) or No (Configuration Manager SP1), and then deploy a package and program to uninstall the Endpoint Protection client. Automatically remove previously installed antimalware software before Endpoint Protection is installed Select True (Configuration Manager with no service pack) or Yes (Configuration Manager SP1) to uninstall existing antimalware software. Note Endpoint Protection uninstalls the following antimalware software only: Symantec AntiVirus Corporate Edition version 10 Symantec Endpoint Protection version 11 Symantec Endpoint Protection Small
1318

Setting name

More information

Business Edition version 12 McAfee VirusScan Enterprise version 8 Trend Micro OfficeScan Microsoft Forefront Codename Stirling Beta 2 Microsoft Forefront Codename Stirling Beta 3 Microsoft Forefront Client Security v1 Microsoft Security Essentials v1 Microsoft Security Essentials 2010 Microsoft Forefront Endpoint Protection 2010 Microsoft Security Center Online v1

If you try to install the Endpoint Protection client on a computer and the uninstall of an existing antimalware solution is not supported, then the Endpoint Protection client installation will fail. In this case, you can use application management to uninstall the existing antimalware solution, install the Endpoint Protection client and then use the Manage Endpoint Protection client on client computers client setting to let Configuration Manager manage the newly installed Endpoint Protection client. For Windows Embedded devices with write filters, commit Endpoint Protection client installation (requires restart) For System Center 2012 Configuration Manager SP1 only. Select Yes to disable the write filter on the Windows Embedded device and restart the device. This commits the installation on the device. If No is specified, the client is installed on a temporary overlay that is cleared when the device is restarted. In this scenario, the Endpoint Protection client is not committed until another installation commits changes to the device. This is the default setting. Suppress any required computer restarts after the Endpoint Protection client is installed Select True (Configuration Manager with no service pack) or Yes (Configuration Manager SP1) to suppress a computer restart if
1319

Setting name

More information

it is required after the Endpoint Protection client is installed. Important If the Endpoint Protection client requires a computer restart and this setting is configured as False, the restart will occur regardless of any maintenance windows that have been configured. Allowed period of time users can postpone a required restart to complete the Endpoint Protection installation (hours) Specify the number of hours that users can postpone a computer restart if this is required after the Endpoint Protection client is installed. This option can only be configured if the Suppress any required computer restarts after the Endpoint Protection client is installed option is set to False. Select True (Configuration Manager with no service pack) or Yes (Configuration Manager SP1) if you want Configuration Manager to only install the initial definition update on client computers. This setting can be helpful to avoid unnecessary network connections and reduce network bandwidth during the initial installation of the definition update.

Disable alternate sources (such as Windows Update, Microsoft Windows Server Update Services or UNC shares) for the initial definition update on client computers

Hardware Inventory
Setting name More information

Maximum custom MIF file size (KB)

Specify the maximum size, in kilobyte (KB), allowed for each custom Management Information Format (MIF) file that will be collected from a client during a hardware inventory cycle. If any MIF files exceed this size, they will not be processed by Configuration Manager hardware inventory. You can specify a size between 1 and 5,000
1320

Setting name

More information

KB. By default, this value is set to 250 KB. This setting does not affect the size of the regular hardware inventory data file. Note This setting is only available in the default client settings. Hardware inventory classes In System Center 2012 Configuration Manager, you can extend the hardware information that you collect from clients without manually editing the sms_def.mof file. Click Set Classes if you want to extend Configuration Manager hardware inventory. For more information, see How to Extend Hardware Inventory in Configuration Manager. Use this setting to specify whether to collect Managed Information Format (MIF) files from System Center 2012 Configuration Manager clients during hardware inventory. For a MIF file to be collected by hardware inventory, it must be located in the correct location on the client computer. By default, the files should be located as follows: IDMIF files should be located in the Windows\System32\CCM\Inventory\Idmif folder. NOIDMIF files should be located in the Windows\System32\CCM\Inventory\Noidmif folder. Note This setting is only available in the default client settings.

Collect MIF files

Metered Internet Connections

For Configuration Manager SP1 only, you can manage how Windows 8 client computers communicate with Configuration Manager sites when they use metered Internet connections.

1321

Internet providers sometimes charge by the amount of data that you send and receive when you are on a metered Internet connection. Note The configured client setting is not applied to Windows 8 client computers in the following scenarios:. The computer is on a roaming data connection: The Configuration Manager client does not perform any operations that require data to be transferred to Configuration Manager sites. The Windows network connection properties is configured as non-metered: The Configuration Manager client behaves as if this is a non-metered Internet connection and so transfers data to the Configuration Manager sites.
More information

Setting name

Specify how clients communicate on metered network connections (Configuration Manager SP1)

From the drop-down list, choose one of the following for Windows 8 client computers: Allow: All client communications are allowed over the metered Internet connection unless the client device is using a roaming data connection. Limit: Only the following client communications are allowed over the metered Internet connection: Client policy retrieval Client state messages to send to the site Software installation requests by using the Application Catalog Required deployments (when the installation deadline is reached) Important If a user initiates a software installation from Software Center or the Application Catalog, these are always permitted, regardless of the metered Internet connection settings. If the data transfer limit is reached for the metered Internet connection, the client no longer attempts to communicate with Configuration Manager sites. Block: The Configuration Manager client
1322

Setting name

More information

does not attempt to communicate with Configuration Manager sites when it is on a metered Internet connection. This is the default value.

Network Access Protection (NAP)

Setting name More information

Enable Network Access Protection on clients

When you set this option to True (Configuration Manager with no service pack) or Yes (Configuration Manager SP1), Configuration Manager clients that support Network Access Protection (NAP) evaluate software updates for their statement of health and send the results to a System Health Validator point. Tip Before you set this option to True (Configuration Manager with no service pack) or Yes (Configuration Manager SP1), make sure that clients have the Windows Network Access Protection Agent service started and set to automatic, and that the Windows Network Access Protection infrastructure is in place. The default setting is False.

Require a new scan for each evaluation

When you set this option to True (Configuration Manager with no service pack) or Yes (Configuration Manager SP1), this is the most secure configuration, but it will result in a delay for connecting clients as they wait for their NAP evaluation to complete. If this option is set to False, clients return the cached results from their most recent NAP evaluation. How current that cached information is depends on the NAP re-evaluation schedule client setting. The default setting is False. By default, NAP-capable clients re-evaluate
1323

NAP re-evaluation schedule

Setting name

More information

their statement of health with a simple schedule of every day. You can change this behavior if you click Schedule and configure the frequency and interval or a custom schedule. Important If you do change the default schedule, make sure that you configure a value that is lower than the configured statement of health validity period on the System Health Validator point. If the compliance evaluation on the client occurs less frequently than the validity period, clients will be found noncompliant by the System Health Validator point. In this scenario, remediation will instruct clients to re-evaluate their compliance and produce a current statement of health. This process might take a few minutes to complete, so if you configure the NAP health policy server to enforce compliance with limited network access, computers will not be able to access network resources during this re-evaluation time.

Power Management
Setting Name More Information

Allow users to exclude their device from power management

From the drop down list, select True (Configuration Manager with no service pack) or Yes (Configuration Manager SP1) to allow users of Software Center to exclude their computer from any configured power management settings. For Configuration Manager SP1 only: Specify Yes to supplement the sites Wake On
1324

Enable wake-up proxy

Setting Name

More Information

LAN setting when it is configured for unicast packets. For more information about wake-up proxy, see the Planning How to Wake Up Clients section in the Planning for Communications in Configuration Manager topic. Warning Do not enable wake-up proxy in a production network without first understanding how it works and evaluating it in a test environment. Wake-up proxy port number (UDP) For Configuration Manager SP1 only: Keep the default value for the port number that manager computers use to send wake-up packets to sleeping computers, or change the number to a value of your choice. The port number specified here is automatically configured for clients that run Windows Firewall when you configure the Windows Firewall exception for wake-up proxy option. If clients run a different firewall, you must manually configure it to allow the UDP port number that is specified for this setting. Wake On LAN port number (UDP) For Configuration Manager SP1 only: Keep the default value of 9, unless you have changed the Wake On LAN (UDP) port number in the site Properties, Ports tab. Important This number must match the number in the site Properties. If you change this number in one place, it does not automatically update in the other place.

Remote Tools

1325

Setting Name

More Information

Enable Remote Control on clients Firewall exception profiles

Select whether Configuration Manager remote control is enabled for all client computers that receive these client settings. Click Configure to enable remote control and optionally configure firewall settings to allow remote control to work on client computers. Important If firewall settings are not configured, remote control might not work correctly. Note Remote control is disabled by default.

Users can change policy or notification settings in Software Center Allow Remote Control of an unattended computer

Select whether users can change remote control options from within Software Center. Select whether an administrator can use remote control to access a client computer that is logged off or locked. Only a logged-on and unlocked computer can be remote controlled when this setting is disabled. Select whether the client computer will display a message asking for the user's permission before allowing a remote control session. Select whether local administrators on the server initiating the remote control connection can establish remote control sessions to client computers. Specify the level of remote control access that will be allowed. Click Set Viewers to open the Configure Client Setting dialog box and specify the names of the Windows users who can establish remote control sessions to client computers. Select this option to display an icon on the taskbar of client computers to indicate that a remote control session is active. Select this option to display a high-visibility session connection bar on client computers to
1326

Prompt user for Remote Control permission

Grant Remote Control permission to local Administrators group

Access level allowed

Permitted viewers

Show session notification icon on taskbar

Show session connection bar

Setting Name

More Information

indicate that a remote control session is active. Play a sound on client Select this option to use sound to indicate when a remote control session is active on a client computer. You can play a sound when the session connects or disconnects, or you can play a sound repeatedly during the session. Select this option to let Configuration Manager manage unsolicited remote assistance sessions. Unsolicited remote assistance sessions are those where the user at the client computer does not request assistance to initiate a session. Manage solicited Remote Assistance settings Select this option to let Configuration Manager manage solicited remote assistance sessions. Solicited remote assistance sessions are those where the user at the client computer sends a request to the administrator for remote assistance. Level of access for Remote Assistance Select the level of access to assign to remote assistance sessions that are initiated in the Configuration Manager console. Note The user at the client computer must always grant permission for a Remote Assistance session to occur. Manage Remote Desktop settings Select this option to let Configuration Manager manage Remote Desktop sessions for computers. Select this option to let users specified in the permitted viewer list to be added to the Remote Desktop local user group on client computers. Select this more secure option if you want to use network-level authentication to establish Remote Desktop connections to client computers that run Windows Vista or later. Network-level authentication requires fewer
1327

Manage unsolicited Remote Assistance settings

Allow permitted viewers to connect by using Remote Desktop connection

Require network level authentication on computers that run Windows Vista operating system and later versions

Setting Name

More Information

remote computer resources initially because it completes user authentication before it establishes a Remote Desktop connection. This method is more secure because it can help protect the computer from malicious users or software, and it reduces the risk from denial-ofservice attacks.

Software Deployment
Setting name More information

Schedule re-evaluation for deployments

Configure a schedule for when Configuration Manager re-evaluates the requirement rules for all deployments. The default value is every 7 days. Important We recommend that you do not change this value to a lower value than the default as this may negatively affect the performance of your network and client computers. You can also initiate this action from a Configuration Manager client computer by selecting the action Application Deployment Evaluation Cycle from the Actions tab of Configuration Manager in Control Panel.

Software Inventory
Setting name More information

Inventory reporting detail

Specify the level of file information to inventory. You can inventory details about the file only, details about the product associated with the file or you can inventory all information about the file.
1328

Setting name

More information

Inventory these file types

If you want to specify the types of file to inventory, click Set Types and then configure the following in the Configure Client Setting dialog box: Note If multiple custom client settings are applied to a computer, the inventory returned by each setting will be merged. Click the New icon to add a new file type to inventory, then specify the following information in the Inventoried File Properties dialog box: Name Provide a name for the file you want to inventory. You can use the * character to represent any string of text and the ? character to represent any single character. For example, if you want to inventory all files with the extension .doc, specify the filename *.doc. Location Click Set to open the Path Properties dialog box. You can configure software inventory to search all client hard disks for the specified file, search a specified path (for example C:\Folder) or a specified variable (for example %windir%) and you can also search all subfolders under the specified path. Exclude encrypted and compressed files When you select this option, any files that have been compressed or encrypted will not be inventoried. Exclude files in the Windows folder When you select this option, any files in the Windows folder and its subfolders will not be inventories. Click OK to close the Inventoried File Properties dialog box. Add all of the files you want to inventory and then, click OK to close the Configure Client Setting dialog box.

Collect files

If you want to collect files from client computers,

1329

Setting name

More information

click Set Files and then configure the following: Note If multiple custom client settings are applied to a computer, the inventory returned by each setting will be merged. In the Configure Client Setting dialog box, click the new icon to add a file to be collected. In the Collected File Properties dialog box, provide the following information: Name Provide a name for the file you want to collect. You can use the * character to represent any string of text and the ? character to represent any single character. Location Click Set to open the Path Properties dialog box. You can configure software inventory to search all client hard disks for the file you want to collect, search a specified path (for example C:\Folder) or a specified variable (for example %windir%) and you can also search all subfolders under the specified path. Exclude encrypted and compressed files When you select this option, any files that have been compressed or encrypted will not be collected. Stop file collection when the total size of the files exceeds (KB) Specify the file size (in KB) after which no more of the files specified under Name will be collected. Note The site server collects the five most recently changed versions of collected files and stores them in the <ConfigMgr installation directory>\Inboxes\Sinv.box\Filecol directory. If a file has not changed since the last software inventory was collected, the file will not be collected again.
1330

Setting name

More information

Files larger than 20 MB are not collected by software inventory. The value Maximum size for all collected files (KB) in the Configure Client Setting dialog box displays the maximum size for all collected files. When this size is reached, file collection will stop. Any files already collected are retained and sent to the site server. Important If you configure software inventory to collect many large files, this might negatively affect the performance of your network and site server. For information about how to view collected files, see How to Use Resource Explorer to View Hardware Inventory in Configuration Manager. Click OK to close the Collected File Properties dialog box. Add all of the files you want to collect and then, click OK to close the Configure Client Setting dialog box.

Set Names

During software inventory, manufacturer names and product names are retrieved from the header information of files installed on clients in the site. Because these names are not always standardized in the file header information, when you view software inventory information in Resource Explorer or run queries, different versions of the same manufacturer or product name can sometimes appear. If you want to standardize these display names, click Set Names and then configure the following in the Configure Client Setting dialog box: Name type: Software inventory collects information about both manufacturers and products. From the drop-down list, select whether you want to configure display
1331

Setting name

More information

names for a Manufacturer or a Product. Display name: Specifies the display name you want to use in place of the names in the Inventoried names list. You can click the New icon to specify a new display name. Inventoried names: - Click the New icon to add a new inventoried name which will be replaced in software inventory by the name selected in the Display name list. You can add multiple names that will be replaced.

Software Updates
Setting name More information

Enable software updates on clients

Use this setting to enable software updates on Configuration Manager clients. If you clear this setting, Configuration Manager removes existing deployment policies from client. When you re-enable this setting, the client downloads the current deployment policy. Important When you clear this setting, NAP and compliance settings policies that rely on the software updates device setting will no longer function.

Software update scan schedule

Use this setting to specify how often the client initiates a software update compliance assessment scan. The compliance assessment scan determines the state for software updates on the client (for example, required or installed). For more information about compliance assessment, see the Software Updates Compliance Assessment section in the Introduction to Software Updates in Configuration Manager topic. By default a simple schedule is used and the compliance scan initiates every 7 days. You can choose to create a custom schedule to
1332

Setting name

More information

specify an exact start day and time, choose whether to use UTC or the local time, and configure the recurring interval for a specific day of the week. Note If you can specify an interval of less than 1 day, Configuration Manager will automatically default to 1 day. Warning The actual start time on client computers is the start time plus a random amount of time up to 2 hours. This prevents client computers from initiating the scan and connecting to Windows Server Update Services (WSUS) on the active software update point server at the same time. Schedule deployment re-evaluation Use this setting to configure how often the Software Updates Client Agent re-evaluates software updates for installation status on Configuration Manager client computers. When software updates that have been previously installed are no longer found on client computers, and still required, they are reinstalled. The deployment re-evaluation schedule should be adjusted based on company policy for software update compliance, whether users have the ability to uninstall software updates, and so on, and with the consideration that every deployment reevaluation cycle results in some network and client computer CPU activity. By default, a simple schedule is used and the deployment reevaluation scan initiates every 7 days. Note Although you can specify an interval of less than 1 day, Configuration Manager will automatically default to 1 day.

1333

Setting name

More information

When any software update deadline is reached, install all other software update deployments with deadline coming within a specified period of time

Use this setting to install all software updates in required deployments that have deadlines that will occur within a specified period of time. When a deadline is reached for a required software update deployment, installation initiates on clients for the software updates in the deployment. This setting determines whether to also initiate the installation for software updates defined in other required deployments that have a configured deadline within the specified period of time. Use this setting to expedite software update installation for required software updates, potentially increase security, potentially decrease display notifications, and potentially decrease system restarts on client computers. By default, this setting is not enabled.

Period of time for which all pending deployments with deadline in this time will also be installed

Use this setting to specify the timeframe for the previous setting. You can enter a value from 1 to 23 hours and from 1 to 365 days. By default, this setting is configured for 7 days.

User and Device Affinity

Setting name More information

User device affinity usage threshold (minutes)

Specify the number of minutes before Configuration Manager creates a user device affinity mapping. Specify the number of days over which the usage based affinity threshold is measured. Note For example, if User device affinity usage threshold (minutes) is specified as 60 minutes and User device affinity usage threshold (days) is specified at 5 days, the user
1334

User device affinity usage threshold (days)

Setting name

More information

must use the device for 60 minutes over a period of 5 days to automatically create a user device affinity. Automatically configure user device affinity from usage data Select True (Configuration Manager with no service pack) or Yes (Configuration Manager SP1) to enable Configuration Manager to automatically create user device affinities based on the usage information that is collected.

Client Settings for Users

Use the following sections for information about user settings on clients.

Mobile Devices
This section applies to Configuration Manager with no service pack only.
Setting name More information

Mobile device enrollment profile

Before you can configure this setting, you must first set to True the mobile device user setting Allow users to enroll mobile devices. Then you can click Set Profile to specify an enrollment profile that contains information about the certificate template to use during the enrollment process, the site that contains an enrollment point and enrollment proxy point, and the site that will manage the device after the enrollment. Important Ensure that you have configured a certificate template to use for mobile device enrollment before you configure this option. For more information about how to enroll mobile devices by using Configuration Manager, see How to Install Clients on Mobile Devices and Enroll Them by Using
1335

Setting name

More information

Configuration Manager.

Enrollment
This section applies to Configuration Manager SP1 only.
Setting name More information

Mobile device enrollment profile

Before you can configure this setting, you must first set to Yes the enrollment user setting Allow users to enroll mobile devices and Mac computers. Then you can click Set Profile to specify an enrollment profile that contains information about the certificate template to use during the enrollment process, the site that contains an enrollment point and enrollment proxy point, and the site that will manage the device after the enrollment. Important Ensure that you have configured a certificate template to use for mobile device enrollment or for Mac client certificate enrollment before you configure this option. For more information about how to enroll mobile devices by Configuration Manager, see How to Install Clients on Mobile Devices and Enroll Them by Using Configuration Manager. For more information about how to install Mac clients and enroll their certificates, see How to Install Clients on Mac Computers in Configuration Manager.

User and Device Affinity

Setting name More information

Allow user to define their primary devices

Specify whether users are allowed to identify

1336

Setting name

More information

their own primary devices from the Application Catalog, My Devices tab.

See Also
Technical Reference for Client Deployment in Configuration Manager

About Client Installation Properties in Configuration Manager

Use the System Center 2012 Configuration Manager CCMSetup.exe command to manually install the System Center 2012 Configuration Manager client software on computers in your enterprise. The CCMSetup program downloads all the necessary files to complete the client installation from a specified management point or from a specified source location. These files might include the following: The Windows Installer package Client.msi that installs the System Center 2012 Configuration Manager client software. Microsoft Background Intelligent Transfer Service (BITS) installation files, if required. Windows Installer installation files, if required. Updates and fixes for the System Center 2012 Configuration Manager client, if required. Note In System Center 2012 Configuration Manager, you cannot run the Client.msi file directly. CCMSetup.exe provides several command-line properties to customize the installation behavior. Additionally, you can also specify properties to modify the behavior of Client.msi at the CCMSetup.exe command line. Important You must specify all required CCMSetup properties before you specify properties for Client.msi. CCMSetup.exe and its supporting files are located on the System Center 2012 Configuration Manager site server in the Client folder of the System Center 2012 Configuration Manager installation folder. This folder is shared to the network as <Site Server Name>\SMS_<Site Code>\Client. At the command prompt, the CCMSetup.exe command uses the following format: CCMSetup.exe [Ccmsetup properties] [client.msi setup properties]
1337

For example, CCMSetup.exe /mp:SMSMP01 /logon SMSSITECODE=S01 FSP=SMSFSP01 performs the following actions: Specifies the management point named SMSMP01 to request a list of distribution points to download the client installation source files. Specifies that installation should stop if a version of the System Center 2012 Configuration Manager or Configuration Manager 2007 client already exists on the computer. Instructs client.msi to assign the client to the site code S01. Instructs client.msi to use the fallback status point named SMSFP01. Note If a property contains spaces, surround it by quotation marks (""). The properties described in the following table are available to modify the installation behavior of CCMSetup.exe. Important If you have extended the Active Directory schema for System Center 2012 Configuration Manager, many client installation properties are published in Active Directory Domain Services and read automatically by the System Center 2012 Configuration Manager client. For a list of the client installation properties published in Active Directory Domain Services, see About Client Installation Properties Published to Active Directory Domain Services in Configuration Manager.

CCMSetup.exe Command-Line Properties

Property More information

/?

Opens the CCMSetup dialog box showing command-line properties for ccmsetup.exe. Example: ccmsetup.exe /?

/source:<Path>

Specifies the location from which to download installation files. You can use a local or UNC installation path. Files are downloaded by using the server message block (SMB) protocol. Note You can use the /source property multiple times at the command line to specify alternative locations from which to download installation files. Important To use the /source command-line property, the Windows user account that is used for client installation must have Read permissions to the
1338

Property

More information

installation location. Example: ccmsetup.exe /source:"\\computer\folder" /mp:<Computer> Specifies a source management point for computers to connect to so that they can find the nearest distribution point to download the client installation files. If there are no distribution points or computers cannot download the files from the distribution points after 4 hours, clients download the files from the specified management point. Computers download the files over an HTTP or HTTPS connection, depending on the site system role configuration for client connections. The download uses BITS throttling, if BITS throttling is configured. If all distribution points and management points are configured for HTTPS client connections only, you must verify that the client computer has a valid public key infrastructure (PKI) client certificate. Note You can use the /mp command-line property to specify multiple management points so that if the computer fails to connect to the first one, the next is tried, and so on. When you specify multiple management points, separate the values by using commas. Important This property is used only to specify an initial management point for computers to find the closes source to download the client installation files. It does not specify the management point to which the client will become assigned after installation. You can specify any System Center 2012 Configuration Manager management point in any site to provide computers with a list of distribution points from which they can download the client installation files. Example for when you use the computer name: ccmsetup.exe /mp:SMSMP01 Example for when you use the FQDN: ccmsetup.exe /mp:smsmp01.contoso.com Tip
1339

Property

More information

If the client connects to a management point by using HTTPS, typically, you must specify the FQDN for this option rather than the computer name. The value that you specify must be included in the management points PKI certificate Subject or Subject Alternative Name. Although Configuration Manager supports a computer name only in this PKI certificate for connections on the intranet, as a security best practice, an FQDN is recommended. /retry:<Minutes> Specifies the retry interval if CCMSetup.exe fails to download installation files. The default value is 10 minutes. CCMSetup continues to retry until it reaches the limit specified in the downloadtimeout installation property. Example: ccmsetup.exe /retry:20 /noservice Prevents CCMSetup from running as a service. When CCMSetup runs as a service, it runs in the context of the Local System account of the computer, which might not have sufficient rights to access network resources that are required for the installation process. When you specify the /noservice option, CCMSetup.exe runs in the context of the user account that you use to start the installation process. Additionally, if you are use a script to run CCMSetup.exe with the /service property, CCMSetup.exe exits after the service starts and might not report installation details correctly because the CCMSetup service performs the client installation. If this command-line property is not specified, by default, /service will be used. Example: ccmsetup.exe /noservice /service Specifies that CCMSetup should run as a service that uses the local system account. Example: ccmsetup.exe /service /uninstall Specifies that the System Center 2012 Configuration Manager client software should be uninstalled. For more information, see How to Manage Clients in Configuration Manager. Example: ccmsetup.exe /uninstall /logon Specifies that the client installation should stop if any version of the System Center 2012 Configuration Manager or the
1340

Property

More information

Configuration Manager client is already installed. Example: ccmsetup.exe /logon /forcereboot Specifies that CCMSetup should force the client computer to restart if this is necessary to complete the client installation. If this option is not specified, CCMSetup exits when a restart is necessary, and then continues after the next manual restart. Example: CCMSetup.exe /forcereboot /BITSPriority:<Priority> Specifies the download priority when client installation files are downloaded over an HTTP connection. Possible values are as follows: FOREGROUND HIGH NORMAL LOW

The default value is NORMAL. Example: ccmsetup.exe /BITSPriority:HIGH /downloadtimeout:<Minutes> Specifies the length of time in minutes that CCMSetup attempts to download the client installation files before it gives up. The default value is 1440 minutes (1 day). Example: ccmsetup.exe /downloadtimeout:100 /UsePKICert When specified, the client uses a PKI certificate that includes client authentication, if one is available. If a valid certificate cannot be found, the client falls back to using an HTTP connection and a self-signed certificate. When this option is not specified, the client uses a self-signed certificate and all communications to site systems are over HTTP. Note There are some scenarios where you do not have to specify this property when you are installing a client to use a PKI client certificate. These scenarios include installing a client by using client push and software update pointbased client installation. However, you must specify this property whenever you manually install a client and use the /mp property to specify a management point that is configured to accept only HTTPS client connections. You also must specify this property when you install a client for
1341

Property

More information

Internet-only communication, by using the CCMALWAYSINF=1 property (together with the properties for the Internet-based management point and the site code). For more information about Internet-based client management, see Planning for Internet-Based Client Management. Example: CCMSetup.exe /UsePKICert /NoCRLCheck Specifies that a client should not check the certificate revocation list (CRL) when it communicates over HTTPS by using a PKI certificate. When this option is not specified, the client checks the CRL before establishing an HTTPS connection by using PKI certificates. For more information about client CRL checking, see Planning for PKI Certificate Revocation. Example: CCMSetup.exe /UsePKICert /NoCRLCheck /config:<configuration file> Specifies the name of a text file containing client installation properties. Unless you also specify the /noservice CCMSetup property, this file must be located in the CCMSetup folder, which is <%Windir%>\Ccmsetup for 32-bit and 64-bit operating systems. If you specify the /noservice property, this file must be located in the same folder from which you run CCMSetup.exe. Example: CCMSetup.exe /config:<Configuration File Name.txt> Use the mobileclienttemplate.tcf file in the <Configuration Manager directory>\bin\<platform> folder on the site server computer to provide the correct format of the file. This file also contains information in comment form about the sections and how they are used. Specify the client installation properties in the [Client Install] section, after the following text: Install=INSTALL=ALL. Example [Client Install] section entry: Install=INSTALL=ALL SMSSITECODE=ABC SMSLSMSSLP03 SMSCACHESIZE=100 /skipprereq:<filename> Specifies that CCMSetup.exe must not install the specified prerequisite program when the Configuration Manager client is installed.
1342

Property

More information

Examples: CCMSetup.exe /skipprereq:silverlight.exe or CCMSetup.exe /skipprereq:dotnetfx40_client_x86_x64.exe;Silverlight.exe Note This property supports entering multiple values. Use the semicolon character (;) to separate each value. /forceinstall For Configuration Manager SP1 only: Specify that any existing client will be uninstalled and then a new client will be installed.

Client.msi Properties
The properties described in the following table can modify the installation behavior of client.msi. If you use the client push installation method, you can also specify the properties in the Client tab of the Client Push Installation Properties dialog box.
Property More information

CCMALWAYSINF

Set to 1 to specify that the client will always be Internet-based and will never connect to the intranet. The client's connection type displays Always Internet. This property should be used in conjunction with CCMHOSTNAME, which specifies the FQDN of the Internet-based management point. It should also be used in conjunction with the CCMSetup property /UsePKICert and with the site code. For more information about Internet-based client management, see Planning for Internet-Based Client Management. Example: CCMSetup.exe /UsePKICert CCMALWAYSINF=1 CCMHOSTNAME=SERVER3.CONTOSO.COM SMSSITECODE=ABC

CCMCERTISSUERS

Specifies the certificate issuers list, which is a list of trusted root certification (CA) certificates that the Configuration Manager site trusts. For more information about the certificate issuers list and how clients use it during the certificate selection
1343

Property

More information

process, see Planning for PKI Client Certificate Selection. This is a case-sensitive match for subject attributes that are in the root CA certificate. Attributes can be separated by a comma (,) or semi-colon (;). Multiple root CA certificates can be specified by using a separator bar. Example: CCMCERTISSUERS=CN=Contoso Root CA; OU=Servers; O=Contoso, Ltd; C=US | CN=Litware Corporate Root CA; O=Litware, Inc. Tip Reference the mobileclient.tcf file in the <Configuration Manager directory>\bin\<platform> folder on the site server computer to copy the CertificateIssuers=<string> that is configured for the site. CCMCERTSEL Specifies the certificate selection criteria if the client has more than one certificate that can be used for HTTPS communication (a valid certificate that includes client authentication capability). You can search for an exact match in the Subject Name or Subject Alternative Name (use Subject:) or a partial match (use SubjectStr:), in the Subject Name or Subject Alternative Name. Examples: CCMCERTSEL="Subject:computer1.contoso.com" searches for a certificate with an exact match to the computer name "computer1.contoso.com" in either the Subject Name, or the Subject Alternative Name. CCMCERTSEL="SubjectStr:contoso.com" searches for a certificate that contains "contoso.com" in either the Subject Name, or the Subject Alternative Name. You can also use Object Identifier (OID) or distinguished name attributes in the Subject Name or Subject Alternative Name attributes, for example: CCMCERTSEL="SubjectAttr:2.5.4.11 = Computers" searches for the organizational unit attribute expressed as an object identifier, and named
1344

Property

More information

Computers. CCMCERTSEL="SubjectAttr:OU = Computers" searches for the organizational unit attribute expressed as a distinguished name, and named Computers. Important If you use the Subject Name box, the matching process for the Subject: selection criteria value is case-sensitive, and the matching process for the SubjectStr: selection criteria value is case-insensitive. If you use the Subject Alternative Name box, the matching process for both the Subject: selection criteria value and the SubjectStr: selection criteria value is case-insensitive. The complete list of attributes that you can use for certificate selection is listed in Supported Attribute Values for the PKI Certificate Selection Criteria. If more than one certificate matches the search, and the property CCMFIRSTCERT has been set to 1, the certificate with the longest validity period is selected. CCMCERTSTORE Specifies an alternate certificate store name if the client certificate to be used for HTTPS communication is not located in the default certificate store of Personal in the Computer store. Example: CCMSetup.exe /UsePKICert CCMCERTSTORE="ConfigMgr" CCMFIRSTCERT If set to 1, this property specifies that the client should select the PKI certificate with the longest validity period. This setting might be required if you are using Network Access Protection with IPsec enforcement. Example: CCMSetup.exe /UsePKICert CCMFIRSTCERT=1 CCMHOSTNAME Specifies the FQDN of the Internet-based management point, if the client is managed over the Internet. Do not specify this option with the installation property of SMSSITECODE=AUTO. Internet-based clients
1345

Property

More information

must be directly assigned to their Internet-based site. Example: CCMSetup.exe /UsePKICert/ CCMHOSTNAME="SMSMP01.corp.contoso.com" CCMHTTPPORT Specifies the port that the client should use when communicating over HTTP to site system servers. If the port is not specified, the default value of 80 will be used. Example: CCMSetup.exe CCMHTTPPORT=80 CCMHTTPSPORT Specifies the port that the client should use when communicating over HTTPS to site system servers. If the port is not specified, the default value of 443 will be used. Example: CCMSetup.exe /UsePKICert CCMHTTPSPORT=443 SMSPUBLICROOTKEY Specifies the Configuration Manager trusted root key where it cannot be retrieved from Active Directory Domain Services. This property applies to clients that use HTTP and HTTPS client communication. For more information, see Planning for the Trusted Root Key. Example: CCMSetup.exe SMSPUBLICROOTKEY=<key> SMSROOTKEYPATH Used to reinstall the Configuration Manager trusted root key. Specifies the full path and file name to a file containing the trusted root key. This property applies to clients that use HTTP and HTTPS client communication. For more information, see Planning for the Trusted Root Key. Example: CCMSetup.exe SMSROOTKEYPATH=<Full path and filename> RESETKEYINFORMATION If a System Center 2012 Configuration Manager client has the wrong Configuration Manager trusted root key and cannot contact a trusted management point to receive a valid copy of the new trusted root key, you must manually remove the old trusted root key by using this property. This situation commonly occurs when you move a client from one site hierarchy to another. This property applies to clients that use
1346

Property

More information

HTTP and HTTPS client communication. Example: CCMSetup.exe RESETKEYINFORMATION=TRUE CCMDEBUGLOGGING Enables debug logging. Values can be set to 0 (off) or 1 (on). The default value is 0. This causes the client to log low-level information that might be useful for troubleshooting problems. As a best practice, avoid using this property in production sites because excessive logging can occur, which might make it difficult to find relevant information in the log files. CCMENABLELOGGING must be set to TRUE to enable debug logging. Example: CCMSetup.exe CCMDEBUGLOGGING=1 CCMENABLELOGGING Enables logging if this property is set to TRUE. By default, logging is enabled. The log files are stored in the Logs folder in the Configuration Manager Client installation folder. By default, this folder is %Windir%\CCM\Logs. Example: CCMSetup.exe CCMENABLELOGGING=TRUE CCMLOGLEVEL Specifies the amount of detail to write to System Center 2012 Configuration Manager log files. Specify an integer ranging from 0 to 3, where 0 is the most verbose logging and 3 logs only errors. The default is 1. Example: CCMSetup.exe CCMLOGLEVEL=3 CCMLOGMAXHISTORY When a System Center 2012 Configuration Manager log file reaches 250000 bytes in size (or the value specified by the property CCMMAXLOGSIZE), it is renamed as a backup, and a new log file is created. This property specifies how many previous versions of the log file to retain. The default value is 1. If the value is set to 0, no old log files are kept. Example: CCMSetup.exe CCMLOGMAXHISTORY=0 CCMLOGMAXSIZE Specifies the maximum log file size in bytes. When a log grows to the size that is specified, it is renamed as a history file, and a new file is created. This property must be set to at least 10000 bytes. The default value
1347

Property

More information

is 250000 bytes. Example: CCMSetup.exe CCMLOGMAXSIZE=300000 CCMALLOWSILENTREBOOT Specifies that the computer is allowed to restart following the client installation, if this is required. Important The computer will restart without warning even if a user is currently logged on. Example: CCMSetup.exe CCMALLOWSILENTREBOOT DISABLESITEOPT If set to TRUE, disables the ability of end users with administrative credentials on the client computer to change the Configuration Manager Client assigned site by using Configuration Manager in Control Panel of the client computer. Example: CCMSetup.exe DISABLESITEOPT=TRUE DISABLECACHEOPT If set to TRUE, disables the ability of end users with administrative credentials on the client computer to change the client cache folder settings for the Configuration Manager Client by using Configuration Manager in Control Panel of the client computer. Example: CCMSetup.exe DISABLECACHEOPT=TRUE SMSCACHEDIR Specifies the location of the client cache folder on the client computer, which stores temporary files. By default, the location is %Windir \ccmcache. Example: CCMSetup.exe SMSCACHEDIR="C:\Temp" This property can be used in conjunction with the SMSCACHEFLAGS property to further control the client cache folder location. Example: CCMSetup.exe SMSCACHEDIR=Cache SMSCACHEFLAGS=MAXDRIVE installs the client cache folder on the largest available disk drive on the client. SMSCACHEFLAGS Configures the System Center 2012 Configuration Manager cache folder, which stores
1348

Property

More information

temporary files. You can use SMSCACHEFLAGS properties individually or in combination, separated by semicolons. If this property is not specified, the client cache folder is installed according to the SMSCACHEDIR property, the folder is not compressed, and the SMSCACHESIZE value is used as the size in MB of the folder. Specifies further installation details for the client cache folder. The following properties can be specified: PERCENTDISKSPACE: Specifies the folder size as a percentage of the total disk space. If you specify this property, you must also specify the property SMSCACHESIZE as the percentage value to use. PERCENTFREEDISKSPACE: Specifies the folder size as a percentage of the free disk space. If you specify this property, you must also specify the property SMSCACHESIZE as the percentage value to use. For example, if the disk has 10 MB free and SMSCACHESIZE is specified as 50, the folder size is set to 5 MB. You cannot use this property with the PERCENTDISKSPACE property. MAXDRIVE: Specifies that the folder should be installed on the largest available disk. This value will be ignored if a path has been specified with the SMSCACHEDIR property. MAXDRIVESPACE: Specifies that the folder should be installed on the disk drive that has the most free space. This value will be ignored if a path has been specified with the SMSCACHEDIR property. NTFSONLY: Specifies that the folder can be installed only on disk drives formatted with the NTFS file system. This value will be ignored if a path has been specified with the SMSCACHEDIR property. COMPRESS: Specifies that the folder should be held in a compressed form. FAILIFNOSPACE: Specifies that the client software should be removed if there is insufficient space to install the folder.
1349

Property

More information

Note Multiple properties for this property can be specified by separating each with a semicolon. If this property is not specified, the client cache folder will be created according to the SMSCACHEDIR property, will not be compressed and will be the size specified in the SMSCACHESIZE property. Example: CCMSetup.exe SMSCACHEFLAGS=NTFSONLY;COMPRESS Note This setting is ignored when you upgrade an existing client. SMSCACHESIZE Specifies the size of the client cache folder in megabyte (MB) or as a percentage when used with the PERCENTDISKSPACE or PERCENTFREEDISKSPACE property. If this property is not set, the folder defaults to a maximum size of 5120 MB. The lowest value that you can specify is 1 MB. Note If a new package that must be downloaded would cause the folder to exceed the maximum size, and if the folder cannot be purged to make sufficient space available, the package download fails, and the program or application will not run. This setting is ignored when you upgrade an existing client and when the client downloads software updates. Example: CCMSetup.exe SMSCACHESIZE=100 Note If you reinstall a client, you cannot use the SMSCACHESIZE or SMSCACHEFLAGS installation properties to set the cache size to be smaller than it was previously. If you try to do this, your value is ignored and the cache size is automatically set to the last size it was
1350

Property

More information

previously. For example, if you install the client with the default cache size of 5120 MB, and then reinstall the client with a cache size of 100 MB, the cache folder size on the reinstalled client is set to 5120 MB. SMSCONFIGSOURCE Specifies the location and order that the Configuration Manager Installer checks for configuration settings. The property is a string containing one or more characters, each defining a specific configuration source. Use the character values R, P, M, and U, alone or in combination, as shown in the following examples: R: Check for configuration settings in the registry. P: Check for configuration settings in the installation properties provided at the command prompt. M: Check for existing settings when upgrading an older client with the System Center 2012 Configuration Manager client software. U: Upgrade the installed client to a newer version (and use the assigned site code).

By default, the client installation uses PU to check first the installation properties and then the existing settings. Example: CCMSetup.exe SMSCONFIGSOURCE=RP SMSDIRECTORYLOOKUP Specifies whether the client can use Windows Internet Name Service (WINS) to find a management point that accepts HTTP connections. Clients use this method when they cannot find a management point in Active Directory Domain Services or in DNS. This property is independent from whether the client uses WINS for name resolution. You can configure two different modes for this property: NOWINS: This is the most secure setting for this property and prevents clients from finding a management point in WINS . When you use this setting, clients must have an alternative method to
1351

Property

More information

locate a management point on the intranet, such as Active Directory Domain Services or by using DNS publishing. WINSSECURE: In this mode, a client that uses HTTP communication can use WINS to find a management point. However, the client must have a copy of the trusted root key before it can successfully connect to the management point. For more information, see Planning for the Trusted Root Key.

If this property is not specified, the default value of WINSSECURE is used. Example: CCMSetup.exe SMSDIRECTORYLOOKUP=NOWINS SMSSIGNCERT Specifies the full path and .cer file name of the exported self-signed certificate on the site server. This certificate is stored in the SMS certificate store and has the Subject name Site Server and the friendly name Site Server Signing Certificate. Example: CCMSetup.exe /UsePKICert SMSSIGNCERT=<Full path and file name> SMSMP Specifies an initial management point for the Configuration Manager client to use. Important For Configuration Manager with no service pack: If the management point accepts client connections over HTTPS only (does not allow HTTP client connections), you must prefix the management point name with https:// Example: CCMSetup.exe SMSMP=smsmp01.contoso.com Example: CCMSetup.exe SMSMP=smsmp01.contoso.com Example: CCMSetup.exe SMSMP=https://smsmp01.contoso.com SMSSITECODE Specifies the Configuration Manager site to assign the Configuration Manager client to. This can either be a three-character site code or the word AUTO. If AUTO
1352

Property

More information

is specified, or if this property is not specified, the client attempts to determine its Configuration Manager site assignment from Active Directory Domain Services or from a specified management point. Note Do not use AUTO if the client finds a management point by using Domain Name System (DNS), or if you are also specifying the Internet-based management point (CCMHOSTNAME). In both these scenarios, you must directly assign the client to its site. Example: CCMSetup.exe SMSSITECODE=XZY CCMINSTALLDIR Identifies the folder where the Configuration Manager client files are installed. If this property is not set, the client software is installed in the %Windir%\CCM folder. Regardless of where these files are installed, the Ccmcore.dll file is always installed in the %Windir%\System32 folder. In addition, on 64-bit operating systems, a copy of the Ccmcore.dll file is always installed in the %Windir%\SysWOW64 folder to support 32-bit applications that use the 32-bit version of the Configuration Manager client APIs from the Configuration Manager software developer kit (SDK). Example: CCMSetup.exe CCMINSTALLDIR="C:\ConfigMgr" CCMADMINS Specifies one or more Windows user accounts or groups to be given access to client settings and policies. This is useful where the System Center 2012 Configuration Manager administrator does not have local administrative credentials on the client computer. You can specify a list of accounts that are separated by semi-colons. Example: CCMSetup.exe CCMADMINS="Domain\Account1;Domain\Group1" FSP Specifies the fallback status point that receives and processes state messages sent by Configuration Manager client computers. For more information about the fallback status point,
1353

Property

More information

see Determine Whether You Require a Fallback Status Point. Example: CCMSetup.exe FSP=SMSFP01 DNSSUFFIX Specifies the DNS domain for clients to use to locate management points in DNS, when Configuration Manager publishes management points to DNS. For more information about DNS publishing as a service location method for Configuration Manager clients, see Planning for Service Location by Clients. If this property is specified, SMSSITECODE must not be set to AUTO. When this property is specified, clients look for a DNS service location resource record (SRV RR) in DNS that includes this DNS suffix of the management point. Note By default, DNS publishing is not enabled in Configuration Manager. Example: CCMSetup.exe SMSSITECODE=ABC DNSSUFFIX=contoso.com CCMEVALINTERVAL Specifies the frequency when the client health evaluation tool (ccmeval.exe) runs. You can specify a value from 1 through 1440 minutes. If you do not specify this property, or specify an incorrect value, the evaluation will run once a day. Specify the hour when the client health evaluation tool (ccmeval.exe) runs. You can specify a value between 0 (midnight) and 23 (11pm). If you do not specify this property, or specify and incorrect value, the evaluation will run at midnight. Specifies that the existence of the minimum required version of Microsoft Application Virtualization (App-V) is not checked before the client is installed. Important If you install the Configuration Manager client without installing App-V, you cannot deploy virtual applications. Example: CCMSetup.exe
1354

CCMEVALHOUR

IGNOREAPPVVERSIONCHECK

Property

More information

IGNOREAPPVVERSIONCHECK=TRUE NOTIFYONLY Specifies that client status will report, but not remediate problems that are found with the Configuration Manager client. For more information, see How to Configure Client Status in Configuration Manager.

Supported Attribute Values for the PKI Certificate Selection Criteria

Configuration Manager supports the following attribute values for the PKI certificate selection criteria:
OID attribute Distinguished Name attribute Attribute definition

0.9.2342.19200300.100.1.25 1.2.840.113549.1.9.1 2.5.4.3 2.5.4.4 2.5.4.5 2.5.4.6 2.5.4.7 2.5.4.8 2.5.4.9 2.5.4.10 2.5.4.11 2.5.4.12 2.5.4.42 2.5.4.43 2.5.29.17

DC E or E-mail CN SN SERIALNUMBER C L S or ST STREET O OU T or Title G or GN or GivenName I or Initials (no value)

Domain component Email address Common name Subject name Serial number Country code Locality State or province name Street address Organization name Organizational unit Title Given name Initials Subject Alternative Name

See Also
Technical Reference for Client Deployment in Configuration Manager
1355

About Client Installation Properties Published to Active Directory Domain Services in Configuration Manager
When you extend the Active Directory schema for System Center 2012 Configuration Manager and the site is published to Active Directory Domain Services, many client installation properties are published to Active Directory Domain Services. If a computer can locate these client installation properties, it can use them during Configuration Manager client deployment. The advantages of using Active Directory Domain Services to publish client installation properties include the following: Software update point-based client installation and Group Policy client installations do not require setup parameters to be provisioned on each computer. Because this information is automatically generated, the risk of human error associated with manually entering installation properties is eliminated.

Client installation (CCMSetup) uses the client installation properties that are published to Active Directory Domain Services only if no other properties are specified by using any of the following methods: Manual installation Provisioning client installation properties by using Group Policy Note The client installation properties are used to install the client and might be overwritten with new settings from its assigned site after the client is installed and has successfully assigned to a Configuration Manager site. Use the following table to determine which Configuration Manager client installation methods use Active Directory Domain Services to obtain client installation properties.
Installation Method Comments

Client push installation

Client push installation does not use Active Directory Domain Services to obtain installation properties. Instead, you can specify client.msi installation properties in the Client tab of the Client Push Installation Properties dialog box. These options and client-related site settings are stored in a file that the client reads during client installation. Note You do not have to specify any
1356

Installation Method

Comments

CCMSetup properties for client push installation, or the fallback status point, or the trusted root key in the Client tab. These settings are automatically supplied to clients when they are installed by using client push installation. Any client.msi properties that you specify in the Client tab are published to Active Directory Domain Services if the site is published to Active Directory Domain Services. These settings are read by client installations where CCMSetup is run with no installation properties. Software update point-based installation The software update point-based installation method does not support the addition of installation properties to the CCMSetup command line. If no command line properties have been provisioned on the client computer by using Group Policy, CCMSetup searches Active Directory Domain Services for installation properties. Group Policy installation The Group Policy installation method does not support the addition of installation properties to the CCMSetup command line. If no command line properties have been provisioned on the client computer, CCMSetup searches Active Directory Domain Services for installation properties. Manual installation CCMSetup searches Active Directory Domain Services for installation properties under the following circumstances: No command line properties are specified after the CCMSetup.exe command. The computer has not been provisioned with installation properties by using Group Policy.

Logon script installation

CCMSetup searches Active Directory Domain Services for installation properties under the
1357

Installation Method

Comments

following circumstances: No command line properties are specified after the CCMSetup.exe command. The computer has not been provisioned with installation properties by using Group Policy.

Software distribution installation

CCMSetup searches Active Directory Domain Services for installation properties under the following circumstances: No command line properties are specified after the CCMSetup.exe command. The computer has not been provisioned with installation properties by using Group Policy.

Installations for clients that cannot access Active Directory Domain Services for published information: Workgroup computers Clients that are assigned to a Configuration Manager site that is not published to Active Directory Domain Services Clients that are installed when they are on the Internet

These client computers cannot read installation properties from Active Directory Domain Services, and so will not be able to access the published installation properties.

The following client installation properties are published by Configuration Manager to Active Directory Domain Services. For more information about each item, see About Client Installation Properties in Configuration Manager. The Configuration Manager site code. The site server signing certificate. The trusted root key. The client communication ports for HTTP and HTTPS. The fallback status point. If the site has multiple fallback status points, only the first one that was installed will be published to Active Directory Domain Services. A setting to indicate that the client must communicate by using HTTPS only. Settings related to PKI certificates: Whether to use a client PKI certificate. The selection criteria for certificate selection, if this is required because the client has more than one valid PKI certificate that can be used for Configuration Manager.

1358

A setting to determine which certificate to use if the client has multiple valid certificates after the certificate selection process. The certificate issuers list that contains a list of trusted root CA certificates.

Client.msi installation properties that are specified in the Client tab of the Client Push Installation Properties dialog box.

See Also
Technical Reference for Client Deployment in Configuration Manager

Administrator Checklist: Deploying Clients in Configuration Manager

Use the following checklist for Configuration Manager client deployment to help you plan, configure, deploy, and manage Configuration Manager clients in your organization.
Step More information

Review the introductory information for client deployment and if applicable, changes since Configuration Manager 2007 Review the prerequisites for installing Configuration Manager clients and make any required changes Plan for any changes you must make for client deployment and make any required changes Configure your Configuration Manager hierarchy and infrastructure to prepare for client deployment

Introduction to Client Deployment in Configuration Manager

Prerequisites for Windows Client Deployment in Configuration Manager

Planning for Client Deployment in Configuration Manager How to Configure Client Communication Port Numbers in Configuration Manager How to Configure Client Computers to Find Management Points by using DNS Publishing in Configuration Manager How to Prevent the Client Software from Installing on Specific Computers in Configuration Manager

Configure the client settings that will manage the devices when the client is installed Deploy the Configuration Manager client to devices

How to Configure Client Settings in Configuration Manager For Windows computers: How to Install Clients on Windows-Based
1359

Step

More information

Computers in Configuration Manager How to Assign Clients to a Site in Configuration Manager

For Mac computers (Configuration Manager SP1): How to Install Clients on Mac Computers in Configuration Manager

For Linux and UNIX computers (Configuration Manager SP1): How to Install Clients on Linux and UNIX Computers in Configuration Manager How to Install Clients on Mobile Devices and Enroll Them by Using Configuration Manager

For mobile devices:

Configure client status to monitor clients on Windows computers For Configuration Manager SP1 only: For mobile devices that you want to enroll by using Windows Intune: Configure a Windows Intune subscription and then install the Windows Intune connector

How to Configure Client Status in Configuration Manager How to Manage Mobile Devices by Using the Windows Intune Connector in Configuration Manager

For mobile devices that you want to manage but cannot enroll by using Configuration Manager or Windows Intune: Install and configure the Exchange Server connector

How to Manage Mobile Devices by Using the Exchange Server Connector in Configuration Manager

Manage devices

How to Manage Clients in Configuration Manager How to Monitor Clients in Configuration Manager

Monitor Configuration Manager clients to ensure that they remain managed

See Also
Technical Reference for Client Deployment in Configuration Manager

1360

Windows Firewall and Port Settings for Client Computers in Configuration Manager
Client computers in System Center 2012 Configuration Manager that run Windows Firewall often require you to configure exceptions to allow communication with their site. The exceptions that you must configure depend on the management features that you use with the Configuration Manager client. Use the following sections to identify these management features and for more information about how to configure Windows Firewall for these exceptions.

Modifying the Ports and Programs Permitted by Windows Firewall

Use the following procedure to modify the ports and programs on Windows Firewall for the Configuration Manager client. To modify the ports and programs permitted by Windows Firewall 1. On the computer that runs Windows Firewall, open Control Panel. 2. Right-click Windows Firewall, and then click Open. 3. Configure any required exceptions and any custom programs and ports that you require.

Programs and Ports that Configuration Manager Requires

The following Configuration Manager features require exceptions on the Windows Firewall:

Queries
If you run the Configuration Manager console on a computer that runs Windows Firewall, queries fail the first time that they are run and the operating system displays a dialog box asking if you want to unblock statview.exe. If you unblock statview.exe, future queries will run without errors. You can also manually add Statview.exe to the list of programs and services on the Exceptions tab of the Windows Firewall before you run a query.

Client Push Installation

To use client push to install the System Center 2012 Configuration Manager client, add the following as exceptions to the Windows Firewall: Outbound and inbound: File and Printer Sharing Inbound: Windows Management Instrumentation (WMI)
1361

Client Installation by Using Group Policy

To use Group Policy to install the Configuration Manager client, add File and Printer Sharing as an exception to the Windows Firewall.

Client Requests
For client computers to communicate with Configuration Manager site systems, add the following as exceptions to the Windows Firewall: Outbound: TCP Port 80 (for HTTP communication) Outbound: TCP Port 443 (for HTTPS communication) Important These are default port numbers that can be changed in Configuration Manager. For more information, see How to Configure Client Communication Port Numbers in Configuration Manager. If these ports have been changed from the default values, you must also configure matching exceptions on the Windows Firewall.

Client Notification (Configuration Manager SP1 only)

For the management point to notify client computers about an action that it must take when an administrative user selects a client action in the Configuration Manager console, such as download computer policy or initiate a malware scan, add the following as an exception to the Windows Firewall: Outbound: TCP Port 10123 If this communication does not succeed, Configuration Manager automatically falls back to using the existing client-to-management point communication port of HTTP, or HTTPS: Outbound: TCP Port 80 (for HTTP communication) Outbound: TCP Port 443 (for HTTPS communication) Important These are default port numbers that can be changed in Configuration Manager. For more information, see How to Configure Client Communication Port Numbers in Configuration Manager. If these ports have been changed from the default values, you must also configure matching exceptions on the Windows Firewall.

Network Access Protection

For client computers to successfully communicate with the System Health Validator point, allow the following ports: Outbound: UDP 67 and UDP 68 for DHCP Outbound: TCP 80/443 for IPsec

1362

Remote Control
To use Configuration Manager remote control, allow the following port: Inbound: TCP Port2701

Remote Assistance and Remote Desktop

To initiate Remote Assistance from the Configuration Manager console, add the custom program Helpsvc.exe and the inbound custom port TCP 135 to the list of permitted programs and services in Windows Firewall on the client computer. You must also permit Remote Assistance and Remote Desktop. If you initiate Remote Assistance from the client computer, Windows Firewall automatically configures and permits Remote Assistance and Remote Desktop.

Wake-Up Proxy (Configuration Manager SP1 only)

If you enable the wake-up proxy client setting, a new service named ConfigMgr Wake-up Proxy uses a peer-to-peer protocol to check whether other computers are awake on the subnet and to wake them up if necessary. This communication uses the following ports: Outbound: UDP Port 25536 Outbound: UDP Port 9 These are the default port numbers that can be changed in Configuration Manager by using the Power Management clients settings of Wake-up proxy port number (UDP) and Wake On LAN port number (UDP). If you specify the Power Management: Windows Firewall exception for wake-up proxy client setting, these ports are automatically configured in Windows Firewall for clients. However, if clients run a different firewall, you must manually configure the exceptions for these port numbers. In addition to these ports, wake-up proxy also uses Internet Control Message Protocol (ICMP) echo request messages from one client computer to another client computer. This communication is used to confirm whether the other client computer is awake on the network. ICMP is sometimes referred to as TCP/IP ping commands. Configuration Manager does not configure Windows Firewall for these TCP/IP ping commands and you must manually permit this ICMP traffic for wake-up proxy communication to succeed. Use the following procedure to help you configure Windows Firewall with a custom inbound rule that allows inbound TCP/IP ping commands for wake-up proxy. To configure Windows Firewall to allow TCP/IP ping commands 1. In the Windows Firewall with Advanced Security console, create a new inbound rule. 2. In the New Inbound Rule Wizard, on the Rule Type page, select Custom, and then click Next. 3. On the Program page, keep the default of All programs, and then click Next. 4. On the Protocols and Ports page, click the drop-down for Protocol type, select ICMPv4, and then click the Customize button. 5. In the Customize ICMP Settings dialog box, click Specific ICMP types, select Echo
1363

Request, and then click OK. 6. In the New Inbound Rule Wizard, click Next. 7. On the Scope page, keep the default settings for any local or remote IP address, and click Next. 8. On the Action page, make sure that Allow the connection is selected, and then click Next. 9. On the Profile page, select the profiles that will use wake-up proxy (for example, Domain), and then click Next. 10. On the Name page, specify a name for this custom rule, and optionally, type a description to help identify that this rule is required for wake-up proxy communication. Then click Finish to close the wizard. For more information about wake-up proxy, see the Planning How to Wake Up Clients section in the Planning for Communications in Configuration Manager topic

Windows Event Viewer, Windows Performance Monitor, and Windows Diagnostics

To access Windows Event Viewer, Windows Performance Monitor, and Windows Diagnostics from the Configuration Manager console, enable File and Printer Sharing as an exception on the Windows Firewall.

Ports Used During Configuration Manager Client Deployment

The following tables list the ports that are used during the client installation process. Important If there is a firewall between the site system servers and the client computer, confirm whether the firewall permits traffic for the ports that are required for the client installation method that you choose. For example, firewalls often prevent client push installation from succeeding because they block Server Message Block (SMB) and Remote Procedure Calls (RPC). In this scenario, use a different client installation method, such as manual installation (running CCMSetup.exe) or Group Policy-based client installation. These alternative client installation methods do not require SMB or RPC. For information about how to configure Windows Firewall on the client computer, see Modifying the Ports and Programs Permitted by Windows Firewall.

Ports that are used for all installation methods

Description UDP TCP

Hypertext Transfer Protocol

--

80 (See note 1, Alternate Port

1364

Description

UDP

TCP

(HTTP) from the client computer to a fallback status point, when a fallback status point is assigned to the client.

Available)

Ports that are used with client push installation

In addition to the ports listed in the following table, client push installation also uses Internet Control Message Protocol (ICMP) echo request messages from the site server to the client computer to confirm whether the client computer is available on the network. ICMP is sometimes referred to as TCP/IP ping commands. ICMP does not have a UDP or TCP protocol number, and so it is not listed in the following table. However, any intervening network devices, such as firewalls, must permit ICMP traffic for client push installation to succeed.
Description UDP TCP

Server Message Block (SMB) between the site server and client computer. RPC endpoint mapper between the site server and the client computer. RPC dynamic ports between the site server and the client computer. Hypertext Transfer Protocol (HTTP) from the client computer to a management point when the connection is over HTTP.

--

445

135

135

--

DYNAMIC

--

80 (See note 1, Alternate Port Available)

Secure Hypertext Transfer -Protocol (HTTPS) from the client computer to a management point when the connection is over HTTPS.

443 (See note 1, Alternate Port Available)

Ports that are used with software update point-based installation

1365

Description

UDP

TCP

Hypertext Transfer Protocol (HTTP) from the client computer to the software update point. Secure Hypertext Transfer Protocol (HTTPS) from the client computer to the software update point. Server Message Block (SMB) between the source server and the client computer when you specify the CCMSetup commandline property /source:<Path>.

--

80 or 8530 (See note 2, Windows Server Update Services) 443 or 8531 (See note 2, Windows Server Update Services)

--

--

445

Ports that are used with Group Policy-based installation

Description UDP TCP

Hypertext Transfer Protocol (HTTP) from the client computer to a management point when the connection is over HTTP. Secure Hypertext Transfer Protocol (HTTPS) from the client computer to a management point when the connection is over HTTPS.

--

80 (See note 1, Alternate Port Available)

--

443 (See note 1, Alternate Port Available)

Server Message Block (SMB) -between the source server and the client computer when you specify the CCMSetup commandline property /source:<Path>.

445

Ports that are used with manual installation and logon scriptbased installation

1366

Description

UDP

TCP

Server Message Block (SMB) between the client computer and a network share from which you run CCMSetup.exe. Note When you install System Center 2012 Configuration Manager, the client installation source files are copied and automatically shared from the <InstallationPath>\Client folder on management points. However, you can copy these files and create a new share on any computer on the network. Alternatively, you can eliminate this network traffic by running CCMSetup.exe locally, for example, by using removable media. Hypertext Transfer Protocol (HTTP) from the client computer to a management point when the connection is over HTTP, and you do not specify the CCMSetup commandline property /source:<Path>. Secure Hypertext Transfer Protocol (HTTPS) from the client computer to a management point when the connection is over HTTPS, and you do not specify the CCMSetup commandline property /source:<Path>. Server Message Block (SMB) between the source server and the client computer when you specify the CCMSetup command-line property /source:<Path>.

--

445

--

80 (See note 1, Alternate Port Available)

--

443 (See note 1, Alternate Port Available)

--

445

1367

Ports that are used with software distribution-based installation

Description UDP TCP

Server Message Block (SMB) between the distribution point and the client computer. Hypertext Transfer Protocol (HTTP) from the client to a distribution point when the connection is over HTTP. Secure Hypertext Transfer Protocol (HTTPS) from the client to a distribution point when the connection is over HTTPS.

--

445

--

80 (See note 1, Alternate Port Available)

--

443 (See note 1, Alternate Port Available)

Notes
1 Alternate Port Available In Configuration Manager, you can define an alternate port for this value. If a custom port has been defined, substitute that custom port when you define the IP filter information for IPsec policies or for configuring firewalls. 2 Windows Server Update Services You can install Windows Server Update Service (WSUS) either on the default Web site (port 80) or a custom Web site (port 8530). After installation, you can change the port. You do not have to use the same port number throughout the site hierarchy. If the HTTP port is 80, the HTTPS port must be 443. If the HTTP port is anything else, the HTTPS port must be 1 higher for example, 8530 and 8531.

See Also
Technical Reference for Client Deployment in Configuration Manager

1368

Example Scenario for Deploying and Managing Configuration Manager Clients on Windows Embedded Devices
Note The information in this topic applies only to System Center 2012 Configuration Manager SP1. Note This topic appears in the Deploying Clients for System Center 2012 Configuration Manager guide and in the Scenarios and Solutions Using System Center 2012 Configuration Manager guide. This scenario demonstrates how you can manage write-filter-enabled Windows Embedded devices by using System Center 2012 Configuration Manager SP1. If you have Configuration Manager with no service pack, Configuration Manager cannot automatically disable and reenable the write filters and you must take additional steps to do this before and after you install software. If your embedded devices do not support write filters, they behave as standard Configuration Manager clients and you do not have to take the steps in this scenario that are required to manage write filters. Coho Vineyard & Winery is opening a visitor center and is interested in kiosks that run Windows Embedded to run interactive presentations. The building for the new visitor center is not close to the IT department, so it is important that the kiosks can be managed remotely. In addition to installing the software that runs the interactive presentations, these devices must run up-to-date antimalware protection software to comply with the company security policies. To make sure that the interactive presentations are always available for visitors, the kiosks must run 7 days a week, with no downtime while the visitor center is open. Coho Vineyard & Winery already runs Configuration Manager SP1 to manage devices on their network. Configuration Manager is configured to run Endpoint Protection, and install software updates and applications. However, because the IT team has not managed Windows Embedded devices before, Jane, the Configuration Manager administrator, runs a pilot to manage two kiosks that are in the companys reception lobby. If the pilot is successful in remotely managing these devices, the purchase order for the visitor center kiosks can be approved. To manage these Windows Embedded devices that are write-filter-enabled, Jane performs the following steps to install the Configuration Manager client, protect the client by using Endpoint Protection, and install the interactive presentation software.
Process Reference

Jane reads how Windows Embedded devices uses write filters, and how Configuration Manager SP1 can make this easier by

The Deploying the Configuration Manager Client to Windows Embedded Devices section in the Introduction to Client Deployment in
1369

Process

Reference

automatically disabling and then re-enabling the Configuration Manager topic writer filters, to persist a software installation. Before she installs the Configuration Manager client, Jane creates a new query-based device collection for the Windows Embedded devices. Because the company uses standard naming formats to identify their computers, Jane can uniquely identify Windows Embedded devices by the first six letters of the computer name: WEMDVC. She uses the following WQL query to create this collection: select SMS_R_System.NetbiosName from SMS_R_System where SMS_R_System.NetbiosName like "WEMDVC%" This collection allows her to manage the Windows Embedded devices with different configuration options from the other devices. She will use this collection to control restarts, deploy Endpoint Protection with client settings, and deploy the interactive presentation application. Jane configures the collection for a How to Use Maintenance Windows in maintenance window to ensure that restarts Configuration Manager that might be required for installing the presentation application and any upgrades do not occur during opening hours for the visitor center. Opening hours will be 09:00 through 18:00, Monday through Sunday. She configures the maintenance window for every day, 18:30 through 06:00. Jane then configures a custom device client setting to install the Endpoint Protection client by selecting Yes for the following settings, and then deploys this custom client setting to the Windows Embedded device collection: Install Endpoint Protection client on client computers For Windows Embedded devices with write filters, commit Endpoint Protection
1370

How to Create Collections in Configuration Manager

Step 5: Configure Custom Client Settings for Endpoint Protection in How to Configure Endpoint Protection in Configuration Manager

Process

Reference

client installation (requires restart) Allow Endpoint Protection client installation and restart to be performed outside maintenance windows

When the Configuration Manager client is installed, these settings install the Endpoint Protection client and ensure that it is persisted in the operating system as part of the installation, rather than written to the overlay only. The company security policies require that the antimalware software is always installed and Jane does not want to run the risk of the kiosks being unprotected for even a short period of time if they restart. Note The restarts that are required to install the Endpoint Protection client are a one-time occurrence, which happen during the setup period for the devices and before the visitor center is operational. Unlike the periodic deployment of applications or software definition updates, the next time the Endpoint Protection client is installed on the same device will probably be when the company upgrades to the next version of Configuration Manager. With the configuration settings for the client now in place, Jane prepares to install the Configuration Manager clients. Before she can install the clients, she must manually disable the write filter on the Windows Embedded devices. She reads the OEM documentation that accompanies the kiosks and follows their instructions to disable the write filters. Jane renames the device so it uses the company standard naming format, and then installs the client manually by running CCMSetup with the following command from a mapped drive that holds the client source files:
1371

How to Install Clients on Windows-Based Computers in Configuration Manager How to Assign Clients to a Site in Configuration Manager

Process

Reference

CCMSetup.exe /MP:mpserver.cohovineyardandwinery.com SMSSITECODE=CO1 This command installs the client, assigns the client to the management point that has the intranet FQDN of mpserver.cohovineyardandwinery.com, and assigns the client to the primary site named CO1. Jane knows that it always takes a while for clients to install and send back their status to the site. So she waits before she confirms that the clients successfully install, assign to the site, and appear as clients in the collection that she created for Windows Embedded devices. As additional confirmation, on the Windows Embedded devices, she checks the properties of Configuration Manager in Control Panel and compares them to standard Windows computers that are managed by the site. For example, on the Components tab, the Hardware Inventory Agent displays Enabled, and on the Actions tab, there are 11 available actions, which include Application Deployment Evaluation Cycle and Discovery Data Collection Cycle. Confident that the clients are successfully installed, assigned, and receiving client policy from the management point, Jane then manually enables the write filters by following the instructions from the OEM. Now that the Configuration Manager client is How to Manage Clients in Configuration installed on the Windows Embedded devices, Manager Jane confirms that she can manage them in the same way as she manages the standard Windows clients. For example, from the Configuration Manager console, she can remotely manage them by using remote control, initiate client policy for them, and view client properties and hardware inventory.
1372

Process

Reference

Because these devices are joined to an Active Directory domain, she does not have to manually approve them as trusted clients and confirms from the Configuration Manager console that they are approved. To install the interactive presentation software, Jane runs the Deploy Software Wizard and configures a required application. On the User Experience page of the wizard, in the Write filter handling for Windows Embedded devices section, she accepts the default option that selects Commit changes at deadline or during a maintenance window (requires restarts). Jane keeps this default option for write filters to ensure that the application persists after a restart, so that it is always available to the visitors using the kiosks. The daily maintenance window provides a safe period during which the restarts for installation and any updates can occur. Jane deploys the application to the Windows Embedded devices collection. To configure definition updates for Endpoint Protection, Jane uses software updates and runs the Create Automatic Deployment Rule Wizard. She selects the Definition Updates template to prepopulate the wizard with settings that are appropriate for Endpoint Protection. These settings include the following on the User Experience page of the wizard: Deadline behavior: The Software Installation check box is not selected. Write filter handling for Windows Embedded devices: The Commit changes at deadline or during a maintenance window (requires restarts) check box is not selected. Step 3: Configure Configuration Manager Software Updates to Deliver Definition Updates to Client Computers in How to Configure Endpoint Protection in Configuration Manager How to Deploy Applications in Configuration Manager

Jane keeps these default settings. Together, these two options with this configuration allow
1373

Process

Reference

any software update definitions for Endpoint Protection to be installed in the overlay during the day and not wait to be installed and committed during the maintenance window. This configuration best meets the company security policy for computers to run up-to-date antimalware protection. Note Unlike software installations for applications, software update definitions for Endpoint Protection can occur very frequently, even multiple times a day. They are often small files. For these types of security-related deployments, it can often be beneficial to always install to the overlay rather than wait until the maintenance window. The Configuration Manager client will quickly re-install the software definition updates if the device restarts because this action initiates an evaluation check and does not wait until the next scheduled evaluation. Jane selects the Windows Embedded devices collection for the automatic deployment rule. Jane decides to configure a maintenance task that periodically commits all changes on the overlay. This task is to support the software update definitions deployment, to reduce the number of updates that accumulate and must be installed again, each time the device restarts. In her experience, this helps the antimalware programs run more efficiently. Note These software update definitions would be automatically committed to the image if the embedded devices ran another management task that supported committing the changes. For
1374

How to Manage Task Sequences in Configuration Manager

Process

Reference

example, installing a new version of the interactive presentation software would also commit the changes for software update definitions. Or, installing standard software updates every month that install during the maintenance window could also commit the changes for software update definitions. However, in this scenario, where standard software updates do not run and the interactive presentation software is unlikely to be updated very often, it might be months before the software definition updates are automatically committed to the image. Jane first creates a custom task sequence that has no settings other than the name. She runs the Create Task Sequence Wizard: 1. On the Create a New Task Sequence page, she selects Create a new custom task sequence, and then clicks Next. 2. On the Task Sequence Information page, she enters Maintenance task to commit changes on embedded devices for the task sequence name, and then clicks Next. 3. On the Summary page, she selects Next, and completes the wizard. Jane then deploys this custom task sequence to the Windows Embedded devices collection, and configures the schedule to run every month. As part of the deployment settings, she selects the Commit changes at deadline or during a maintenance window (requires restarts) check box to persist the changes after a restart. To configure this deployment, she selects the custom task sequence that she just created, and then on the Home tab, in the Deployment group, she clicks Deploy to start the Deploy Software Wizard: 1. On the General page, she selects the Windows Embedded devices collection,
1375

Process

Reference

and then clicks Next. 2. On the Deployment Settings page, she selects the Purpose of Required, and then clicks Next. 3. On the Scheduling page, she clicks New to specify a weekly schedule during the maintenance window, and then clicks Next. 4. She completes the wizard without any further changes. For the kiosks to run automatically, Jane writes a script to configure the devices for the following settings: Automatically log on, using a guest account that has no password. Automatically run the interactive presentation software on startup. Packages and Programs in Configuration Manager

Jane uses packages and programs to deploy this script to the Windows Embedded devices collection. When she runs the Deploy Software Wizard, she again selects the Commit changes at deadline or during a maintenance window (requires restarts) check box to persist the changes after a restart. The following morning, Jane checks the Windows Embedded devices. She confirms the following: The kiosk is automatically logged on by using the guest account. The interactive presentation software is running. The Endpoint Protection client is installed and has the latest software update definitions. That the device restarted during the maintenance window. How to Monitor Endpoint Protection in Configuration Manager How to Monitor Applications in Configuration Manager

Jane monitors the kiosks and reports the successful management of them to her manager. As a result, 20 kiosks are ordered for the visitor center. To avoid the manual installation of the Configuration Manager client, which requires manually disabling and then enabling the write filters, Jane ensures that the order includes a customized
1376

image that already includes the installation and site assignment of the Configuration Manager SP1 client. In addition, the devices are named according to the company naming format. The kiosks are delivered to the visitor center a week before it opens. During this time, the kiosks are connected to the network, all device management for them is automatic, and no local administrator is required. Jane confirms that the kiosks are functioning as required: The clients on the kiosks complete site assignment and download the trusted root key from Active Directory Domain Services. The clients on the kiosks are automatically added to the Windows Embedded devices collection and configured with the maintenance window. The Endpoint Protection client is installed and has the latest software update definitions for antimalware protection. The interactive presentation software is installed and runs automatically, ready for visitors.

After this initial setup, any restarts that might be required for updates occur only when the visitor center is closed.

See Also
Technical Reference for Client Deployment in Configuration Manager

Technical Reference for the Configuration Manager Client for Linux and UNIX
Note The information in this topic applies only to System Center 2012 Configuration Manager SP1. This topic contains technical information for the Configuration Manager client for Linux and UNIX.

Component Services of the Configuration Manager Client for Linux and UNIX
The following table identifies the client component services of the Configuration Manager client for Linux and UNIX.
File name More information

ccmexec.bin

This service is equivalent to the ccmexc service on a Windows-based client. It is responsible for all communications with Configuration Manager site system roles, and also communicates with
1377

File name

More information

the nwserver.bin service to collect hardware inventory from the local computer. For a list of supported command line arguments, run ccmexec -h nwserver.bin This service is the CIM server. The CIM server provides a framework for pluggable software modules called providers. Providers interact with Linux and UNIX computer resources and collect the hardware inventory data. For example, the process provider for a Linux computer collects data associated with the Linux operating system processes.

The following table lists commands that you can use to start, stop, or restart the client services (ccmexec.bin and nwserver.bin) on each version of Linux or UNIX. When you start or stop the ccmexec service, the nwserver service also starts or stops.
Operating system Commands

Red Hat Enterprise Linux (RHEL)

Start: /etc/init.d/ccmexecd start Stop: /etc/init.d/ccmexecd stop Restart: /etc/init.d/ccmexecd restart

Solaris 9

Start: /etc/init.d/ccmexecd start Stop: /etc/init.d/ccmexecd stop Restart: /etc/init.d/ccmexecd restart

Solaris 10

Start: svcadm enable -s svc:/application/management/ccmexecd Stop: svcadm disable -s svc:/application/management/ccmexecd

SUSE Linux Enterprise Server (SLES)

Start: /etc/init.d/ccmexecd start Stop: /etc/init.d/ccmexecd stop Restart: /etc/init.d/ccmexecd restart

1378

Administrator Checklist: Configuring Configuration Manager to Manage Mobile Devices by Using Windows Intune
Note The information in this topic applies only to System Center 2012 Configuration Manager SP1. Use the following checklist to help you configure Configuration Manager SP1 to manage mobile devices by using the Windows Intune service. For additional information about these steps, see How to Manage Mobile Devices by Using the Windows Intune Connector in Configuration Manager.
Step More information

Sign up for a Windows Intune organizational account

Sign up for an account at Windows Intune. For more information, see Windows Intune organizational account in the documentation library for Windows Intune. All user accounts must have a publicly registered UPN that can be verified by Windows Intune. GoDaddy or Symantec are typical examples of companies that provide domain names. Before synchronizing the Active Directory user account, you must verify that user accounts have a public domain UPN. For more information, see Add User Principal Name Suffixes in the Active Directory documentation library. You can create a Configuration Manager custom report to verify that the UPN of the users who are discovered is consistent with the Intune Account Portal by using the following SQL query:
SELECT UserPrincipalName, COUNT(*) AS NumOfOccurances FROM (SELECT RIGHT(User_Principal_Name0, LEN(User_Principal_Name0)-PATINDEX('%@%',

Make sure that you have a publicly registered domain name

Verify that users have a public domain UPN

1379

Step

More information
User_Principal_Name0)) AS UserPrincipalName FROM CM_EC1.dbo.v_R_User) AS sub GROUP BY UserPrincipalName

Optional, but strongly recommended: Deploy and configure Active Directory Federated Services (AD FS)

When you set up single sign-on, your users can sign in with their corporate credentials to access the services in Windows Intune. For more information, see the following topics: Prepare for single sign-on Plan for and deploy AD FS 2.0 for use with single sign-on

Deploy and configure directory synchronization

Directory synchronization lets you populate Windows Intune with synchronized user accounts. The synchronized user accounts and security groups are added to Windows Intune. For more information, see Configure directory synchronization in the Active Directory documentation library. If you are not using AD FS, you must set a Microsoft Online password for each user.

Optional, not recommended: If you are not using AD FS, reset users Microsoft Online passwords Create a DNS alias

Create a DNS alias (CNAME record type). You have to configure a CNAME in DNS that redirects EnterpriseEnrollment.<company domain name>.com to manage.microsoft.com. For example, if Melissa's email address is [email protected], you have to create a CNAME in DNS that redirects EnterpriseEnrollment.contoso.com to manage.microsoft.com. The CNAME record is used as part of the enrollment process.

Obtain the required certificates or keys for mobile device platforms

For Windows RT devices: Prerequisites for Enrolling Windows RT Devices Prerequisites for Enrolling Windows Phone 8 Devices

For Windows Phone 8 devices:

1380

Step

More information

For iOS devices: Create the Windows Intune subscription Add the Windows Intune connector site system role Prerequisites for Enrolling iOS Devices

How to create the Windows Intune subscription How to configure the Windows Intune Connector role

Verify that Configuration Manager is successfully connecting to the Windows Intune service

Check the Cloudusersync.log to verify that user accounts are successfully synchronized. Check the Sitecomp.log to verify that the Windows Intune connector was created successfully.

See Also
Technical Reference for Client Deployment in Configuration Manager

Deploying Software and Operating Systems in System Center 2012 Configuration Manager
The Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide provides documentation to help you plan, configure, and manage the deployment of software and operating systems in Microsoft System Center 2012 Configuration Manager. If you are new to Configuration Manager, read Getting Started with System Center 2012 Configuration Manager before you read this guide.

Deploying Software and Operating System Topics

Use the following topics to help you deploy applications, software updates, operating systems, and to manage content in System Center 2012 Configuration Manager: Content Management in Configuration Manager Application Management in Configuration Manager Software Updates in Configuration Manager Operating System Deployment in Configuration Manager
1381

Other Resources for this Product

TechNet Library main page for System Center 2012 Configuration Manager Documentation Library for System Center 2012 Configuration Manager

Content Management in Configuration Manager

Content management in Microsoft System Center 2012 Configuration Manager provides the tools for you to manage content files for applications, packages, software updates, and operating system deployment. Before you can deploy software to devices, the distribution point infrastructure must be in place and the content files available on the distribution points.

Content Management Topics

The following topics help you manage content in System Center 2012 Configuration Manager: Introduction to Content Management in Configuration Manager Planning for Content Management in Configuration Manager Configuring Content Management in Configuration Manager Operations and Maintenance for Content Management in Configuration Manager Security and Privacy for Content Management in Configuration Manager Technical Reference for Content Management in Configuration Manager

Other Resources for this Product

TechNet Library main page for System Center 2012 Configuration Manager Deploying Software and Operating Systems in System Center 2012 Configuration Manager

Introduction to Content Management in Configuration Manager

Content management in System Center 2012 Configuration Manager provides the tools for you to manage content files for applications, packages, software updates, and operating system deployment. Before you can deploy software to Configuration Manager clients, the distribution point infrastructure must be in place, and the content files must be available on the distribution points. For additional information about content management, see the following sections: Distribution Points
1382

Preferred Distribution Points Bandwidth Throttling and Scheduling PXE and Multicast Pull-Distribution Points

Distribution Point Groups Prestaging Content Managing Content Content Library Content Monitoring and Validation Whats New in Configuration Manager Whats New in Configuration Manager SP1

Distribution Points
Configuration Manager uses distribution points to store files that are required for software to run on client computers. Clients must have access to at least one distribution point from which they can download the files. For more information about distribution points, see the following topics: Planning for Content Management in Configuration Manager Configuring Content Management in Configuration Manager Operations and Maintenance for Content Management in Configuration Manager

Preferred Distribution Points

When you install and configure a distribution point, you have the option to assign boundary groups to the distribution point. When the clients current network location is in a boundary group that is associated with the distribution point, it is considered a preferred distribution point for that client. When a client requests content, the client first connects to a preferred distribution point to retrieve the application or package content. If the content is not available on any preferred distribution points, depending on the configuration options that you set, the client can retrieve the content from a fallback distribution point. For more information, see the Planning for Preferred Distribution Points and Fallback section in the Planning for Content Management in Configuration Manager topic.

Bandwidth Throttling and Scheduling

You can configure bandwidth settings, throttling settings, and create a schedule for content distribution between the site server and distribution point from the distribution point properties. You can configure a schedule and set specific throttling settings on remote distribution points that determine when and how Configuration Manager distributes content. For distribution points not installed on the site server, you can configure different settings that help address network bandwidth limitations from the site server to the distribution point. The scheduling and throttling settings for distribution points are similar to the settings for a standard sender address.
1383

For more information about bandwidth throttling and scheduling, see the following: The Planning for Scheduling and Throttling section in the Planning for Content Management in Configuration Manager topic. The Modify the Distribution Point Configuration Settings section in the Configuring Content Management in Configuration Manager topic.

PXE and Multicast

You have the option to enable PXE and multicast in the properties of a distribution point. Configuration Manager uses PXE and multicast during operating system deployment. Enable PXE and configure the associated settings for the distribution point to accept PXE requests for operating system deployment. For more information, see Planning for PXEInitiated Operating System Deployments in Configuration Manager. Enable multicast and configure the associated settings to deploy operating system images by using multicast, you must provide a distribution point that supports multicast deployments. For more information, see Planning a Multicast Strategy in Configuration Manager.

Pull-Distribution Points
For Configuration Manager SP1 only: With Configuration Manager SP1, you can configure individual distribution points to be pulldistribution points. Use of pull-distribution points can help reduce the processing load on the site server when you deploy content to a large number of distribution points at one site. By default, the primary site server transfers content that you distribute to the distribution point. However, when you configure a distribution point to be a pull-distribution point, you change how Configuration Manager distributes content to that distribution point computer. When you distribute content to a pull-distribution point, the Configuration Manager notifies the pull-distribution point which then initiates the transfer of the content from a source distribution point. For more information about pull-distribution points, see the Planning for Pull-Distribution Points section in the Planning for Content Management in Configuration Manager topic.

Distribution Point Groups

Distribution point groups provide a logical grouping of distribution points for content distribution. You can add one or more distribution points from any site in the Configuration Manager hierarchy to the distribution point group. You can also add the distribution point to more than one distribution point group. This lets you manage and monitor content from a central location for distribution points that span multiple sites. When you distribute content to a distribution point group, Configuration Manager distributes the content to all distribution points that are members of the distribution point group. If you add a distribution point to the distribution point group after an initial content distribution, Configuration Manager automatically distributes the content to the new distribution point member. You can also associate a collection to a distribution point group. When you distribute content to a collection, Configuration Manager determines the distribution point
1384

groups associated with the collection, and then the content is distributed to all distribution points that are members of distribution point groups. For more information about distribution point groups, see the following: The Plan for Distribution Point Groups section in the Planning for Content Management in Configuration Manager topic. The Create and Configure Distribution Point Groups section in the Configuring Content Management in Configuration Manager topic.

Prestaging Content
You can prestage content to add the content files to the content library on a site server or distribution point before you distribute the content. Because the content files are already in the content library, they are not transferred over the network when you distribute the content. You can prestage content files for applications and packages. In the Configuration Manager console, you select the content that you want to prestage, and then use the Create Prestaged Content File Wizard to create a compressed prestaged content file that contains the files and associated metadata for the content. Then, you can manually import the content at a site server or distribution point. When you import the prestaged content file on a site server, the content files are added to the content library on the site server, and then registered in the site server database. When you import the prestaged content file on a distribution point, the content files are added to the content library on the distribution point, and a status message is sent to the site server that informs the site that the content is available on the distribution point. You can optionally configure the distribution point as prestaged to help manage content distribution. Then, when you distribute content you can choose whether you want to always prestage the content on the distribution point, prestage the initial content for the package and then use the standard content distribution process when there are updates to the content, or always use the standard content distribution process for the content in the package. For more information about prestaging content, see the following: The Network Bandwidth Considerations for Distribution Points section in the Planning for Content Management in Configuration Manager topic to determine whether to prestage content on the remote distribution point. The Configuring Content Management in Configuration Manager topic for steps to configure the distribution point as prestaged. The Prestage Content section in the Operations and Maintenance for Content Management in Configuration Manager topic for the procedures to prestage content.

Managing Content
You can manage your content from the properties of distribution points, distribution point groups, and package types (for example, applications, deployment packages, and driver packages). From the distribution point and distribution point properties, you can review all package types that are assigned for distribution. In the package properties, you can review all distribution points and distribution point groups in which the package has been distributed. You can redistribute,
1385

validate, or remove the content in the properties for the objects. For more information about how to manage content files, see the following sections in the Operations and Maintenance for Content Management in Configuration Manager topic: Distribute Content on Distribution Points Update Content on Distribution Points Redistribute Content on Distribution Points Remove Content on Distribution Points

Content Library
The content library stores all content files for software updates, applications, operating system deployment, and so on. The content library is located on each site server and on each distribution point and provides a single instance store for content files. Before Configuration Manager downloads content files to the site server and copies the files to distribution points, Configuration Manager verifies whether each content file is already in the content library. If the content file is available, Configuration Manager does not copy the file to the distribution point, but instead associates the existing content file with the application or package. On computers where you install a distribution point, you can configure the disk drives on which you want to create the content library, and you can configure a priority for each drive. Configuration Manager copies the content files to the drive with the highest priority until that drive contains less than a minimum amount of free space that you specify. You configure the drive settings during the distribution point installation. You cannot configure the drive settings in the distribution point properties after installation completes. For more information about how to configure the drive settings for the distribution point, see the Install and Configure the Distribution Point section in the Configuring Content Management in Configuration Manager topic. Important For Configuration Manager SP1 only: To move the content library to a different location on a distribution point after the installation, use the Content Library Transfer Tool in the System Center 2012 Configuration Manager Service Pack 1 Toolkit. You can download the toolkit from the Microsoft Download Center.

About the Content Library on the Central Administration Site

By default, Configuration Manager creates a content library on the central administration site when the site installs. The content library is placed on the drive of the site server that has the most free disk space. Because you cannot install a distribution point on the central administration site, you cannot prioritize the drives for use for the content library. Similar to the content library on other site servers and on distribution points, when the drive that contains the content library runs out of available disk space, the content library automatically spans to the next available drive.
1386

Configuration Manager uses the content library on the central administration site in the following scenarios: When you create content at the central administration site. When you migrate content from another Configuration Manager site, and assign the central administration site as the site that will manage that content. Note When you create content at a primary site and then distribute it to a different primary site or a secondary site below a different primary site, the central administration site temporarily stores that content in the scheduler inbox on the central administration site but does not add that content to its content library. Use the following options to manage the content library on the central administration site: To prevent the content library from installing on a specific drive, create an empty file named no_sms_on_drive.sms and copy it to the root folder of the drive before the content library is created. After the content library is created, use Content Library Transfer tool from the System Center 2012 Configuration Manager Service Pack 1 Toolkit to manage the location of the content library. You can download the toolkit from the Microsoft Download Center.

Content Monitoring and Validation

The Configuration Manager console provides content monitoring that includes the status for all package types in relation to the associated distribution points, the status of content assigned to a specific distribution point group, the state of content assigned to a distribution point, and the status of optional features for each distribution point. For more information about monitoring content, see the Monitor Content section in the Operations and Maintenance for Content Management in Configuration Manager topic. You can enable content validation on distribution points to verify the integrity of distributed packages. You can configure content validation to run on a schedule. Or, you can manually start content validation from the properties for distribution points, distribution point groups, and package types. You can view status reports in the Monitoring workspace in the Configuration Manager console. For more information about content validation, see the following: The Configuring Content Management in Configuration Manager topic to configure content validation. The Initiate Content Validation section in the Operations and Maintenance for Content Management in Configuration Manager topic to manually start content validation.

Whats New in Configuration Manager

Note The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide.
1387

The following items are new or have changed for content management since Configuration Manager 2007. Branch distribution points were available in Configuration Manager 2007 to distribute content, for example, to a small office with limited bandwidth. In System Center 2012 Configuration Manager, there is only one distribution point type with the following new functionality: You can install the distribution point site system role on client or server computers. You can configure bandwidth settings, throttling settings, and schedule content distribution between the site server and distribution point. You can prestage content on remote distribution points and manage how Configuration Manager updates content to the prestaged distribution points. The PXE service point and the associated settings are in the properties for the distribution point.

In Configuration Manager 2007, you configure a distribution point as protected to prevent clients outside the protected boundaries from accessing the distribution point. In System Center 2012 Configuration Manager, preferred distribution points replace protected distribution points. Distribution point groups provide a logical grouping of distribution points for content distribution. You can add one or more distribution points from any site in the Configuration Manager hierarchy to the distribution point group. You can also add the distribution point to more than one distribution point group. This expanded functionality lets you manage and monitor content from a central location for distribution points that span multiple sites. The content library in System Center 2012 Configuration Manager is the location that stores all content files for software updates, applications, operating system deployment, and so on. The content library provides a single instance store for content files on the site server and distribution points, and provides an advantage over content management functionality in Configuration Manager 2007. For example, in Configuration Manager 2007, you might distribute the same content files multiple times by using different deployments and deployment packages. The result was that the same content files were stored multiple times on the site server and on distribution points and added unnecessary processing overhead and excessive hard disk space requirements. You can prestage content, which is the process to copy content, to the content library on a site server or distribution point before you distribute the content. Because the content files are already in the content library, Configuration Manager does not copy the files over the network when you distribute the content. The Configuration Manager console provides content monitoring that includes the status for all package types in relation to the associated distribution points, the status of content assigned to a specific distribution point group, the state of content assigned to a distribution point, and the status of optional features for each distribution point. You can enable content validation on distribution points to verify the integrity of packages that have been distributed to the distribution point. In Configuration Manager 2007, content files are automatically distributed to the disk drive with the most amount of free space. In System Center 2012 Configuration Manager, you
1388

configure the disk drives on which you want to store content and configure the priority for each drive when Configuration Manager copies the content files. BranchCache has been integrated in System Center 2012 Configuration Manager so that you can control usage at a more detailed level. You can configure the BranchCache settings on a deployment type for applications and on the deployment for a package.

Whats New in Configuration Manager SP1

The following items are new for content management in Configuration Manager SP1. You can configure the drive location for the content library in the Create Site System Server Wizard and Add Site System Roles Wizard when you create the distribution point site role. You can configure some distribution points as pull-distribution points. When you distribute content to a pull-distribution point, the Configuration Manager site server does not transfer the content that you distribute to the distribution point computer. Instead, Configuration Manager notifies the pull-distribution point which then transfers the content from a source distribution point that you specify.

See Also
Content Management in Configuration Manager

Planning for Content Management in Configuration Manager

Content management in System Center 2012 Configuration Manager provides the tools for you to manage content files for applications, packages, software updates, and operating system deployment. Configuration Manager uses distribution points to store files required for software to run on client computers. These distribution points function as distribution centers for the content files and let users download and run the software. Clients must have access to at least one distribution point from which they can download the files. Use the following sections in this topic to help you plan how to manage content in your Configuration Manager hierarchy: Plan for Distribution Points Distribution Point Configurations Planning for Preferred Distribution Points and Fallback Content Source Location Network Connection Speed to the Content Source Location On-Demand Content Distribution Content Source Location Scenarios

Planning for BranchCache Support

1389

Network Bandwidth Considerations for Distribution Points Planning for Scheduling and Throttling Determine Whether To Prestage Content

Planning for Cloud-Based Distribution Points Prerequisites for Cloud-Based Distribution Points Plan for the Cost of using Cloud-Based Distribution About Subscriptions and Certificates for Cloud-Based Distribution Points Site Server to Cloud-Based Distribution Point Communication Client to Cloud-Based Distribution Point Communication

Determine the Distribution Point Infrastructure

Plan for Distribution Point Groups Plan for Content Libraries Note For information about the dependencies and supported configurations for content management, see Prerequisites for Content Management in Configuration Manager.

Plan for Distribution Points

When you plan for distribution points in your hierarchy, determine what distribution point attributes you must have in your environment, how to distribute the network and system load on the distribution point, and determine the distribution point infrastructure.

Distribution Point Configurations

Distribution points can have a number of different configurations. The following table describes the possible configurations.
Distribution point configuration Descriptions

Preferred distribution point

You assign boundary groups to distribution points. The distribution points are preferred for clients that are within the boundary group for the distribution point, and the client uses preferred distribution points as the source location for content. When the content is not available on a preferred distribution point, the client uses another distribution point for the content source location. You can configure a distribution point to let clients not in the boundary groups use it as a fallback location for content.
1390

Distribution point configuration

Descriptions

PXE

Enable the PXE option on a distribution point to enable operating system deployment for Configuration Manager clients. The PXE option must be configured to respond to PXE boot requests that Configuration Manager clients on the network make and then interact with the Configuration Manager infrastructure to determine the appropriate installation actions to take. Important You can enable PXE only on a server that has Windows Deployment Services installed. When you enable PXE, Configuration Manager installs Windows Deployment Services on the distribution point site system if it is not already installed.

Multicast

Enable the multicast option on a distribution point to use multicast when you distribute operating systems. Important You can enable multicast only on a server that has Windows Deployment Services installed. When you enable multicast, Configuration Manager installs Windows Deployment Services on the distribution point site system if it is not already installed.

Pull

For Configuration Manager SP1 only: Enable the pull-distribution point option on a distribution point to change the behavior of how that computer obtains the content that you distribute to the distribution point. When you configure a distribution point to be a pulldistribution point, you must specify one or more source distribution points from which the pulldistribution point obtains the content. Important
1391

Distribution point configuration

Descriptions

Although a pull-distribution point supports communications over HTTP and HTTPS, source distribution points must be configured for HTTP. You cannot specify a source distribution point that is configured for HTTPS. Support for mobile devices You must configure the distribution point to accept HTTPS communications to support mobile devices. You must configure the distribution point to accept HTTPS communications to support Internet-based clients. Although there are no configuration requirements for the distribution point to enable streaming of virtual applications to clients, there are application management prerequisites that you must consider. For more information, see Prerequisites for Application Management in Configuration Manager.

Support for Internet-based clients

Application Virtualization

Planning for Preferred Distribution Points and Fallback

When you create a distribution point, you have the option to assign boundary groups to the distribution point. The distribution points are preferred for clients that are within a boundary group that is assigned to the distribution point.

Content Source Location

When you deploy software to a client, the client sends a content request to a management point, the management point sends a list of the preferred distribution points to the client, and the client uses one of the preferred distribution points on the list as the source location for content. When the content is not available on a preferred distribution point, the management point sends a list to the client with distribution points that have the content available. The client uses one of the distribution points for the content source location. In the distribution point properties and in the properties for a deployment type or package, you can configure whether to enable clients to use a fallback source location for content. When a preferred distribution point does not have the content and the fallback settings are not enabled, the client fails to download the content, and the software deployment fails.

1392

Network Connection Speed to the Content Source Location

You can configure the network connection speed of each distribution point in an assigned boundary group. Clients use this value when they connect to the distribution point. By default, the network connection speed is configured as Fast, but it can also be configured as Slow. When the client uses a distribution point that is not preferred, the connection to the distribution point is automatically considered as slow. The network connection speed helps determine whether a client can download content from a distribution point. You can configure the deployment behavior for each network connection speed in the deployment properties for the specific software that you are deploying. You can choose to never install software when the network connection is considered slow, download and install the software, and so on.

On-Demand Content Distribution

You can select the Distribute the content for this package to preferred distribution points property for an application or package to enable on-demand content distribution to preferred distribution points. When enabled, the management point creates a trigger for Distribution Manager to distribute the content to all preferred distribution points in the list when a client requests the content for the package and the content is not available on any preferred distribution points. Depending on the scenario, the client might wait for the content to be available on a preferred distribution point, or it might download the content from a distribution point that is configured to enable a fallback location for content source.

Content Source Location Scenarios

When you deploy software to clients, the content source location that the client uses depends on the following settings: Allow fallback source location for content: This distribution point property enables clients to fall back and use the distribution point as the source location for content when the content is not available on a preferred distribution point. Deployment properties for network connection speed: The deployment properties for network speed are configured as a property for deployed objects, such as application deployment types, software updates, and task sequence deployments. There are different settings for the different deployment objects, but the properties can configure whether to download and install the software content when the network connection speed is configured as slow. Distribute the content for this package to preferred distribution points : When you select this application deployment type or package property, you enable on-demand content distribution to preferred distribution points.

The following table provides scenarios for different content location and fallback scenarios.
Scenario: Scenario 1 Scenario 2 Scenario 3

Fallback configuration and deployment

Allow Fallback Not enabled

Allow Fallback Enabled

Deployment Fallback option:

1393

Scenario:

Scenario 1

Scenario 2

Scenario 3

behavior for slow network:

Enabled Deployment behavior Deployment behavior for slow network for slow network Deployment behavior Any configuration Do not download for slow network content Download and install content

Distribution points are online and meet the following criteria: Content is available on a preferred distribution point. Content is available on a fallback distribution point. The package configuration for on-demand package distribution is not relevant in this scenario.

The client sends a content request to the management point.

The client sends a content request to the management point. The client includes a flag with the request A content location list that indicates fallback is returned to the client distribution points are from the management allowed. point with the A content location list preferred distribution points that contain the is returned to the client from the management content. point with the preferred distribution The client downloads points and fallback the content from a distribution points that preferred distribution contain the content. point on the list. The client downloads the content from a preferred distribution point on the list.

The client sends a content request to the management point. The client includes a flag with the request to indicate that fallback distribution points are allowed. A content location list is returned to the client from the management point with the preferred distribution points and fallback distribution points that contain the content. The client downloads the content from a preferred distribution point on the list. The client sends a content request to the management point. The client includes a flag with the request that indicates fallback distribution points are allowed. A content location list is returned to the client
1394

Distribution points are online and meet the following criteria: Content is not available on a preferred distribution point. Content is available on a fallback

The client sends a content request to the management point.

The client sends a content request to the management point. The client includes a flag with the request A content location list that indicates fallback is returned to the client distribution points are from the management allowed. point with the preferred distribution points that have the A content location list content. There are no is returned to the client

Scenario:

Scenario 1

Scenario 2

Scenario 3

distribution point. The package is not configured for on-demand package distribution.

preferred distribution points in the list.

from the management point with the preferred distribution points and fallback The client fails with the distribution points that message Content is have the content. not available and There are no preferred goes into retry mode. distribution points that A new content request have the content, but is started every hour. at least one fallback distribution point has the content. The content is not downloaded because the deployment property for when the client is using a fallback distribution point is set to Do not download. The client fails with the message Content is not available and goes into retry mode. The client makes a new content request every hour.

from the management point with the preferred distribution points and fallback distribution points that have the content. There are no preferred distribution points that have the content, but at least one fallback distribution point that has the content. The content is downloaded from a fallback distribution point on the list because the deployment property for when the client is using a fallback distribution point is set to Download and install the content.

Distribution points are online and meet the following criteria: Content is not available on a preferred distribution point. Content is available on a fallback distribution point. The package is configured for on-

The client sends a content request to the management point.

The client sends a content request to the management point. The client includes a flag with the request A content location list that indicates fallback is returned to the client distribution points are from the management allowed. point with the preferred distribution points that have the A content location list content. There are no is returned to the client preferred distribution from the management

The client sends a content request to the management point. The client includes a flag with the request that indicates fallback distribution points are allowed. A content location list is returned to the client from the management
1395

Scenario:

Scenario 1

Scenario 2

Scenario 3

demand package distribution.

points that have the content.

point with the preferred distribution points and fallback distribution points that The client fails with the have the content. message Content is There are no preferred not available and distribution points that goes into retry mode. have the content, but A new content request at least one fallback is made every hour. distribution point that has the content. The management point creates a trigger The content is not for Distribution downloaded because Manager to distribute the deployment the content to all property for when the preferred distribution client is using a points for the client fallback distribution that made the content point is set to Do not request. download. The client fails with the message Distribution Manager Content is not distributes the content available and goes to all preferred into retry mode. The distribution points. client makes a new content request every hour. A content request is initiated by the client to the management point The management every hour. point creates a trigger for Distribution Manager to distribute A content location list is returned to the client the content to all from the management preferred distribution points for the client point with the that made the content preferred distribution request. points that have the content (in most cases the content is distributed to the Distribution Manager distributes the content

point with the preferred distribution points and fallback distribution points that have the content. There are no preferred distribution points that have the content, but at least one fallback distribution point that has the content. The content is downloaded from a fallback distribution point on the list because the deployment property for when the client is using a fallback distribution point is set to Download and install the content. The management point creates a trigger for Distribution Manager to distribute the content to all preferred distribution points for the client that made the content request. Distribution Manager distributes the content to all preferred distribution points.

1396

Scenario:

Scenario 1

Scenario 2

Scenario 3

preferred distribution to all preferred points within the hour). distribution points. The client downloads the content from a preferred distribution point on the list. A content request is initiated by the client to the management point. A content location list is returned to the client from the management point with the preferred distribution points that have the content (typically the content is distributed to the preferred distribution points within the hour). The client downloads the content from a preferred distribution point on the list.

Planning for BranchCache Support

Windows BranchCache has been integrated in Configuration Manager. You can configure the BranchCache settings on software deployments. When all the requirements for BranchCache are met, this feature enables clients at remote locations to obtain content from local clients that have a current cache of the content. For example, when the first BranchCache-enabled client computer requests content from a distribution point that is running Windows Server 2008 R2 and that has also been configured as a BranchCache server, the client computer downloads the content and caches it. This content is then made available for clients on the same subnet that request this same content, and these clients also cache the content. In this way, subsequent clients on the same subnet do not have to download content from the distribution point, and the content is distributed across multiple clients for future transfers. For more information about BranchCache support in Configuration Manager, see the BranchCache Feature Support section in the Supported Configurations for Configuration Manager topic.

1397

Network Bandwidth Considerations for Distribution Points

To help you plan for the distribution point infrastructure in your hierarchy, consider the network bandwidth used for the content management process and what you can do to reduce the network bandwidth that is used. When you create a package, change the source path for the content, or update content on the distribution point, the files are copied from the source path to the content library on the site server. Then, the content is copied from the content library on the site server to the content library on the distribution points. When content source files are updated, and the source files have already been distributed, Configuration Manager retrieves only the new or updated files, and then sends them to the distribution point. Scheduling and throttling controls can be configured for siteto-site communication and for communication between a site server and a remote distribution point. When network bandwidth between the site server and remote distribution point is limited even after you configure the schedule and throttling settings, you might consider prestaging the content on the distribution point.

Planning for Scheduling and Throttling

In Configuration Manager, you can configure a schedule and set specific throttling settings on remote distribution points that determine when and how content distribution is performed. Each remote distribution point can have different configurations that help address network bandwidth limitations from the site server to the remote distribution point. The controls used for scheduling and throttling to the remote distribution point are similar to the settings for a standard sender address, but in this case, the settings are used by a new component called Package Transfer Manager. Package Transfer Manager distributes content from a site server (primary site or secondary site) to a distribution point that is installed on a site system. The throttling settings are configured on the Rate Limits tab, and the scheduling settings are configured on the Schedule tab for a distribution point that is not on a site server. Warning The Rate Limits and Schedule tabs are displayed only in the properties for distribution points that are not installed on a site server. For more information about configuring scheduling and throttling settings for a remote distribution point, see the Modify the Distribution Point Configuration Settings section in the Configuring Content Management in Configuration Manager topic.

Determine Whether To Prestage Content

Consider prestaging content for applications and packages in the following scenarios: Limited network bandwidth from the site server to distribution point : When scheduling and throttling do not satisfy your concerns about distributing content over the network to a remote distribution point, consider prestaging the content on the distribution point. Each distribution point has the Enable this distribution point for prestaged content setting that you can configure in the distribution point properties. When you enable this option, the

1398

distribution point is identified as a prestaged distribution point, and you can choose how to manage the content on a per-package basis. The following settings are available in the properties for an application, package, driver package, boot image, operating system installer, and image, and let you configure how content distribution is managed on remote distribution points that are identified as prestaged: Automatically download content when packages are assigned to distribution points: Use this option when you have smaller packages where the scheduling and throttling settings provide enough control for content distribution. Download only content changes to the distribution point : Use this option when you have an initial package that is possibly large, but you expect future updates to the content in the package to be generally smaller. For example, you might prestage Microsoft Office 2010 because the initial package size is over 700 MB and too large to send over the network. However, content updates to this package might be less than 10 MB and acceptable to distribute over the network. Another example might be driver packages where the initial package size is large, but incremental driver additions to the package might be small. Manually copy the content in this package to the distribution point: Use this option for when you have large packages, with content such as an operating system, and never want to use the network to distribute the content to the distribution point. When you select this option, you must prestage the content on the distribution point. Warning The preceding options are applicable on a per-package basis and are only used when a distribution point is identified as prestaged. Distribution points that have not been identified as prestaged ignore these settings, and content always is distributed over the network from the site server to the distribution points. Restore the content library on a site server: When a site server fails, information about packages and applications contained in the content library is restored to the site database as part of the restore process, but the content library files are not restored as part of the process. If you do not have a file system backup to restore the content library, you can create a prestaged content file from another site that contains the packages and applications that you have to have, and then extract the prestaged content file on the recovered site server. For more information about site server backup and recovery, see the Planning for Backup and Recovery section in the Planning for Site Operations in Configuration Manager topic.

For more information about prestaging content files, see the Prestage Content section in the Operations and Maintenance for Content Management in Configuration Manager topic.

Planning for Pull-Distribution Points

With Configuration Manager SP1, you can configure a distribution point that is not on a site server to be a pull-distribution point. When you deploy content to a large number of distribution points at a site, pull-distribution points can help reduce the processing load on the site server and can help to speed the transfer of the content to each distribution point. This is accomplished by offloading the process of transferring the content to each distribution point from the distribution manager
1399

process on the site server. Instead, each pull-distribution point individually manages the transfer of content, downloading content from another distribution point that already has a copy of the content. A pull-distribution point can only obtain content from a distribution point that is specified as a source distribution point. Pull-distribution points support the same configurations and functionality as typical Configuration Manager distribution points. For example, a distribution point that is configured as a pulldistribution point supports using multi-cast and PXE configurations, content validation, transfer schedules, and on-demand content distribution. A pull-distribution point supports HTTP or HTTPS, supports the same certificates options as other distribution points, and can be managed individually or as a member of a distribution point group. However, the following configurations are exceptions to support for the pull-distribution point: A cloud-based distribution point cannot be configured as a pull-distribution point, and cannot be used as a source distribution point. A distribution point on a site server cannot be configured as a pull-distribution point. The prestage content configuration for a distribution point overrides the pull-distribution point configuration. A pull-distribution point that is configured for prestaged content does not pull content from source distribution point and does not receive content from the site server. A distribution point configured as a pull-distribution point does not use configurations for rate limits when transferring content. If you configure a previously installed distribution point to be a pull-distribution point, configurations for rate limits are saved, but not used. If at a later time you remove the pull-distribution point configuration, the rate limit configurations are implemented as previously configured. To transfer content from a source distribution point in a remote forest, the computer that hosts the pull-distribution point must have a Configuration Manager client installed, and a Network Access Account that can access the source distribution point must be configured for use.

You can configure a pull-distribution point when you install the distribution point or after it has installed by editing the properties of the distribution point site system role. A distribution point that you will configure as a pull-distribution point can support communication by HTTP or HTTPS. When you configure the pull-distribution point you must specify one or more source distribution points and only distribution points that qualify to be source distribution points are displayed. Only distribution points that support HTTP can be specified as a source distribution points. A pulldistribution point that supports HTTP can be specified as a source distribution point for another pull-distribution point. When you distribute content to the pull-distribution point, Configuration Manager notifies the distribution point about the content but does not transfer the content to the distribution point computer. Instead, after the pull-distribution point is notified, it attempts to download the content from the first source distribution point on its list of source distribution points. If the content is not available, the pull-distribution point attempts to download the content from the next distribution point on the list, continuing until either the content is successfully downloaded or the content is not accessed from any source distribution point. If the content cannot be downloaded from any source distribution point, the pull-distribution point sleeps for 30 minutes and then begins the process again.
1400

To manage the transfer of content, pull-distribution points use the CCMFramework component of the Configuration Manager client software. This framework is installed by the Pulldp.msi when you configure the distribution point to be a pull-distribution point and does not require that the Configuration Manager client be installed. After the pull-distribution point installs, the CCMExec service on the distribution point computer must be operational for the pull-distribution point to function. When the pull-distribution point transfers content, it logs its operation in the datatransferservice.log and the pulldp.log on the distribution point computer. By default, a pull-distribution point uses its computer account to transfer content from a source distribution point. However, when the pull-distribution point transfers content from a source distribution point that is in a remote forest, the pull-distribution point always uses the Network Access Account. This requires that the computer have the Configuration Manager client installed and that a Network Access Account is configured for use and has access to the source distribution point. For information about the Network Access Account, see the Network Access Account section in the Technical Reference for Accounts Used in Configuration Manager topic. For information about configuring the Network Access Account, see Configure the Network Access Account in the Configuring Content Management in Configuration Manager topic. Note Because the pull-distribution point requires the CCMFramework from Configuration Manager SP1, computers that run client software from Configuration Manager with no service pack cannot be configured as pull-distribution points. You can remove the configuration to be a pull-distribution point by editing the properties of the distribution point. When you remove the pull-distribution point configuration, the distribution point returns to normal operation and future content transfers to the distribution point are managed by the site server. In the Configuration Manager console, there is nothing that identified the distribution point as a pull-distribution point. You must review the properties of the distribution point to identify if it is configured as a pull-distribution point.

Planning for Cloud-Based Distribution Points

With Configuration Manager SP1, you can use a cloud service in Windows Azure to host a distribution point. When you use a cloud-based distribution, you configure client settings to enable users and devices to access the content, and specify a primary site to manage the transfer of content to the distribution point. Additionally, you specify thresholds for the amount of content you want to store on the distribution point and the amount of content you want to allow clients to transfer from the distribution point. Based on these thresholds, Configuration Manager can raise alerts that warn you when the combined amount of content you have stored on the distribution point is near the specified storage amount, or when transfers of data by clients are close to the thresholds that you defined. Cloud-based distribution points support the following features that are also supported with onpremises distribution points: You manage cloud-based distribution points individually, or as members of distribution point groups.
1401

You can use a cloud-based distribution point for fallback content location. Support for both intranet and Internet-based clients. Content that is sent to the cloud-based distribution point is encrypted by Configuration Manager before sending to Windows Azure. In Windows Azure, you can manually scale the cloud service to meet changing demands for content request by clients, without the requirement to install and provision additional distribution points. The cloud-based distribution point supports the download of content by clients that are configured for Windows BranchCache. You cannot use a cloud-based distribution point for PXE or multi-cast enabled deployments. Additionally, clients are not offered a cloud-based distribution point as a content location for a task sequence that is configured for download on demand. Cloud-based distribution points do not support packages that run from the distribution point. All content must be downloaded by the client, and then run locally. No support to stream applications by using Application Virtualization or similar programs. No support for prestaged content. The distribution manager of the primary site that manages the distribution point transfers all content to the distribution point. Cloud-based distribution points cannot be configured as pull-distribution points.

A cloud-based distribution point provides the following additional benefits:

The following are limitations of cloud-based distribution points:

Prerequisites for Cloud-Based Distribution Points

The following are prerequisites to use a cloud-based distribution point: A subscription to Windows Azure. A management certificate (self-signed or PKI) for communication from a Configuration Manager primary site server to the cloud service in Windows Azure. A service certificate (PKI) that Configuration Manager clients use to connect to cloud-based distribution points and download content from them by using HTTPS. Before a device or user can access content from a cloud-based distribution point, they must receive the client setting for Cloud Services of Allow access to cloud distribution points set to Yes. By default, this value is set to No. Clients must be able to resolve the name of the cloud service, which requires a DNS alias (CNAME record) in your DNS namespace. Clients must be able to access the Internet to use the cloud-based distribution point.

Plan for the Cost of using Cloud-Based Distribution

To help control costs associated with data transfers to and from a cloud-based distribution point, Configuration Manager includes options to control and monitor data access. You can control and monitor the amount of content you store in a cloud service, and you can configure Configuration Manager to alert you when thresholds for client downloads meet or exceed monthly limits. Use these alerts to proactively manage data charges when you use a cloud-based distribution point.
1402

For more information, see the section Controlling the Cost of Cloud-Based Distribution Points in the topic Manage Cloud Services for Configuration Manager.

About Subscriptions and Certificates for Cloud-Based Distribution Points

Cloud-based distribution points require certificates to enable Configuration Manager to manage the cloud service that hosts the distribution point, and for clients to access content from the distribution point. The following table provides overview information about these certificates. For more detailed information, see PKI Certificate Requirements for Configuration Manager.
Certificate Details

Management certificate for site server to distribution point communication

The management certificate establishes trust between the Windows Azure management API and Configuration Manager. This authentication allows Configuration Manager to call on the Windows Azure API when you perform tasks such as deploying content or starting and stopping the cloud service. Windows Azure allows customers to create their own management certificates, which can be either a self-signed certificate or a certificate issued by a certification authority (CA): Provide the .cer file of the management certificate to Windows Azure when you configure Windows Azure for Configuration Manager. The .cer file contains the public key for the management certificate and you must upload this certificate to Windows Azure before you install a cloud-based distribution point. This certificate enables Configuration Manager to access the Windows Azure API. Provide the .pfx file of the management certificate to Configuration Manager when you install the cloud-based distribution point. The .pfx file contains the private key for the management certificate. Configuration Manager stores this certificate in the site database. Because the .pfx file contains the private key, you must provide the password to import this certificate file into the Configuration Manager database.

If you create a self-signed certificate, you must

1403

Certificate

Details

first export the certificate as a .cer file, and then export it again as a .pfx file. For more information, see How to Create a Management Certificate and How to Add a Management Certificate to a Windows Azure Subscription in the Windows Azure Platform section of the MSDN Library. Service certificate for client communication to the distribution point The Configuration Manager cloud-based distribution point service certificate establishes trust between the Configuration Manager clients and the cloud-based distribution point and secures the data that clients download from it by using SSL over HTTPS. For an example deployment of this certificate, see the Deploying the Service Certificate for Cloud-Based Distribution Points section in the Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority topic.

Site Server to Cloud-Based Distribution Point Communication

When you install a cloud-based distribution point, you must assign one primary site to manage the transfer of content to the cloud service. This is equivalent to installing the distribution point site system role to a specific site.

Client to Cloud-Based Distribution Point Communication

When a device or user of a device is configured with the client setting that enables the use of a cloud distribution point, they can receive the cloud-based distribution point as a valid content location. A cloud-based distribution point is considered a remote distribution point when a client evaluates available content locations. Clients on the intranet only use cloud-based distribution points as a fallback option if on-premises distribution points are not available. Clients that can use cloud-based distribution points use the following sequence when they perform a content location request: 1. A client that is configured to use cloud distribution points always attempts to obtain content from a preferred distribution point first. For information about preferred distribution points, see the Preferred Distribution Points section in the Introduction to Content Management in Configuration Manager topic.
1404

2. When a preferred distribution point is not available, the client will use a remote distribution point, if the deployment supports this option and a remote distribution point is available. 3. When a preferred distribution point or remote distribution point is not available, the client can then fall back to obtain the content from a cloud-based distribution point. Note Clients on the Internet that receive both an Internet-based distribution point and a cloud-based distribution point as content locations for a deployment, only attempt to retrieve content from the Internet-based distribution point. If the client on the Internet fails to retrieve content from the Internet-based distribution point, the client does not then attempt to access the cloud-based distribution point. When a client uses a cloud-based distribution point as a content location, the client authenticates itself to the cloud-based distribution point by using a Configuration Manager access token. If the client trusts the Configuration Manager cloud-based distribution point certificate, the client can then download the requested content.

Determine the Distribution Point Infrastructure

At least one distribution point is required at each site in the Configuration Manager hierarchy. By default, a primary site server is configured as a distribution point. However, assign this role to a remote site system and remove it from the site server if possible. This role assignment reduces the resource requirements and improves performance on the site server, and also assists in load balancing. The distribution point site system role is automatically configured on the secondary site server when it is installed. However, the distribution point site system role is not required at secondary sites. Clients connect to distribution points at the parent primary site if one is not available at the secondary site. As you configure your distribution points with assigned boundary groups, consider the physical location and network connection speed between the distribution point and site server Consider the following to help you determine the appropriate number of distribution points to install at a site: The number of clients that might access the distribution point The configuration of the distribution point, such as PXE and multicast The network bandwidth that is available between clients and distribution points The size of the content that clients retrieve from the distribution point The setting for BranchCache, when enabled, lets clients at remote locations obtain content from local clients.

For more information about creating and configuring distribution points, see the Install and Configure the Distribution Point section in the Configuring Content Management in Configuration Manager topic.

1405

Plan for Distribution Point Groups

Distribution point groups provide a logical grouping of distribution points for content distribution. When you distribute content to a distribution point group, all distribution points that are members of the distribution point group receive the content. If you add a distribution point to the distribution point group after an initial content distribution, the content automatically distributes to the new distribution point member. You can add one or more distribution points from any site in the Configuration Manager hierarchy to the distribution point group. You can also add the distribution point to more than one distribution point group, to manage and monitor content from a central location for distribution points that span multiple sites. You can also add a collection to distribution point groups, which creates an association, and then distribute content to the collection. When you distribute content to a collection, the content is assigned to all distribution point groups that are associated with the collection. The content is then distributed to all distribution points that are members of those distribution point groups. There are no restrictions on the number of distribution point groups that can be associated with a collection or the number of collections that can be associated with a distribution point group. If you add a collection to a distribution point group, the distribution point group does not automatically receive content previously distributed to the associated collection. However, the distribution point group receives all new content that is distributed to the collection. Note After you distribute content to a collection, and then associate the collection to a new distribution point group, you must redistribute the content to the collection before the content is distributed to the new distribution point group. For more information about creating and configuring distribution point groups, see the Create and Configure Distribution Point Groups section in the Configuring Content Management in Configuration Manager topic.

Plan for Content Libraries

When you create or deploy content in System Center 2012 Configuration Manager, Configuration Manager creates a content library on the site server that manages the content (such as on the site server of the site where you create the content), and on each distribution point. The content library stores all content files for software updates, applications, operating system deployment, and so on. When planning for content management, ensure there is enough free disk space for use by the content library on each distribution point you deploy, and on each site server that will manage content that you create or that you migrate from another Configuration Manager site. For information about the content library, see the Content Library section in the Introduction to Content Management in Configuration Manager topic. Important For Configuration Manager SP1 only: To move the content library to a different location on a distribution point after the installation, use the Content Library Transfer Tool in the System
1406

Center 2012 Configuration Manager Service Pack 1 Toolkit. You can download the toolkit from the Microsoft Download Center.

Supplemental Planning Topics for Content Management

Use the following topics to help you plan for content management in Configuration Manager: Prerequisites for Content Management in Configuration Manager Best Practices for Content Management in Configuration Manager

See Also
Planning for Configuration Manager Sites and Hierarchy

Prerequisites for Content Management in Configuration Manager

Content management in System Center 2012 Configuration Manager has external dependencies and dependencies within the product. For more information about supported configurations for distribution points and other site systems roles that support content management, see the Prerequisites for Site System Roles section in the Supported Configurations for Configuration Manager topic.

Dependencies External to Content Management

The following table lists the external dependencies for content management.
Prerequisite More information

Internet Information Services (IIS) on the site system servers to run the distribution point

For more information about this requirement, see the Prerequisites for Site System Roles section in the Supported Configurations for Configuration Manager topic. When you install a distribution point, Configuration Manager can install and configure IIS if it is not installed. If IIS is already installed, Configuration Manager configures it to support required operations. Configuration Manager does not change settings that have been configured as part of an IIS template.
1407

Prerequisite

More information

Note You must manually install IIS on computers that run Windows Server 2003 with Service Pack 2. Certificate for client authentication When you add the distribution point site role to a server, you must specify a certificate that authenticates the distribution point to management points. Computers use the same certificate if they perform a PXE boot from the distribution point. Configuration Manager can create a self-signed certificate, or you can import a PKI certificate file that contains client authentication capability and the private key. For more information about the PKI certificate requirements for the distribution point, see the PKI Certificates for Servers section in the PKI Certificate Requirements for Configuration Manager topic. For an example deployment of this certificate, see the Deploying the Client Certificate for Distribution Points section in the Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority topic.

Dependencies Internal to Content Management

The following table lists the dependencies within Configuration Manager for content management.
Dependency More information

Distribution points

Before content files can be sent to devices, at least one distribution point must be configured for the Configuration Manager site. Although distribution point groups are not required, they let you manage content files on a logical grouping of distribution points. For example, you can distribute content to a distribution point group, and all distribution
1408

Distribution point groups

Dependency

More information

points that are members of the distribution point group receive the content. Package Access Accounts Package Access Accounts lets you set NTFS file system permissions to specify the users and user groups that can access a package folder on a distribution point to download content files. By default, Configuration Manager grants access only to the generic access accounts Users and Administrators. In most cases, the default settings are sufficient. For more information about configuring the Package Access Account, see the Manage Accounts to Access Package Content section in the Operations and Maintenance for Content Management in Configuration Manager topic.

See Also
Planning for Content Management in Configuration Manager

Best Practices for Content Management in Configuration Manager

Use the following best practices for content management in System Center 2012 Configuration Manager:

Use a source file location for packages that has a fast and reliable network connection to the site that owns the package content source
When you create a package that contains source files, such as an application deployment type or deployment package, the site in which the package is created becomes the site owner for the package content source. The source files are copied from the source file path that you specify for the package to the content library on the site that owns the package content source. When you start the Update Content or Update Distribution Point actions, the content files are re-copied from the source file path to the content library on the site that owns the package content source. For more information about updating content, see the Update Content on Distribution Points
1409

section in the Operations and Maintenance for Content Management in Configuration Manager topic. Before you create a package, consider the network connection between the source file location and the site that owns the package content source. As a best practice, use a source file location for packages that has a fast and reliable network connection to the site that owns the package content source. Note When you create an application, the site on which you created the application owns the package content source. The site also owns the content source for all deployment types for the application regardless of the site on which you create the deployment type. For example, when you create an application at Site X, Site X owns the package content source. When you create a deployment type for the application at Site Y, Site X continues to own the package content source. Therefore, the content for the deployment type is copied to Site X as the owner of the content.

See Also
Planning for Content Management in Configuration Manager

Configuring Content Management in Configuration Manager

Content management in Microsoft System Center 2012 Configuration Manager relies on the infrastructure of the distribution point site role. This section provides configuration information for creating the distribution point site role, configuring the distribution point properties, and creating distribution point groups. Use the following sections in this topic to help you install and configure distribution points and distribution point groups: Install and Configure the Distribution Point Modify the Distribution Point Configuration Settings Create and Configure Distribution Point Groups Configure the Network Access Account Important Planning the distribution point infrastructure is an important first step in your content management strategy. For more information about planning for content management in your hierarchy, see Planning for Content Management in Configuration Manager.

1410

Install and Configure the Distribution Point

You must designate a site system server as a distribution point before content can be made available to client computers. You can add the distribution point site role to a new site system server or add the site role to an existing site system server. Use the following procedure to add the distribution point site role to a new or existing site system server. Security You must have the following security permissions to create and configure a distribution point: Read for the Distribution Point object Copy to Distribution Point for the Distribution Point object Modify for the Site object Manage Certificates for Operating System Deployment for the Site object

To install and configure the distribution point site role on a site system server 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, and then click Servers and Site System Roles. 3. Add the distribution point site system role to a new or existing site system server by using the associated step: Note For more information about installing site system roles, see Install and Configure Site System Roles for Configuration Manager. New site system server: On the Home tab, in the Create group, click Create Site System Server. The Create Site System Server Wizard opens. Existing site system server: Click the server in which you want to install the distribution point site system role. When you click a server, a list of the site system roles that are already installed on the server are displayed in the results pane. On the Home tab, in the Server group, click Add Site System Role. The Add Site System Roles Wizard opens. 4. On the General page, specify the general settings for the site system server. When you add the distribution point to an existing site system server, verify the values that were previously configured. 5. On the System Role Selection page, select Distribution point from the list of available roles, and then click Next. 6. Configure the distribution point settings on the following pages of the wizard: Distribution Point page Configure the general distribution point settings. Install and configure IIS if required by Configuration Manager: Select this
1411

setting to let Configuration Manager install and configure Internet Information Services (IIS) on the server if it is not already installed. IIS must be installed on all distribution points. If IIS is not installed on the server and you do not select this setting, you must install IIS before the distribution point can be installed successfully. Configure how client devices communicate with the distribution point. There are advantages and disadvantages for using HTTP and HTTPS. For more information, see Security Best Practices for Content Management section in the Security and Privacy for Content Management in Configuration Manager topic.

For more information about client communication to the distribution point and other site systems, see the Planning for Client Communications in Configuration Manager section in the Planning for Communications in Configuration Manager topic.
Allow clients to connect anonymously: This setting specifies whether the distribution point will allow anonymous connections from Configuration Manager clients to the content library. Important When you deploy a Windows Installer application on a Configuration Manager client, Configuration Manager downloads the file to the local cache on the client and the files are eventually removed after the installation completes. The Configuration Manager client updates the Windows Installer source list for the installed Windows Installer applications with the content path for the content library on associated distribution points. Later, if you start the repair action from Add/Remove Programs on a Configuration Manager client, MSIExec attempts to access the content path by using an anonymous user. You must select the Allow clients to connect anonymously setting or the repair fails for clients. You must always select the Allow clients to connect anonymously setting for Windows XP clients. For all other operating systems, you can install the update and modify a registry key described in Microsoft Knowledge Base article 2619572. After the update is installed on the clients, MSIExec will access the content path by using the logged on user account when you do not select the Allow clients to connect anonymously setting. Create a self-signed certificate or import a public key infrastructure (PKI) client certificate for the distribution point. The certificate has the following purposes: It authenticates the distribution point to a management point before the distribution point sends status messages. When you select Enable PXE support for clients check box on the PXE Settings page, the certificate is sent to computers that perform a PXE boot so that they can connect to a management point during the deployment of
1412

the operating system.

When all your management points in the site are configured for HTTP, create a selfsigned certificate. When your management points are configured for HTTPS, import a PKI client certificate. To import the certificate, browse to a Public Key Cryptography Standard (PKCS #12) file that contains a PKI certificate with the following requirements for Configuration Manager:
Intended use must include client authentication. The private key must be enabled to be exported. Note There are no specific requirements for the certificate subject or subject alternative name (SAN), and you can use the same certificate for multiple distribution points.

For more information about the certificate requirements, see PKI Certificate Requirements for Configuration Manager. For an example deployment of this certificate, see the Deploying the Client Certificate for Distribution Points section in the Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority topic.
Enable this distribution point for prestaged content: Select this setting to enable the distribution point for prestaged content. When this setting is selected, you can configure distribution behavior when you distribute content. You can choose whether you always want to prestage the content on the distribution point, prestage the initial content for the package, but use the normal content distribution process when there are updates to the content, or always use the normal content distribution process for the content in the package.

Drive Settings page Specify the drive settings for the distribution point. You can configure up to two disk drives for the content library and two disk drives for the package share, although System Center 2012 Configuration Manager can use additional drives when the first two reach the configured drive space reserve. The Drive Settings page configures the priority for the disk drives and the amount of free disk space that remains on each disk drive. Drive space reserve (MB): The value that you configure for this setting determines the amount of free space on a drive before System Center 2012 Configuration Manager chooses a different drive and continues the copy process to that drive. Content files can span multiple drives. Content Locations: Specify the content locations for the content library and package share. System Center 2012 Configuration Manager copies content to
1413

the primary content location until the amount of free space reaches the value specified for Drive space reserve (MB). By default, the content locations are set to Automatic. The primary content location is set to the disk drive that has the most disk space at installation, and the secondary location is assigned to the disk drive that has the second most free disk space. When the primary and secondary drives reach the drive space reserve, Configuration Manager selects another available drive with the most free disk space and continues the copy process. Note To prevent Configuration Manager from installing on a specific drive, create an empty file named no_sms_on_drive.sms and copy it to the root folder of the drive before you install the distribution point. Pull Distribution Point page For System Center 2012 SP1 only: Configure the distribution point to be a pull-distribution point by selecting Enable pulling content from other distribution points. Click Add, and then select one or more of the available distribution points to be source distribution points.. Click Remove to remove the selected distribution point as a source distribution point. Use the arrow buttons to adjust the order in which the source distribution points are contacted by the pull-distribution point when the pull-distribution point attempts to transfer content.

PXE Settings page Specify whether to enable PXE on the distribution point. When you enable PXE, Configuration Manager installs Windows Deployment Services on the server, if required. Windows Deployment Service is the service that performs the PXE boot to install operating systems. After you complete the wizard to create the distribution point, Configuration Manager installs a provider in Windows Deployment Services that uses the PXE boot functions. When you select Enable PXE support for clients, configure the following settings: Allow this distribution point to respond to incoming PXE requests: Specifies whether to enable Windows Deployment Services so that it responds to PXE service requests. Use this check box to enable and disable the service without removing the PXE functionality from the distribution point. Enable unknown computer support: Specify whether to enable support for computers that are not managed by Configuration Manager. Require a password when computers use PXE: To provide additional security for your PXE deployments, specify a strong password. User device affinity: Specify how you want the distribution point to associate users with the destination computer for PXE deployments. Select one of the following options: Allow user device affinity with auto-approval: Select this setting to
1414

automatically associate users with the destination computer without waiting for approval. Allow user device affinity pending administrator approval: Select this setting to wait for approval from an administrative user before users are associated with the destination computer. Do not allow user device affinity: Select this setting to specify that users are not associated with the destination computer.

For more information about user device affinity, see How to Associate Users with a Destination Computer.
Network interfaces: Specify that the distribution point responds to PXE requests from all network interfaces or from specific network interfaces. If the distribution point responds to specific network interface, you must provide the MAC address for each network interface. Specify the PXE server response delay (seconds): Specifies, in seconds, how long the delay is for the distribution point before it responds to computer requests when multiple PXE-enabled distribution points are used. By default, the Configuration Manager PXE service point responds first to network PXE requests. Note You can use the PXE protocol to start operating system deployments to Configuration Manager client computers. Configuration Manager uses the PXE-enabled distribution point site role to initiate the operating system deployment process. The PXE-enabled distribution point must be configured to respond to PXE boot requests that Configuration Manager clients make on the network and then interact with Configuration Manager infrastructure to determine the appropriate deployment actions to take. For more information about using PXE to deploy operating systems in Configuration Manager, see Planning How to Deploy Operating Systems in Configuration Manager. Multicast page Specify whether to enable multicast on the distribution point. When you enable multicast, Configuration Manager installs Windows Deployment Services on the server, if required. When you select the Enable multicast to simultaneously send data to multiple clients check box, configure the following settings: Multicast Connection Account: Specify the account to use when you configure Configuration Manager database connections for multicast. Multicast address settings: Specify the IP addresses used to send data to the destination computers. By default, the IP address is obtained from a DHCP server that is enabled to distribute multicast addresses. Depending on the network environment, you can specify a range of IP addresses between 239.0.0.0 and 239.255.255.255.
1415

Important The IP addresses that you configure must be accessible by the destination computers that request the operating system image. Verify that routers and firewalls allow for multicast traffic between the destination computer and the site server. UDP port range for multicast: Specify the range of user datagram protocol (UDP) ports that are used to send data to the destination computers. Important The UDP ports must be accessible by the destination computers that request the operating system image. Verify that routers and firewalls allow for multicast traffic between the destination computer and the site server. Client transfer rate: Select the transfer rate that is used to download data to the destination computers. Maximum clients: Specify the maximum number of destination computers that can download the operating system from this distribution point. Enable scheduled multicast: Specify how Configuration Manager controls when to start deploying operating systems to destination computers. When selected, configure the following options: Session start delay (minutes): Specify the number of minutes that Configuration Manager waits before it responds to the first deployment request. Minimum session size (clients): Specify how many requests must be received before Configuration Manager starts to deploy the operating system.

Note Multicast deployments conserve network bandwidth by simultaneously sending data to multiple Configuration Manager clients instead of sending a copy of the data to each client over a separate connection. For more information about using multicast for operating system deployment, see Planning a Multicast Strategy in Configuration Manager. Content Validation page Specify whether to set a schedule to validate the integrity of content files on the distribution point. When you enable content validation on a schedule, Configuration Manager starts the process at the scheduled time, and all content on the distribution point is verified. You can also configure the content validation priority. By default, the priority is set to Lowest. To view the results of the content validation process, in the Monitoring workspace, expand Distribution Status, and then click the Content Status node. The content for each package type (for example, Application, Software Update Package, and
1416

Boot Image) is displayed. Warning You specify the content validation schedule by using the local time for the computer, the schedule displays in the Configuration Manager console by using UTC. Boundary Group page Manage the boundary groups for which this distribution point is assigned. You can associate boundary groups to a distribution point. During content deployment, clients must be in a boundary group associated with the distribution point to use it as a source location for content. You can select the Allow clients to use this site system as a fallback source location for content check box to let clients outside these boundary groups fall back and use the distribution point as a source location for content when no other distribution points are available. For more information about protected distribution points, see Planning for Preferred Distribution Points and Fallback. After you complete the wizard, the distribution point site role is added to the site system server.

Modify the Distribution Point Configuration Settings

After the distribution point is installed, you can modify the configuration settings in the distribution point properties. In the properties, you can configure the settings that were available during the initial installation. You can also manage the distribution point groups that the distribution point is associated with, review the packages that are associated with the distribution point, schedule when content can transfer to the distribution point, and configure the rate limits to control the network bandwidth that is in use when transferring content. To modify the distribution point properties 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, click Distribution Points, and then select the distribution point that you want to configure. 3. On the Home tab, in the Properties group, click Properties. 4. Configure the distribution point settings on the following tabs in the distribution point properties: General tab Specify the following settings: Configure how client devices communicate with the distribution point. There are advantages and disadvantages for using HTTP and HTTPS. For more information, see Security Best Practices for Content Management section in the
1417

Security and Privacy for Content Management in Configuration Manager topic.

For more information about client communication to the distribution point and other site systems, see the Planning for Client Communications in Configuration Manager section in the Planning for Communications in Configuration Manager topic.
Allow clients to connect anonymously: This setting specifies whether the distribution point allows anonymous connections from Configuration Manager clients to the content library. Important When you deploy a Windows Installer application on a Configuration Manager client, Configuration Manager downloads the file to the local cache on the client and the files are eventually removed after the installation completes. The Configuration Manager client updates the Windows Installer source list for the installed Windows Installer applications with the content path for the content library on associated distribution points. Later, if you start the repair action from Add/Remove Programs on a Configuration Manager client, MSIExec attempts to access the content path by using an anonymous user. You must select the Allow clients to connect anonymously setting or the repair fails for clients. You must always select the Allow clients to connect anonymously setting for Windows XP clients. For all other operating systems, you can install the update and modify a registry key described in Microsoft Knowledge Base article 2619572. After the update is installed on the clients, MSIExec will access the content path by using the logged on user account when you do not select the Allow clients to connect anonymously setting. Create a self-signed certificate or import a PKI client certificate for the distribution point. The certificate has the following purposes: It authenticates the distribution point to a management point before the distribution point sends status messages. When Enable PXE support for clients is selected on the PXE Settings page, the certificate is sent to computers that perform a PXE boot so that they can connect to a management point during the deployment of the operating system.

When all your management points in the site are configured for HTTP, create a selfsigned certificate. When your management points are configured for HTTPS, import a PKI client certificate. To import the certificate, browse to a Public Key Cryptography Standard (PKCS #12) file that contains a PKI certificate with the following requirements for Configuration
1418

Manager:
Intended use must include client authentication. The private key must be enabled to be exported. Note There are no specific requirements for the certificate subject or subject alternative name (SAN), and you can use the same certificate for multiple distribution points.

For more information about the certificate requirements, see PKI Certificate Requirements for Configuration Manager. For an example deployment of this certificate, see the Deploying the Client Certificate for Distribution Points section in the Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority topic.
Enable this distribution point for prestaged content: Select this setting to enable the distribution point for prestaged content. When this setting is selected, you can configure distribution behavior when you distribute content. You can choose whether you always want to prestage the content on the distribution point, prestage the initial content for the package, but use the normal content distribution process when there are updates to the content, or always use the normal content distribution process for the content in the package.

Pull Distribution Point tab For System Center 2012 SP1 only: Configure the distribution point to be a pull-distribution point by selecting Enable pulling content from other distribution points. Click Add, and then select one or more of the available distribution points to be source distribution points.. Click Remove to remove the selected distribution point as a source distribution point. Use the arrow buttons to adjust the order in which the source distribution points are contacted by the pull-distribution point when the pull-distribution point attempts to transfer content.

PXE tab Specify whether to enable PXE on the distribution point. When you enable PXE, Configuration Manager installs Windows Deployment Services on the server, if required. Windows Deployment Service is the service that performs the PXE boot to install operating systems. After you complete the wizard to create the distribution point, Configuration Manager installs a provider in Windows Deployment Services that uses the PXE boot functions. When you select Enable PXE support for clients, configure the following settings:
1419

Allow this distribution point to respond to incoming PXE requests: Specifies whether the PXE service point responds to computer requests. When you do not enable this setting, the PXE service point is installed but it is not activated. Enable unknown computer support: Specify whether to enable support for unknown computers. Unknown computers are computers that are not managed by Configuration Manager. Require a password when computers use PXE: Specify whether a password is required for clients to start the PXE boot. User device affinity: Specifies the user device affinity behavior. Select one of the following options: Allow user device affinity with auto-approval: Select this setting if you want to automatically associate users with the destination computer. Allow user device affinity pending administrator approval: Select this setting if you want to associate users with the destination computer only after approval is granted. Do not allow user device affinity: Select this setting if you do not want to associate users with the destination computer.

For more information about user device affinity, see How to Associate Users with a Destination Computer.
Network interfaces: Specify whether the distribution point responds to PXE requests on all network interfaces or whether it responds to PXE requests on only specific network interfaces. Specify the PXE server response delay (seconds): Specifies, in seconds, how long the delay is for the distribution point before it responds to computer requests when multiple PXE-enabled distribution points are used. By default, the Configuration Manager PXE service point responds first to network PXE requests. Note You can use the PXE protocol to initiate operating system deployments to Configuration Manager client computers. Configuration Manager uses the PXE-enabled distribution point site role to start the operating system deployment process. The PXE-enabled distribution point must be configured to respond to PXE boot requests made by Configuration Manager clients on the network and then interact with Configuration Manager infrastructure to determine the appropriate deployment actions to take. For more information about using PXE to deploy operating systems in Configuration Manager, see Planning How to Deploy Operating Systems in Configuration Manager. Multicast tab Specify whether to enable multicast on the distribution point. When you enable multicast, Configuration Manager installs Windows Deployment Services on the server, if required.
1420

When you select the Enable multicast to simultaneously send data to multiple clients check box, configure the following settings: Multicast Connection Account: Specify the account to use when you configure Configuration Manager database connections for multicast. Multicast address settings: Specify the IP addresses used to send data to the destination computers. By default, the IP address is obtained from a DHCP server that is enabled to distribute multicast addresses. Depending on the network environment, you can specify a range of IP addresses between 239.0.0.0 and 239.255.255.255. Important The IP addresses that you configure must be accessible by the destination computers that request the operating system image. Verify that routers and firewalls allow for multicast traffic between the destination computer and the site server. UDP port range for multicast: Specify the range of user datagram protocol (UDP) ports used to send data to the destination computers. Important The UDP ports must be accessible by the destination computers that request the operating system image. Verify that routers and firewalls allow for multicast traffic between the destination computer and the site server. Client transfer rate: Select the transfer rate used to download data to the destination computers. Maximum clients: Specify the maximum number of destination computers that can download the operating system from this distribution point. Enable scheduled multicast: Specify how Configuration Manager controls when to start deploying operating systems to destination computers. When selected, configure the following options: Session start delay (minutes): Specify the number of minutes that Configuration Manager waits before it responds to the first deployment request. Minimum session size (clients): Specify how many requests must be received before Configuration Manager starts to deploy the operating system. Note Multicast deployments conserve network bandwidth by simultaneously sending data to multiple Configuration Manager clients rather than sending a copy of the data to each client over a separate connection. For more information about using multicast for operating system deployment, see Planning a Multicast Strategy in Configuration Manager.
1421

Group Relationships tab Manage the distribution point groups in which this distribution point is a member. To add this distribution point as a member to an existing a distribution point group, click Add. Select an existing distribution point group in the list in the Add to Distribution Point Groups dialog box, and then click OK. To remove this distribution point from a distribution point group, select the distribution point group in the list, and then click Remove.

Content tab Manage the content that has been distributed to the distribution point. The Deployment packages section provides a list of the packages distributed to this distribution point. You can select a package from the list and perform the following actions: Validate: Starts the process to validate the integrity of the content files in the package. To view the results of the content validation process, in the Monitoring workspace, expand Distribution Status, and then click the Content Status node. Redistribute: Copies all of the content files in the package to the distribution point, and overwrites the existing files. You typically use this operation to repair content files in the package. Remove: Removes the content files from the distribution point for the package.

Content Validation tab Specify whether to set a schedule to validate the integrity of content files on the distribution point. When you enable content validation on a schedule, Configuration Manager starts the process at the scheduled time, and all content on the distribution point is verified. You can also configure the content validation priority. By default, the priority is set to Lowest. To view the results of the content validation process, in the Monitoring workspace, expand Distribution Status, and then click the Content Status node. The content for each package type (for example, Application, Software Update Package, and Boot Image) is displayed. Warning You specify the content validation schedule by using the local time for the computer, the schedule displays in the Configuration Manager console by using UTC.

Boundary Groups tab Manage the boundary groups for which this distribution point is assigned. The distribution point is considered protected for the clients that are within the boundaries associated with the boundary group. During a content deployment, only the clients that are in an assigned boundary group can use the distribution point as a content location source. You can select the Allow a client outside these boundary groups to fall back and use this site system as a source location for content check box
1422

to let clients not in the assigned boundary groups use the distribution point if a protected distribution point is not available to the client. For more information about protected distribution points, see Planning for Preferred Distribution Points and Fallback. Schedule tab Specify whether to configure a schedule that restricts when Configuration Manager can transfer data to the distribution point. To restrict data, select the time period and then select one of the following settings for Availability: Open for all priorities: Specifies that Configuration Manager sends data to the distribution point with no restrictions. Allow medium and high priority: Specifies that Configuration Manager sends only medium and high priority data to the distribution point. Allow high priority only: Specifies that Configuration Manager sends only high priority data to the distribution point. Closed: Specifies that Configuration Manager does not send any data to the distribution point.

You can restrict data by priority or close the connection for selected time periods. Rate Limits tab Specify whether to configure rate limits to control the network bandwidth that is in use when transferring content to the distribution point. You can choose from the following options: Unlimited when sending to this destination: Specifies that Configuration Manager sends content to the distribution point with no rate limit restrictions. Pulse mode: Specifies the size of the data blocks that are sent to the distribution point. You can also specify a time delay between sending each data block. Use this option when you must send data across a very low bandwidth network connection to the distribution point. For example, you might have constraints to send 1 KB of data every five seconds, regardless of the speed of the link or its usage at a given time. Limited to specified maximum transfer rates by hour: Specify this setting to have a site send data to a distribution point by using only the percentage of time that you configure. When you use this option, Configuration Manager does not identify the networks available bandwidth, but instead divides the time it can send data into slices of time. Then data is sent for a short block of time, which is followed by blocks of time when data is not sent. For example, if the maximum rate is set to 50%, Configuration Manager transmits data for a period of time followed by an equal period of time when no data is sent. The actual size amount of data, or size of the data block, is not managed. Instead, only the amount of time during which data is sent is managed.

1423

Create and Configure Distribution Point Groups

Distribution point groups provide a logical grouping of distribution points and collections for content distribution. You can add one or more distribution points from any site in the Configuration Manager hierarchy to the distribution point group. You can also add the distribution point to more than one distribution point group so that you can manage and monitor content from a central location for distribution points that span multiple sites. When you distribute content to a distribution point group, all distribution points that are members of the distribution point group receive the content. When a new distribution point is added to a distribution point group, it receives all content that has been previously distributed to it. You can also associate collections to the distribution point group. When you distribute content, you can target a collection and the distribution points that are members of all distribution point groups with an association to the collection to receive the content. Important After you distribute content to a collection, and then associate the collection to a new distribution point group, you must redistribute the content to the collection before the content is distributed to the new distribution point group. To create and configure a new distribution point group 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, click Distribution Point Groups. 3. On the Home tab, in the Create group, click Create Group. 4. Enter the name and description for the distribution point group. 5. On the Collections tab, click Add, select the collections that you want to associate with the distribution point group, and then click OK. 6. On the Members tab, click Add, select the distribution points that you want to add as members of the distribution point group, and then click OK. 7. Click OK to create the distribution point group. To add distribution points and associate collections to an existing distribution point group 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, click Distribution Point Groups, and then select the distribution point group in which you want to modify members. 3. On the Home tab, in the Properties group, click Properties. 4. On the Collections tab, click Add to select the collections that you want to associate with the distribution point group, and then click OK. 5. On the Members tab, click Add to select the distribution points that you want to add as members of the distribution point group, and then click OK. 6. Click OK to save changes to the distribution point group.

1424

To add selected distribution points to a new distribution point group 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, click Distribution Points, and then select the distribution points that you want to add to the new distribution point group. 3. On the Home tab, in the Distribution Point group, expand Add Selected Items, and then click Add Selected Items to New Distribution Point Group. 4. Enter the name and description for the distribution point group. 5. On the Collections tab, click Add to select the collections that you want to associate with the distribution point group, and then click OK. 6. On the Members tab, verify that you want Configuration Manager to add the listed distribution points as members of the distribution point group. Click Add to modify the distribution points that you want to add as members of the distribution point group, and then click OK. 7. Click OK to create the distribution point group. To add selected distribution points to existing distribution point groups 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, click Distribution Points, and then select the distribution points that you want to add to the new distribution point group. 3. On the Home tab, in the Distribution Point group, expand Add Selected Items, and then click Add Selected Items to Existing Distribution Point Groups. 4. In the Available distribution point groups, select the distribution point groups to which the selected distribution points are added as members, and then click OK.

Configure the Network Access Account

Client computers use the Network Access Account when they cannot use their local computer account to access content on distribution points; for example, this applies to workgroup clients and computers from untrusted domains. This account might also be used during operating system deployment when the computer installing the operating system does not yet have a computer account on the domain. Note Clients only use the Network Access Account for accessing resources on the network. Grant this account the minimum appropriate permissions to access the software for the content that the client requires. The account must have the Access this computer from the network right on the distribution point. Because you can create only one Network Access Account per site, this account must function for all packages and task sequences for which it is required. Warning

1425

When Configuration Manager tries to use the computername$ account to download the content and it fails, it automatically tries the Network Access Account again, even if it has previously tried and failed. Create the account in any domain that provides the necessary access to resources. The Network Access Account must always include a domain name. Pass-through security is not supported for this account. If you have distribution points in multiple domains, create the account in a trusted domain. Tip To avoid account lockouts, do not change the password on an existing Network Access Account. Instead, create a new account and configure the new account in Configuration Manager. When sufficient time has passed for all clients to have received the new account details, remove the old account from the network shared folders and delete the account. Security Do not grant this account interactive logon rights. Do not grant this account the right to join computers to the domain. If you must join computers to the domain during a task sequence, use the Task Sequence Editor Domain Joining Account. Use the following procedure to configure the Network Access Account. Note You cannot configure the Network Access Account on a central administration site. To configure the Network Access Account 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, click Sites, and then select the site. 3. On the Settings group, click Configure Site Components, and then click Software Distribution. 4. Click the Network Access Account tab, configure the account, and then click OK.

See Also
Content Management in Configuration Manager

1426

Operations and Maintenance for Content Management in Configuration Manager

After the infrastructure is in place for content management in System Center 2012 Configuration Manager, there are operations that you typically perform to ensure the most recent content files are on distribution points and available to client computers. This section provides information about managing content files on distribution points, initiating content validation, and monitoring content. Use the following sections in this topic to help you manage typical content operations in your Configuration Manager hierarchy: Distribute Content on Distribution Points Manage Accounts to Access Package Content Update Content on Distribution Points Redistribute Content on Distribution Points Remove Content on Distribution Points Prestage Content Initiate Content Validation Monitor Content

Distribute Content on Distribution Points

You must distribute content to distribution points, before it is available to client computers. Configuration Manager stores content files in a package, and then distributes the package to the distribution point. There are several types of content that you can distribute, including application deployment types, packages, deployment packages, driver packages, operating system images, operating system installers, boot images, and task sequences. When you create a package that contains source files, such as an application deployment type or deployment package, the site on which the package is created becomes the site owner for the package content source. Configuration Manager copies the source files from the source file path that you specify for the object to the content library on the site that owns the package content source. Use the following procedure to distribute content to distribution points. To distribute content on distribution points 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, select one of the following steps for the type of content that you want to distribute: Applications: Expand Application Management, click Applications, and then select the applications that you want to distribute. Packages: Expand Application Management, click Packages, and then select the packages that you want to distribute.
1427

Deployment Packages: Expand Software Updates, click Deployment Packages, and then select the deployment packages that you want to distribute. Driver Packages: Expand Operating Systems, click Driver Packages, and then select the driver packages that you want to distribute. Operating System Images: Expand Operating Systems, click Operating System Images, and then select the operating system images that you want to distribute. Operating System Installers: Expand Operating Systems, click Operating System Installers, and then select the operating system installers that you want to distribute. Boot Images: Expand Operating Systems, click Boot Images, and then select the boot images that you want to distribute. Task Sequences: Expand Operating Systems, click Task Sequences, and then select the task sequence that you want to distribute. Although task sequences do not contain content, they have associated content dependencies that are distributed. Note If you modify the task sequence, you must redistribute the content.

3. On the Home tab, in the Deployment group, click Distribute Content. The Distribute Content Wizard opens. 4. On the General page, verify that the content listed is the content that you want to distribute, choose whether you want Configuration Manager to detect content dependencies that are associated with the selected content and add the dependencies to the distribution, and then click Next. Note You have the option to configure the Detect associated content dependencies and add them to this distribution setting only for the application content type. Configuration Manager automatically configures this setting for task sequences, and it cannot be modified. 5. On the Content tab, if displayed, verify that the content listed is the content that you want to distribute, and then click Next. Note The Content page displays only when the Detect associated content dependencies and add them to this distribution setting is selected on the General page of the wizard. 6. On the Content Destination page, click Add, choose one of the following, and then follow the associated step: Collections: Select User Collections or Device Collections, click the collection associated with one or more distribution point groups, and then click OK. Note Only the collections that are associated with a distribution point group are displayed. For more information about associating collections with
1428

distribution point groups, see the Configure Distribution Point Groups section in the Configuring Content Management in Configuration Manager topic. Distribution Point: Select an existing distribution point, and then click OK. Distribution points that have previously received the content are not displayed. Distribution Point Group: Select an existing distribution point group, and then click OK. Distribution point groups that have previously received the content are not displayed.

When you finish adding content destinations, click Next. 7. On the Summary page, review the settings for the distribution before you continue. To distribute the content to the selected destinations, click Next. 8. The Progress page displays the progress of the distribution. 9. The Confirmation page displays whether the content was successfully assigned to the points. To monitor the content distribution, see the Monitoring in Content Management section in this topic.

Manage Accounts to Access Package Content

Package Access Accounts enable you to set NTFS file system permissions to specify the users and user groups that can access package content on distribution points. By default, Configuration Manager grants access only to the generic access accounts Users and Administrators, but you can control access for client computers by using additional Windows accounts or groups. Mobile devices always retrieve package content anonymously; therefore, mobile devices do not use the Package Access Accounts. By default, when Configuration Manager copies the content files in a package to a distribution point, it grants Read access to the local Users group and Full Control to the local Administrators group. The actual permissions that are required depend on the package. If you have clients in workgroups or in untrusted forests, those clients use the Network Access Account to access the package content. Ensure that the Network Access Account has permissions to the package by using the defined Package Access Accounts. Use accounts in a domain that can access the distribution points. If you create or modify the account after the package is created, you must redistribute the package. Updating the package does not change the NTFS file system permissions on the package. You do not have to add the Network Access Account as a Package Access Account, because membership of the Users group adds it automatically. Restricting the Package Access Account to only the Network Access Account does not prevent clients from accessing the package. To manage access accounts 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, select one of the following steps for the type of content for which you want to manage access accounts: Applications: Expand Application Management, click Applications, and then
1429

select the applications for which to manage access accounts. Packages: Expand Application Management, click Packages, and then select the packages for which to manage access accounts. Deployment Packages: Expand Software Updates, click Deployment Packages, and then select the deployment packages for which to manage access accounts. Driver Packages: Expand Operating Systems, click Driver Packages, and then select the driver packages for which to manage access accounts. Operating System Images: Expand Operating Systems, click Operating System Images, and then select the operating system images for which to manage access accounts. Operating System Installers: Expand Operating Systems, click Operating System Installers, and then select the operating system installers for which to manage access accounts. Boot Images: Expand Operating Systems, click Boot Images, and then select the boot images for which to manage access accounts.

3. Right-click the selected object, and then click Manage Access Accounts. 4. In the Add Account dialog box, specify the account type that will be granted access to the content, and then specify the access rights associated with the account. Note When you add a user name for the account and Configuration Manager finds a local user account and a domain user account with that name, Configuration Manager with no service pack sets access rights for the local user account. Starting in Configuration Manager SP1, Configuration Manager sets access rights for the domain user account.

Update Content on Distribution Points

When you add new files or replace existing files with a newer version, to the source file location for the package, you can update the content files on distribution points by using the Update Distribution Points or Update Content action. The content files are copied from the source file path to the content library on the site that owns the package content source, the package version is incremented, and the distribution points are updated with only the files that have changed in the package. Warning The package version for applications is always 1. When you update the content for an application deployment type, Configuration Manager creates a new content ID for the deployment type, and the package references the new content ID. Use the following procedure to update content on distribution points. To update content on distribution points

1430

1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, select one of the following steps for the type of content that you want to distribute: Applications: Expand Application Management, click Applications, and then select the applications that you want to distribute. Click the Deployment Types tab, and then select the deployment type that you want to update. Packages: Expand Application Management, click Packages, and then select the packages that you want to update. Deployment Packages: Expand Software Updates, click Deployment Packages, and then select the deployment packages that you want to update. Driver Packages: Expand Operating Systems, click Driver Packages, and then select the driver packages that you want to update. Operating System Images: Expand Operating Systems, click Operating System Images, and then select the operating system images that you want to update. Operating System Installers: Expand Operating Systems, click Operating System Installers, and then select the operating system installers that you want to update. Boot Images: Expand Operating Systems, click Boot Images, and then select the boot images that you want to update.

3. On the Home tab, in the Deployment group, click Update Distribution Points, and then click OK to confirm that you want to update the content. Note To update content for applications, click the Deployment Types tab, right-click the deployment type, click Update Content, and then click OK to confirm that you want to refresh the content. Note When you update content for boot images, the Manage Distribution Point Wizard opens. Review the information on the Summary page, and then complete the wizard to update the content.

Redistribute Content on Distribution Points

You can redistribute a package to copy all of the content files in the package to distribution points or distribution point groups and thereby overwrite the existing files. You typically use this operation to repair content files in the package or resend the content when the initial distribution fails. You can redistribute a package in package properties, distribution point properties, or distribution point group properties. Use one of the following procedures to redistribute the content files in a package to distribution points. To redistribute content from package properties
1431

1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, select one of the following steps for the type of content that you want to distribute: Applications: Expand Application Management, click Applications, and then select the application that you want to redistribute. Packages: Expand Application Management, click Packages, and then select the package that you want to redistribute. Deployment Packages: Expand Software Updates, click Deployment Packages, and then select the deployment package that you want to redistribute. Driver Packages: Expand Operating Systems, click Driver Packages, and then select the driver package that you want to redistribute. Operating System Images: Expand Operating Systems, click Operating System Images, and then select the operating system image that you want to redistribute. Operating System Installers: Expand Operating Systems, click Operating System Installers, and then select the operating system installer that you want to redistribute. Boot Images: Expand Operating Systems, click Boot Images, and then select the boot image that you want to redistribute.

3. On the Home tab, in the Properties group, click Properties. 4. Click the Content Locations tab, select the distribution point or distribution point group in which you want to redistribute the content, click Redistribute, and then click OK. To redistribute content from distribution point properties 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, click Distribution Points, and then select the distribution point in which you want to redistribute content. 3. On the Home tab, in the Properties group, click Properties. 4. Click the Content tab, select the content to redistribute, click Redistribute, and then click OK. To redistribute content from distribution point group properties 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, click Distribution Point Groups, and then select the distribution point group in which you want to redistribute content. 3. On the Home tab, in the Properties group, click Properties. 4. Click the Content tab, select the content to redistribute, click Redistribute, and then click OK. Important The content in the package is redistributed to all of the distribution points in the distribution point group.
1432

Remove Content on Distribution Points

When you no longer require content on your distribution points, you can remove the content files on the distribution point. When the content is associated with another package that was distributed to the same distribution point, you cannot remove the content. You can remove the content in package properties, distribution point properties, or distribution point group properties. Use one of the following procedures to remove the content files from distribution points. To remove package content files from distribution points 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, select one of the following steps for the type of content that you want to delete: Applications: Expand Application Management, click Applications, and then select the application that you want to remove. Packages: Expand Application Management, click Packages, and then select the package that you want to remove. Deployment Packages: Expand Software Updates, click Deployment Packages, and then select the deployment package that you want to remove. Driver Packages: Expand Operating Systems, click Driver Packages, and then select the driver package that you want to remove. Operating System Images: Expand Operating Systems, click Operating System Images, and then select the operating system image that you want to remove. Operating System Installers: Expand Operating Systems, click Operating System Installers, and then select the operating system installer that you want to remove. Boot Images: Expand Operating Systems, click Boot Images, and then select the boot image that you want to remove.

3. On the Home tab, in the Properties group, click Properties. 4. Click the Content Locations tab, select the distribution point or distribution point group from which you want to remove the content, click Remove, and then click OK. To remove package content from distribution point properties 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, click Distribution Points, and then select the distribution point in which you want to delete the content. 3. On the Home tab, in the Properties group, click Properties. 4. Click the Content tab, select the content to remove, click Remove, and then click OK. To remove content from distribution point group properties 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, click Distribution Point Groups, and then select the
1433

distribution point group in which you want to remove content. 3. On the Home tab, in the Properties group, click Properties. 4. Click the Content tab, select the content to remove, click Remove, and then click OK.

Prestage Content
You can prestage content files for applications and package types in Configuration Manager. In the Configuration Manager console, you select the content that you have to have and then use the Create Prestaged Content File Wizard to create a compressed, prestaged content file that contains the files and associated metadata for the content that you selected. You can then manually import the content at a site server, secondary site, or distribution point. When you import the prestaged content file on a site server, the content files are added to the content library on the site server, and then registered in the site server database. When you import the prestaged content file on a distribution point, the content files are added to the content library on the distribution point, and a status message is sent to the site server that informs the site that the content is available on the distribution point. Important When the distribution point is located on the site server, do not enable the distribution point for prestaged content. Instead, use the procedure in How to Prestage Content to Distribution Points Located on a Site Server. Important When the distribution point is configured as a pull-distribution point, do not enable the distribution point for prestaged content. The prestage content configuration for a distribution point overrides the pull-distribution point configuration. A pull-distribution point that is configured for prestaged content does not pull content from source distribution point and does not receive content from the site server. Important The content library must be created on the distribution point before you can prestage content to the distribution point. Distribute content over the network at least one time before you prestage content to the distribution point. Important When you prestage content for a package with a long package source path (for example, more than 140 characters), the Extract Content command-line tool might fail to successfully extract the content for that package to the content library. Note For information about when to prestage content files, see the Determine Whether To Prestage Content section in the Planning for Content Management in Configuration Manager topic. Use the following sections to prestage content.
1434

Step 1: Create a Prestaged Content File

You can create a compressed, prestaged content file that contains the files and associated metadata for the content that you select in the Configuration Manager console. Use the following procedure to create a prestaged content file. To create a prestaged content file 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, select one of the following steps for the type of content that you want to prestage: Applications: Expand Application Management, click Applications, and then select the applications that you want to prestage. Packages: Expand Application Management, click Packages, and then select the packages that you want to prestage. Driver Packages: Expand Operating Systems, click Driver Packages, and then select the driver packages that you want to prestage. Operating System Images: Expand Operating Systems, click Operating System Images, and then select the operating system images that you want to prestage. Operating System Installers: Expand Operating Systems, click Operating System Installers, and then select the operating system installers that you want to prestage. Boot Images: Expand Operating Systems, click Boot Images, and then select the boot images that you want to prestage.

3. On the Home tab, in the Deployment group, click Create Prestage Content File. The Create Prestaged Content File Wizard opens. Note For Applications: On the Home tab, in the Application group, click Create Prestaged Content File. For Packages: On the Home tab, in the <PackageName> group, click Create Prestaged Content File. 4. On the General page, click Browse, choose the location for the prestaged content file, specify a name for the file, and then click Save. You use this prestaged content file on primary site servers, secondary site servers, or distribution points to import the content and metadata. 5. For applications, select Export all dependencies to have Configuration Manager detect and add the dependencies associated with the application to the prestaged content file. By default, this setting is selected. 6. In Administrator comments, enter optional comments about the prestaged content file, and then click Next. 7. On the Content page, verify that the content listed is the content that you want to add to the prestaged content file, and then click Next. 8. On the Content Locations page, specify the distribution points from which to retrieve the
1435

content files for the prestaged content file. You can select more than one distribution point to retrieve the content. The distribution points are listed in the Content locations section. The Content column displays how many of the selected packages or applications are available on each distribution point. Configuration Manager starts with the first distribution point in the list to retrieve the selected content, and then moves down the list in order to retrieve the remaining content required for the prestaged content file. Click Move Up or Move Down to change the priority order of the distribution points. When the distribution points in the list do not contain all of the selected content, you must add distribution points to the list that contain the content or exit the wizard, distribute the content to at least one distribution point, and then restart the wizard. 9. On the Summary page, confirm the details. You can go back to previous pages and make changes. Click Next to create the prestaged content file. 10. The Progress page displays the content that is being added to the prestaged content file. 11. On the Completion page, verify that the prestaged content file was created successfully, and then click Close.

Step 2: Assign the Content to Distribution Points

After you prestage the content file, assign the content to distribution points. Note When you use a prestaged content file to recover the content library on a site server, and do not have to prestage the content files on a distribution point, you can skip this procedure. Use the following procedure to assign the content in the prestaged content file to distribution points. Important Verify that the distribution points that you want to prestage are identified as prestaged distribution points or the content is distributed to the distribution points by using the network. For more information about configuring the distribution point as prestaged, see the To configure the distribution point properties procedure in the Configuring Content Management in Configuration Manager topic. To assign the content to distribution points 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, select one of the following steps for the type of content that you selected when you created the prestaged content file: Applications: Expand Application Management, click Applications, and then select the applications that you prestaged. Packages: Expand Application Management, click Packages, and then select the packages that you prestaged. Deployment Packages: Expand Software Updates, click Deployment Packages,
1436

and then select the deployment packages that you prestaged. Driver Packages: Expand Operating Systems, click Driver Packages, and then select the driver packages that you prestaged. Operating System Images: Expand Operating Systems, click Operating System Images, and then select the operating system images that you prestaged. Operating System Installers: Expand Operating Systems, click Operating System Installers, and then select the operating system installers that you prestaged. Boot Images: Expand Operating Systems, click Boot Images, and then select the boot images that you prestaged.

3. On the Home tab, in the Deployment group, click Distribute Content. The Distribute Content Wizard opens. 4. On the General page, verify that the content listed is the content that you prestaged, choose whether you want Configuration Manager to detect content dependencies that are associated with the selected content and add the dependencies to the distribution, and then click Next. Note You have the option to configure the Detect associated content dependencies and add them to this distribution setting only for the application content type. Configuration Manager automatically configures this setting for task sequences, and it cannot be modified. 5. On the Content page, if displayed, verify that the content listed is the content that you want to distribute, and then click Next. Note The Content page displays only when the Detect associated content dependencies and add them to this distribution setting is selected on the General page of the wizard. 6. On the Content Destination page, click Add, choose one of the following that includes the distribution points to be prestaged, and then follow the associated step: Collections: Select User Collections or Device Collections, click the collection associated with one or more distribution point groups, and then click OK. Note Only the collections that are associated with a distribution point group are displayed. For more information about associating collections with distribution point groups, see the Configure Distribution Point Groups section in the Configuring Content Management in Configuration Manager topic. Distribution Point: Select an existing distribution point, and then click OK. Distribution points that have previously received the content are not displayed. Distribution Point Group: Select an existing distribution point group, and then click OK. Distribution point groups that have previously received the content are not displayed.
1437

When you finish adding content destinations, click Next. 7. On the Summary page, review the settings for the distribution before you continue. To distribute the content to the selected destinations, click Next. 8. The Progress page displays the progress of the distribution. 9. The Confirmation page displays whether or not the content was successfully assigned to the distribution points. To monitor the content distribution, see the Content Status Monitoring section in this topic. Tip The Windows PowerShell cmdlet, Publish-CMPrestageContent, performs the same function as this procedure. For more information, see Publish-CMPrestageContent in the System Center 2012 Configuration Manager SP1 Cmdlet Reference documentation.

Step 3: Extract the Content from the Prestaged Content File

After you create the prestaged content file and assign the content to distribution points, you can extract the content files to the content library on a site server or distribution point. Typically, you have copied the prestaged content file to a portable drive, such as a USB drive, or burn the content to media, such as a DVD, and have it available at the location of the site server or distribution point that requires the content. Use the following procedure to manually export the content files from the prestaged content file by using the Extract Content command-line tool. Important When you run the Extract Content command-line tool, the tool creates a temporary file as it creates the prestaged content file. Then, the file is copied to the destination folder and the temporary file is deleted. You must have sufficient disk space for this temporary file or the process fails. The temporary file is created in the following location: 1. In Configuration Manager SP1, the temporary file is created in same folder that you specify as the destination folder for the prestaged content file. 2. In Configuration Manager with no service pack, the temporary file is created in the system drive of the computer that hosts the destination folder that you specify for the prestaged content file. Security The user that runs the Extract Content command-line tool must have administrator rights on the computer from which you are extracting the prestaged content. To extract the content files from the prestaged content file 1. Copy the prestaged content file to the computer from which you want to extract the content. 2. Copy the Extract Content command-line tool from <ConfigMgrInstallationPath>\bin\<platform> to the computer from which you want to
1438

extract the prestaged content file. 3. Open the command prompt and navigate to the folder location of the prestaged content file and Extract Content tool. Note You can extract one or more prestaged content files on a site server, secondary site server, or distribution point. 4. Type extractcontent /P:<PrestagedFileLocation>\<PrestagedFileName> /S to import a single file. Type extractcontent /P:<PrestagedFileLocation> /S to import all prestaged files in the specified folder. For example, type extractcontent /P:D:\PrestagedFiles\MyPrestagedFile.pkgx /S where D:\PrestagedFiles\ is the PrestagedFileLocation, MyPrestagedFile.pkgx is the prestaged file name, and /S informs Configuration Manager to extract only content files that are newer than what is currently on the distribution point. When you extract the prestaged content file on a site server, the content files are added to the content library on the site server, and then the content availability is registered in the site server database. When you export the prestaged content file on a distribution point, the content files are added to the content library on the distribution point, the distribution point sends a status message to the parent primary site server, and then the content availability is registered in the site database. Important In the following scenario, you must update content that you extracted from a prestaged content file when the content is updated to a new version: a. You create a prestaged content file for version 1 of a package. b. You update the source files for the package with version 2. c. You extract the prestaged content file (version 1 of the package) on a distribution point. Configuration Manager does not automatically distribute package version 2 to the distribution point. You must create a new prestaged content file that contains the new file version and then extract the content, update the distribution point to distribute the files that have changed, or redistribute all files in the package.

Initiate Content Validation

The content validation process verifies the integrity of content files on distribution points. You enable content validation on a schedule, or you can manually initiate content validation from the properties of distribution points and packages. When the content validation process starts, Configuration Manager verifies the content files on distribution points, and if the file hash is unexpected for the files on the distribution point, Configuration Manager creates a status message that you can review in the Monitoring workspace. For more information about
1439

configuring the content validation schedule, see the To configure the distribution point properties procedure in the Configuring Content Management in Configuration Manager topic. Use one of the following procedures to manually initiate content validation. To initiate content validation for all content on a distribution point 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, click Distribution Points, and then select the distribution point in which you want to validate content. 3. On the Home tab, in the Properties group, click Properties. 4. On the Content tab, select the package in which you want to validate the content, click Validate, click OK, and then click OK. The content validation process initiates for the package on the distribution point. 5. To view the results of the content validation process, in the Monitoring workspace, expand Distribution Status, and click the Content Status node. The content for each package type (for example, Application, Software Update Package, and Boot Image) is displayed. For more information about monitoring content status, see Content Status Monitoring in this topic. To initiate content validation for a package 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, select one of the following steps for the type of content that you want to validate: Applications: Expand Application Management, click Applications, and then select the application that you want to validate. Packages: Expand Application Management, click Packages, and then select the package that you want to validate. Deployment Packages: Expand Software Updates, click Deployment Packages, and then select the deployment package that you want to validate. Driver Packages: Expand Operating Systems, click Driver Packages, and then select the driver package that you want to validate. Operating System Images: Expand Operating Systems, click Operating System Images, and then select the operating system image that you want to validate. Operating System Installers: Expand Operating Systems, click Operating System Installers, and then select the operating system installer that you want to validate. Boot Images: Expand Operating Systems, click Boot Images, and then select the boot image that you want to prestage.

3. On the Home tab, in the Properties group, click Properties. 4. On the Content Locations tab, select the distribution point or distribution point group in which to validate the content, click Validate, click OK, and then click OK. The content validation process starts for the content on the selected distribution point or distribution
1440

point group. 5. To view the results of the content validation process, in the Monitoring workspace, expand Distribution Status, and click the Content Status node. The content for each package type (for example, Application, Software Update Package, and Boot Image) is displayed. For more information about monitoring the content status, see Content Status Monitoring in this topic.

Monitor Content
The Configuration Manager console provides improved content monitoring, including the status for all package types in relation to the associated distribution points, including the content validation status for the content in the package, the status of content assigned to a specific distribution point group, the state of content assigned to a distribution point, and the status of optional features for each distribution point (Content validation, PXE, and multicast). Note Configuration Manager only monitors the content on a distribution point that is in the content library. Content stored on the distribution point in package or custom shares is not monitored.

Content Status Monitoring

The Content Status node in the Monitoring workspace provides information about content packages. In the Configuration Manager console, you can review information such as the package name, type, how many distribution points have been targeted, the compliance rate, when the package was created, package ID, and source version. You also find information about distribution status for the package, such as the number of failures, pending distributions, installations, and so on. You can also view detailed status information for any package. Use the following procedure to view content status. To monitor content status 1. In the Configuration Manager console, click Monitoring. 2. In the Monitoring workspace, expand Distribution Status, and then click Content Status. The packages are displayed. 3. Select the package in which you want detailed status information. 4. On the Home tab, click View Status. Detailed status information for the package is displayed.

Distribution Point Group Status

The Distribution Point Group Status node in the Monitoring workspace provides information about distribution point groups. You can review information such as the distribution point group name, description, how many distribution points are members of the distribution point group, how
1441

many packages have been assigned to the group, distribution point group status, and compliance rate. You also find information about errors for the distribution point group, how many distributions are in progress, how many have been successfully distributed, and so on. You can also view detailed status information for the distribution point group. Use the following procedure to view distribution point group status. To monitor distribution point group status 1. In the Configuration Manager console, click Monitoring. 2. In the Monitoring workspace, expand Distribution Status, and then click Distribution Point Group Status. The distribution point groups are displayed. 3. Select the distribution point group in which you want detailed status information. 4. On the Home tab, click View Status. Detailed status information for the distribution point group is displayed.

Distribution Point Configuration Status

The Distribution Point Configuration Status node in the Monitoring workspace provides information about the distribution point. You can review what attributes are enabled for the distribution point, such as the PXE, multicast, and content validation, and the distribution status for the distribution point. You can also view detailed status information for the distribution point. Warning Distribution point configuration status is relative to the last 24 hours. If the distribution point has an error and recovers, the error status might be displayed for up to 24 hours after the distribution point recovers. Use the following procedure to view distribution point configuration status. To monitor distribution point configuration status 1. In the Configuration Manager console, click Monitoring. 2. In the Monitoring workspace, expand Distribution Status, and then click Distribution Point Configuration Status. The distribution points are displayed. 3. Select the distribution point in which you want distribution point status information. 4. In the results pane, click the Details tab. Status information for the distribution point is displayed.

See Also
Content Management in Configuration Manager

1442

How to Prestage Content to Distribution Points Located on a Site Server

You can prestage content to add content files to the content library on a site server or distribution point before you distribute the content. Because the content files are already in the content library, they are not transferred over the network when you distribute the content. When a distribution point is installed on a site server, you must use the following procedure to successfully prestage content. When the distribution point is not enabled for prestage content or when the distribution point is not located on a site server, see the Prestage Content section in the Operations and Maintenance for Content Management in Configuration Manager topic. To prestage content on distribution points located on a site server 1. Use the following steps to verify that the distribution point is not enabled for prestaged content. a. In the Configuration Manager console, click Administration. b. In the Administration workspace, click Distribution Points, and then select the distribution point that is located on the site server. c. On the Home tab, in the Properties group, click Properties. d. On the General tab, verify that the Enable this distribution point for prestaged content check box is not selected. 2. Create the prestaged content file by using the Step 1: Create a Prestaged Content File section in the Operations and Maintenance for Content Management in Configuration Manager topic. 3. On the site server, export the content from the prestaged content file by using the Step 2: Export the Content from the Prestaged Content File section in the Operations and Maintenance for Content Management in Configuration Manager topic. 4. Assign the content to the distribution point by using the Step 3: Assign the Content to Distribution Points section in the Operations and Maintenance for Content Management in Configuration Manager topic. Note When the distribution point is on a secondary site, wait for at least 10 minutes, and then by using a Configuration Manager console that is connected to the parent primary site, assign the content to the distribution point on the secondary site.

See Also
Operations and Maintenance for Content Management in Configuration Manager

1443

Security and Privacy for Content Management in Configuration Manager

Note This topic appears in the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide and in the Security and Privacy for System Center 2012 Configuration Manager guide. This topic contains security and privacy information for content management in System Center 2012 Configuration Manager. Read it in conjunction with the following topics: Security and Privacy for Application Management in Configuration Manager Security and Privacy for Software Updates in Configuration Manager Security and Privacy for Deploying Operating Systems in Configuration Manager

Security Best Practices for Content Management

Use the following security best practices for content management:
Security best practice More information

For distribution points on the intranet, consider the advantages and disadvantages of using HTTPS and HTTP

Differences between HTTPS and HTTP for distribution points: When you use HTTPS for a distribution point, Configuration Manager does not use package access accounts to authorize access to the content, but the content is encrypted when it transferred over the network. When you use HTTP for a distribution point, you can use package access accounts for authorization, but the content is not encrypted when it is transferred over the network.

In most scenarios, using HTTP and package access accounts for authorization provides more security than using HTTPS with encryption but without authorization. However, if you have sensitive data in your content that you want to encrypt during transfer, use HTTPS. If you use a PKI client authentication certificate rather than a self-signed certificate for the When you require a password to import the client authentication certificate that you use for
1444

Security best practice

More information

distribution point, protect the certificate file (.pfx) with a strong password. If you store the file on the network, secure the network channel when you import the file into Configuration Manager.

the distribution point to communicate with management points, this helps to protect the certificate from an attacker. Use SMB signing or IPsec between the network location and the site server to prevent an attacker from tampering with the certificate file. By default, a distribution point is installed on the same server as the site server. Clients do not have to communicate directly with the site server, so to reduce the attack surface, assign the distribution point role to other site systems and remove it from the site server. The distribution point share allows Read access to all users. To restrict which users can access the content, use package access accounts when the distribution point is configured for HTTP. For more information about the Package Access Account, see the Manage Accounts to Access Package Content section in the Operations and Maintenance for Content Management in Configuration Manager topic The distribution point does not require HTTP Redirection and IIS Management Scripts and Tools. To reduce the attack surface, remove these role services for the web server (IIS) role. For more information about the role services for the web server (IIS) role for distribution points, see the Site System Requirements section in the Supported Configurations for Configuration Manager topic. Because changes to the access accounts on the package files become effective only when you redistribute the package, set the package access permissions carefully when you first create the package. This is particularly important for the following scenarios: The package is large. You are distributing the package to many
1445

Remove the distribution point role from the site server.

Secure content at the package access level. Note This does not apply to cloud-based distribution points on Configuration Manager SP1, which do not support package access accounts.

If Configuration Manager installs IIS when you add a distribution point site system role, remove HTTP Redirection and IIS Management Scripts and Tools when the distribution point installation is complete

Set package access permissions when you create the package

Security best practice

More information

distribution points. Implement access controls to protect media that contains prestaged content The network bandwidth capacity for content distribution is limited.

Prestaged content is compressed but not encrypted. An attacker could read and modify the files that are then downloaded to devices. Configuration Manager clients will reject content that is tampered with, but they still download it. To avoid tampering and elevation of privileges, use only the authorized command-line tool that is supplied with Configuration Manager.

Import prestaged content by using only the ExtractContent command-line tool (ExtractContent.exe) that is supplied with Configuration Manager and make sure that is signed by Microsoft Secure the communication channel between the site server and the package source location

Use IPsec or SMB signing between the site server and the package source location for when you create applications and packages. This helps to prevent an attacker from tampering with the source files. When you change from using the default website to using a custom website, Configuration Manager does not remove the old virtual directories. Remove the virtual directories that Configuration Manager originally created under the default website: SMS_DP_SMSPKG$ SMS_DP_SMSSIG$ NOCERT_SMS_DP_SMSPKG$ NOCERT_SMS_DP_SMSSIG$

If you change the site configuration option to use a custom website rather than the default website after any distribution point roles are installed, remove the default virtual directories

For cloud-based distribution points in Configuration Manager SP1: Protect your subscription details and certificates

When you use cloud-based distribution points in Configuration Manager SP1, protect the following high-value items: The user name and password for your Windows Azure subscription. The Windows Azure management certificate. The cloud-based distribution point service certificate.
1446

Security best practice

More information

Store the certificates securely and if you browse to them over the network when you configure the cloud-based distribution point, use IPsec or SMB signing between the site system server and the source location. For cloud-based distribution points in Configuration Manager SP1: For service continuity, monitor the expiry date of the certificates Configuration Manager SP1 does not warn you when the imported certificates for management or the cloud-based distribution point service is about to expire. You must monitor the expiry dates independently from Configuration Manager and make sure that you renew and then import the new certificate before the expiry date. This is particularly important if you purchase a Configuration Manager cloud-based distribution point service certificate from an external certification authority (CA), because you might need additional time to obtain a renewed certificate. Note If either certificate expires, Cloud Services Manager generates the status message ID 9425 and the CloudMgr.log file contains an entry to indicate that the certificate is in expired state, with the expiry date also logged in UTC.

Security Issues for Content Management

Content management has the following security issues: Clients do not validate content until after it is downloaded Configuration Manager clients validate the hash on content only after it is downloaded to their client cache. If an attacker tampers with the list of files to download or with the content itself, the download process can take up considerable network bandwidth for the client to then discard the content when it encounters the invalid hash. You cannot restrict access to content hosted by cloud-based distribution points to users or groups

1447

When you use cloud-based distribution points in Configuration Manager SP1, access to the content is automatically restricted to your enterprise and you cannot restrict it further to selected users or groups. A blocked client can continue to download content from a cloud-based distribution point for up to 8 hours When you use cloud-based distribution points in Configuration Manager SP1, clients are authenticated by the management point and then use a Configuration Manager token to access cloud-based distribution points. The token is valid for 8 hours so if you block a client because it is no longer trusted, it can continue to download content from a cloud-based distribution point until the validity period of this token is expired. At this point, the management point will not issue another token for the client because the client is blocked. To avoid a blocked client from downloading content within this 8 hour window, you can stop the cloud service from the Cloud node, Hierarchy Configuration, in the Administration workspace in the Configuration Manager console. For more information, see Manage Cloud Services for Configuration Manager.

Privacy Information for Content Management

Configuration Manager does not include any user data in content files, although an administrative user might choose to do this. Before you configure content management, consider your privacy requirements.

See Also
Content Management in Configuration Manager

Technical Reference for Content Management in Configuration Manager

This section contains technical reference information for Content Management in System Center 2012 Configuration Manager.

Technical Reference Topics

There is currently no technical reference information for Content Management in Configuration Manager.

Other Resources for this Product

Documentation Library for System Center 2012 Configuration Manager Content Management in Configuration Manager
1448

Application Management in Configuration Manager

Application management in Microsoft System Center 2012 Configuration Manager provides a set of tools and resources that can help you to create, manage, deploy, and monitor applications in the enterprise. Use the topics in the following section for detailed information about application management in Configuration Manager.

Application Management Topics

Use the following topics learn how to create, manage, deploy, and monitor applications in Configuration Manager. Introduction to Application Management in Configuration Manager Planning for Application Management in Configuration Manager Configuring the Application Catalog and Software Center in Configuration Manager Operations and Maintenance for Application Management in Configuration Manager Packages and Programs in Configuration Manager Deploying Software to Linux and UNIX Servers in Configuration Manager Security and Privacy for Application Management in Configuration Manager Technical Reference for Application Management in Configuration Manager

Other Resources for this Product

TechNet Library main page for System Center 2012 Configuration Manager Deploying Software and Operating Systems in System Center 2012 Configuration Manager

Introduction to Application Management in Configuration Manager

Application management in Microsoft System Center 2012 Configuration Manager provides both Configuration Manager administrative users and Configuration Manager client device users the tools to manage applications in the enterprise. Important A device, in Configuration Manager, is a collective term that includes any kind of computer such as a desktop, server, or a portable computer, and mobile device, such as a phone. For administrative users, the benefits of application management include the following:

1449

Applications in Configuration Manager support user-centric management so that you can associate specific users with specific devices. Instead of having to remember the name of a users device, you can now deploy software to the user and to the device. This functionality can help you make sure that the most important software is always available on each device that a specific user accesses. If a user acquires a new computer, you can automatically install the users applications on the device before the user logs on. You can send application deployments to users, devices, groups of users, or groups of devices. You can use requirements to control the deployment of applications to devices. For example, you can specify that an application can be installed only on computers that have more than 2 gigabytes (GB) of RAM, or specify that you want the application to install only on computers that run Windows 7. Applications are installed only on the computers that meet the specified requirements. Configuration Manager contains a set of built-in requirements called global conditions, and you can also define custom requirements. Users can install Windows software directly from the Application Catalog self-service website. Users can request approval to install software from a self-service website, the Application Catalog. Administrative users can approve or deny these requests. An administrative user can configure a deployment purpose and action for an application. This configuration controls whether the application is required or optional and whether the application must be installed or uninstalled. Configuration Manager periodically monitors the state of the deployment. For example, if an application has a deployment purpose of Required and the user uninstalls it, Configuration Manager automatically reinstalls the application. A new client program, Software Center, provides a user-friendly interface that lets the user of a Windows client computer perform typical tasks to help manage software that Configuration Manager installs on their devices. A self-service application website, the Application Catalog, lets users search for, install, and request Windows applications. Users who have mobile devices can also use this website to wipe their mobile devices. Users can configure when software and updates must not be installed by specifying their own working hours.

For client device users, the benefits of application management include the following:

Configuration Manager continues to support packages and programs that were used in Configuration Manager 2007. For more information, see Packages and Programs in Configuration Manager. A deployment that uses packages and programs is useful when you deploy any of the following: Scripts that do not install an application on a computer, such as a script to defragment the computer disk drive. One-time scripts that do not require monitoring. Scripts that run on a recurring schedule and do not use global conditions or requirement rules. Note
1450

In Configuration Manager SP1, you must use packages and programs to deploy software to Linux and UNIX servers. Tip You can use Microsoft System Center Configuration Manager Package Conversion Manager to convert packages and programs into Configuration Manager applications. Download Package Conversion Manager from the Microsoft Download Center site. For more information, see Configuration Manager Package Conversion Manager. See the following sections for more information about application management: Creating Applications in Configuration Manager Deploying Applications in Configuration Manager Configuration Manager and App-V Virtual Applications App-V Virtual Environments Monitoring Application Deployments in Configuration Manager Whats New in Configuration Manager Whats New in Configuration Manager SP1

For an example scenario that shows how you might deploy and manage the life-cycle of an application in your environment, see Example Scenario for Managing Applications by Using Configuration Manager.

Creating Applications in Configuration Manager

An application in Configuration Manager contains the files and information that are required to deploy software to a device. An application also includes information about the software that all deployment types share. Applications are similar to packages in Configuration Manager 2007, but applications contain more information to support smart deployment. When you modify an application, a new revision of the application is created. Earlier versions of the application are stored and you can retrieve them later if they are necessary. You can also export applications from Configuration Manager to a file or import applications into Configuration Manager from a file. Therefore, you can make a backup of an application independently from Configuration Manager or move an application to another Configuration Manager site. The following topics describe the typical elements of an application in Configuration Manager.

General Application Information

General application information specifies basic information such as the application's name, description, version, owner, and administrative categories. Configuration Manager can read this information from the application installation files if it is present. For more information, see How to Create Applications in Configuration Manager.

1451

Application Catalog Information

Application catalog information specifies information about how the application is displayed to users who are browsing the Application Catalog. You can configure the display of information about the application to appear in multiple available languages. Tip Application Catalog information cannot be configured for some deployment types. For more information, see How to Create Applications in Configuration Manager.

Deployment Types
A deployment type is contained in an application and is made up of the information that is required to install software. A deployment type also contains rules that specify when and how the software is deployed. An application can contain multiple deployment types, each of which installs the application by using a different method. A single application can have multiple deployment types that use the same technology. For example, a single application might have multiple Windows Installer deployment types. When you deploy an application that has multiple deployment types, Configuration Manager evaluates each deployment type in order. Then, of the deployment types that meet the specified requirements, the system installs the deployment type with the highest priority. For information about how to change the priority of deployment types, see How to Manage Applications and Deployment Types in Configuration Manager. The following deployment type options are available in Configuration Manager: Windows Installer (Native) (Configuration Manager with no service pack) or Windows Installer (*.msi file) (Configuration Manager SP1) This option creates a deployment type from a Windows Installer file. Configuration Manager can retrieve information from the Windows Installer file and related files in the same folder to automatically populate some fields of the Create Deployment Type Wizard. Script Installer (Native) (Configuration Manager with no service pack) or Script Installer (Configuration Manager SP1) This option creates a deployment type that specifies a script that runs on client devices to install content or to perform an action. Microsoft Application Virtualization (Configuration Manager with no service pack) or Microsoft Application Virtualization 4 (Configuration Manager SP1) This option creates a deployment type from a Microsoft Application Virtualization 4 manifest. Configuration Manager can retrieve information from the manifest file to automatically populate some fields of the Create Deployment Type Wizard. Windows Mobile Cabinet This option creates a deployment type from a Windows Mobile Cabinet (CAB) file. Configuration Manager can retrieve information from the CAB file to automatically populate some fields of the Create Deployment Type Wizard. Nokia SIS file This option creates a deployment type from a Nokia Symbian Installation Source (SIS) file. Configuration Manager can retrieve information from the SIS file to automatically populate some fields of the Create Deployment Type Wizard.

The following new deployment types are available in Configuration Manager SP1:
1452

Windows app package (.appx file) This option creates a deployment type for Windows 8 or Windows RT from a Windows app package file. Configuration Manager can retrieve information from the package file to automatically populate some fields of the Create Deployment Type Wizard. Windows app package (in the Windows Store) This option creates a deployment type for Windows 8 or Windows RT by specifying a link to the app in the Windows Store by browsing to a computer that already has the app installed. Microsoft Application Virtualization 5 - This option creates a deployment type from a Microsoft Application Virtualization 5 package file. Configuration Manager can retrieve information from the package file to automatically populate some fields of the Create Deployment Type Wizard. Windows Phone app package (*.xap file) This option creates a deployment type from a Windows Phone app package file. Configuration Manager can retrieve information from the package file to automatically populate some fields of the Create Deployment Type Wizard. Windows Phone app package (in the Windows Phone Store) - This option creates a deployment type by specifying a link to the app in the Windows Phone. App package for iOS (*.ipa file) This option creates a deployment type from an iOS app package file. App package for iOS from App Store This option creates a deployment type by specifying a link to the iOS app in the App Store. App package for Android (*.apk file) This option creates a deployment type from an Android app package file. App package for Android on Google Play This option creates a deployment type by specifying a link to the app on Google Play. Mac OS X This option creates a deployment type from a .cmmac file that you have created with the CMAppUtil utility. Configuration Manager can retrieve information from the .cmmac file to automatically populate some fields of the Create Deployment Type Wizard.

For information about how to create deployment types, see How to Create Deployment Types in Configuration Manager.

Detection Method
With Configuration Manager, you can use any of the several available methods to determine whether a deployment type is already present on a device. You can detect a Windows Installer product code, a file or a folder, or a registry value to determine whether a deployment type is present. You can also write a script to detect whether a deployment type is present on the device. You can specify detection methods in the Create Deployment Type Wizard or in the properties of an existing deployment type. For more information, see the Step 4: Configure Detection Methods to Indicate the Presence of the Application section in the How to Create Deployment Types in Configuration Manager topic.

1453

Requirements and Global Conditions

The Configuration Manager client evaluates requirement rules to determine whether an application and any of its deployment types will be installed. Then it determines the correct deployment type by which to install an application as applicable. Every seven days, by default, the requirement rules are reevaluated to ensure compliance according to the client setting Schedule re-evaluation for deployments. As an administrative user, you can define a custom evaluation period. For more information about client settings, see About Client Settings in Configuration Manager. You can configure requirement rules to use with only a single specific deployment type, or you can create global conditions that are available to use with any deployment type. The available requirements will differ, depending on which kind of device you are configuring rules for. For more information about requirement rules, see How to Create Deployment Types in Configuration Manager. For more information about global conditions, see How to Create Global Conditions in Configuration Manager.

Dependencies
A dependency defines one or more prerequisite deployment types that must be installed before another specified deployment type can be installed. You can configure the prerequisite dependent deployment types to install automatically before the dependent deployment type is installed. For more information, see How to Create Deployment Types in Configuration Manager.

Deploying Applications in Configuration Manager

Use deployments in Configuration Manager to distribute applications to users or devices in your organization. The Deploy Software Wizard lets you specify information about the application deployment.

User Device Affinity

With Configuration Manager, you can associate specific users with specific devices. This association is called user device affinity. This mapping of devices to users can remove the need to know the names of a users devices when you deploy applications. You can define primary devices. These are typically the devices that users use daily to perform their work. When you create an affinity between a user and a computer, you gain additional options for deploying software. For example, if a user must have Microsoft Visio, you can install the program on the users primary device by using a Windows Installer deployment. On a device that is not a primary device, you might deploy Microsoft Visio as a Microsoft Application Virtualization (App-V) virtual application. With user device affinity, you can deploy applications to a user without having
1454

to install the application on every device that the user logs on to. You can also pre-deploy software on a users device when the user is not logged on. Configuration Manager automatically manages user device affinities for the mobile devices that it enrolls. However, it does not create user device affinities for mobile devices that are discovered by using the Exchange Server connector. When Configuration Manager completes mobile device enrollment, users can see their mobile devices listed in the self-service website, Application Catalog. If Configuration Manager wipes the mobile device, Configuration Manager also automatically wipes the user device affinity information for the mobile device. Whereas Configuration Manager manages user device affinity automatically for enrolled mobile devices, you have more flexibility in how you can manage user device affinity for computers. You can define user device affinity for computers by using any of the following methods: The computer user can specify that the device is a primary device in the Application Catalog. An administrative user can import a file that lists users and devices. An administrative user can configure the site to automatically create user device affinities that are based on collected usage statistics. An administrative user can then approve the detected user device affinities. An administrative user can manually create affinities. An administrative user can define user device affinity for a client computer during deployment of an operating system to a computer. Note Configuration Manager does not support user device affinity for Mac computers. User device affinity can be defined in any of the following ways: A single user to a single device. Many users to a single device. A single user to many devices.

For more information, see How to Manage User Device Affinity in Configuration Manager.

Standard Deployments
When you deploy an application in Configuration Manager, you can choose a deployment purpose and a deployment action. The available settings are as follows: Deployment Action Install and Uninstall Specifies whether the application is installed or uninstalled on client devices. Available If the application is deployed to a user, the user sees the published application in the Application Catalog and can request it on demand. If the application is deployed to a device, the user sees the application listed in Software Center and can install it on demand. Mobile devices that are enrolled by Configuration Manager do not support applications with a deployment purpose of available.
1455

Deployment Purpose

Required The application is deployed automatically. This typically occurs according to the configured schedule. However, a user can track the application deployment status and install the application before the deadline by using Software Center.

When you specify the purpose of a user-targeted deployment, you can specify whether users must request approval from an administrative user before they can install the application. Tip Depending on the device that you are deploying software to, one or more of these options might not be available. For more information, see How to Deploy Applications in Configuration Manager.

Simulated Deployments
You can use simulated deployments to test the applicability of an application deployment to computers without actually installing or uninstalling the application. When you deploy a simulated deployment, the computers to which the application is deployed evaluate the detection method, requirements, and dependencies for a deployment type and then return the evaluation results to the Configuration Manager site. You can view these results in the Deployments node in the Monitoring workspace. For more information, see How to Simulate an Application Deployment in Configuration Manager. Note You can use simulated deployments with Configuration Manager applications only. Simulated deployments cannot be used to deploy packages and programs. Additionally, you cannot use simulated deployments for mobile devices.

Support for Windows Embedded Devices That Use Write Filters

For Configuration Manager SP1 only: When you deploy applications to Windows Embedded devices that are write filter-enabled, you can specify whether to disable the write filter on the device during the deployment and then restart the device after the deployment. If the write filter is not disabled, the software is deployed to a temporary overlay and the software will no longer be installed when the device restarts unless another deployment forces changes to be persisted. Note When you deploy an application to a Windows Embedded device, make sure that the device is a member of a collection that has a configured maintenance window. This lets you manage when the write filter is disabled and enabled, and when the device restarts. The user experience setting that controls the write filter behavior is a check box named Commit changes at deadline or during a maintenance window (requires restarts) . For more information about how Configuration Manager manages embedded devices that use write filters, see the Deploying the Configuration Manager Client to Windows Embedded Devices section in the Introduction to Client Deployment in Configuration Manager topic.
1456

Application Catalog and Software Center

The user-centric management support in Configuration Manager can give users control over how and when Windows x86 and x64 software is installed on their devices. Configuration Manager can also help ensure that the software that users need in order to perform their work is available wherever they log on, not just on their primary devices. Users of Windows-based computers can manage their software deployment experience by using the new client interface, Software Center. Software Center is automatically installed on client computers where users can access it on the Start menu. In Software Center, users can manage their own software. They can perform the following actions: Install software. Schedule software for automatic installation outside of working hours. Configure when Configuration Manager can install software on their device. Configure access settings for remote control if remote control is enabled in Configuration Manager. Configure options for power management if an administrative user enables this.

By using a link in Software Center, users can connect to the Application Catalog where they can browse for, install, and request software. In addition, users can use the Application Catalog to configure certain preference settings and remotely wipe their mobile devices if it is necessary. Because the Application Catalog website is hosted in Internet Information Services (IIS), users can also directly access the Application Catalog on a browser from the intranet or the Internet. As an administrative user, you can add the name of your organization to Software Center and the Application Catalog. This helps users recognize the application as being from a trusted source. You can also customize the Application Catalog by using different theme colors. The Application Catalog supports integration with external websites. For example, if you host a Microsoft SharePoint website, the catalog can be specified as the Web Page link in the Page Viewer. The Application Catalog maintains the style and theme that you configured. It does not support customization by using cascade style sheets (CSS). The Application Catalog requires two new site system roles on your site: Application Catalog web service point Provides software information from the Software Library to the Application Catalog website. Application Catalog website point Gives users a list of available software.

For more information about how to install and configure the Application Catalog and Software Center, see Configuring the Application Catalog and Software Center in Configuration Manager. On a computer that runs Windows, the Configuration Manager client in Control Panel remains in System Center 2012 Configuration Manager. This can help administrative users troubleshoot problems with the client software. For mobile devices that are enrolled by Windows Intune, users can install apps directly from the company portal. A company portal is a self-service portal where users can view and download apps for Windows Phone 8, Windows RT, iOS, and Android devices.

1457

Configuration Manager and App-V Virtual Applications

You can use System Center 2012 Configuration Manager to install and manage virtual applications as deployment types in an application. To deploy a virtual application, you must first create the virtual application by using the Application Virtualization Sequencer. The sequencer monitors the installation and setup process for an application and records the information that is needed for the application to run in a virtual environment. You can also use the sequencer to configure which files and configurations apply to all users and which configurations users can customize. When you sequence an application, you must save the package to a location that can be accessed by Configuration Manager. You can then create an application deployment that contains this virtual application. Important Configuration Manager does not support use of the shared read-only cache feature of App-V. For Configuration Manager SP1 only: Configuration Manager supports the shared content store feature in App-V 5. When you create a deployment type for a virtual application, Configuration Manager creates the deployment type by using the contents of the application manifest file. This is an XML file that contains information about the virtual application. Additionally, Configuration Manager creates requirement rules for the deployment type based on the contents of the App-V .osd file that contains information about the supported operating systems for the virtual application. For more information about how to create and sequence applications with App-V, see Application Virtualization in the TechNet Library. To be able to use virtual applications in Configuration Manager, client computers must have the App-V 4.6 SP1 or a later version of the client installed. Also, before you can successfully deploy virtual applications, you must update the App-V client with the hotfix described in the Knowledge Base article 2645225. For information to help you plan to manage and deploy virtual applications, see Planning for AppV Integration with Configuration Manager.

Whats New in Configuration Manager

The following items are new or have changed for virtual applications since Configuration Manager 2007. Virtual applications can support App-V Dynamic Suite Composition by using Configuration Manager local and virtual application dependencies. You can selectively publish the components of a virtual application to client computers. Performance is improved for publishing application shortcuts to client computers.

1458

Clients now check more quickly for required installations after logon. Clients also now check for required installations when the desktop is unlocked. Applications can be deployed to users of Remote Desktop Services or Citrix servers when other users are logged in. System Center 2012 Configuration Manager supports streaming virtual applications over the Internet from an Internet-based distribution point. Streaming support is provided for packages suited together using Dynamic Suite Composition. In System Center 2012 Configuration Manager, all distribution points are automatically capable of virtual application streaming. In Configuration Manager 2007, you had to enable streaming support for virtual applications on each distribution point. Disk space usage is reduced on distribution points because application content is no longer duplicated for multiple application revisions. Virtual application content is no longer persisted by default in the Configuration Manager client cache. You can no longer create virtual applications by using Configuration Manager packages and programs. You must use Configuration Manager application management. Configuration Manager supports migrating virtual application packages from Configuration Manager 2007 to System Center 2012 Configuration Manager. When you migrate an App-V package from Configuration Manager 2007, the migration Wizard will create this as a System Center 2012 Configuration Manager application. The Configuration Manager 2007 client option Allow virtual application package advertisement has been removed. In System Center 2012 Configuration Manager, virtual applications can be deployed by default. Virtual applications that are deployed from an App-V Server are not deleted by the Configuration Manager client. Configuration Manager hardware inventory can be used to inventory virtual applications that are deployed by an App-V Server. Application content that has been downloaded to the App-V cache is not downloaded to the Configuration Manager client cache. Note To modify a virtual application, you must first create it as a Configuration Manager application.

App-V Virtual Environments

For Configuration Manager SP1 only: With connection groups in Microsoft Application Virtualization 5.0, your deployed virtual applications can share the same file system and registry on client computers. Unlike standard virtual applications, these applications can share data with one another. Additionally, connection groups preserve user settings for the applications that they contain. App-V virtual environments in Configuration Manager are used to configure connection groups on client computers. Virtual
1459

environments are created or changed on client computers when the application is installed or when clients next evaluate their installed applications. You can prioritize these applications so that when multiple applications try to change a file system or registry value, the application that has the highest priority takes precedence. For more information, see How to Create App-V Virtual Environments in Configuration Manager.

Monitoring Application Deployments in Configuration Manager

You can monitor the deployment of all software by using the Monitoring workspace in the Configuration Manager console. Software deployments include software updates, compliance settings, applications, task sequences, and packages and programs. Applications in Configuration Manager support state-based monitoring, by which you can track the last application deployment state for users and devices. The state messages display information about individual devices. For example, if an application is deployed to a collection of users, you can view the compliance state of the deployment and the deployment purpose in the Configuration Manager console. An application deployment has one of the following compliance states: Success The application deployment succeeded or was found to be already installed. In Progress The application deployment is in progress. Unknown The state of the application deployment could not be determined. This state is not applicable for deployments with a purpose of Available. Requirements Not Met The application was not deployed because the device was not compliant with a dependency or a requirement rule, or the operating system to which it was deployed was not applicable. Error The application did not deploy because of an error.

For each compliance state, you can view additional information. This information includes subcategories within the compliance state and the number of users and devices in the category. For example, the Error compliance state includes the following subcategories: Error evaluating policy Content related errors Installation Errors

When more than one compliance state applies for an application deployment, the Monitoring workspace displays the aggregate state that represents the lowest compliance. For example: If a user logs on to two devices and the application is successfully installed on one device but cannot be installed on the second device, then the aggregate deployment state of the application for that user is displayed as Error. If an application is deployed to all users who log on to a computer, the monitoring process obtains multiple deployment results for that computer. If one or more of the deployments cannot be completed, the aggregate deployment state for that computer is displayed as Error.
1460

The deployment state for package and program deployments is not aggregated. You can use these subcategories to help you quickly identify any important issues with an application deployment. You can also view additional information about which devices fall into a particular subcategory of a compliance state. For more information, see How to Monitor Applications in Configuration Manager.

Whats New in Configuration Manager

The following items are new or have changed for application management since Configuration Manager 2007: Software distribution in Configuration Manager 2007 is now replaced by application management in System Center 2012 Configuration Manager. Application management provides new benefits such as user-centric management. It implements user device affinity, state-based deployments, deployment types, global conditions, simulated deployments, revisions, dependencies, and supersedence. If you do not require the full management capabilities of application management, you can still deploy packages and programs. Deployments replace advertisements. Required deployments replace mandatory or assigned advertisements. Available deployments replace optional advertisements. The Deploy Software Wizard in System Center 2012 Configuration Manager replaces the previous New Advertisement Wizard in Configuration Manager 2007. Users can browse and request software from the Application Catalog. This requires the two new site system roles: the Application Catalog website point and the Application Catalog web service point. The new Software Center client program replaces the Program Download Monitor and Run Advertised Programs in Control Panel. Software Center is automatically installed on client computers. When you deploy software to users, the users no longer have to log off and back on again for Configuration Manager to include the new software deployment in the user policy. However, if the deployment uses a Windows group, any user who was recently added to the group will still have to log off and log back on to receive the software deployment.

Whats New in Configuration Manager SP1

Note The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide. The following items are new or have changed for application management in Configuration Manager SP1: App-V virtual environments in Configuration Manager enable virtual applications to share the same file system and registry on client computers. This lets applications that are in the same

1461

virtual environment to share data with one another. For more information, see How to Create App-V Virtual Environments in Configuration Manager. You can configure new deployment types for Windows 8 applications that support standalone applications (.appx files) and links to the Windows Store. Configuration Manager includes a new deployment type that you can use to deploy virtual applications that you have created by using Microsoft Application Virtualization 5.0. Configuration Manager includes a new deployment type that you can use to deploy applications to Mac computers that run the Configuration Manager client. Configuration Manager includes new deployment types for the following mobile devices when you use the Windows Intune connector: Windows Phone 8, Windows RT, iOS, and Android. Users download these apps from the new self-service portal for mobile devices, the company portal. For more information, see How to Manage Mobile Devices by Using the Windows Intune Connector in Configuration Manager. You can control the behavior of the write filter on Windows Embedded devices when you deploy applications, and packages and programs, by using the new user experience setting of Commit changes at deadline or during a maintenance windows (requires restarts) . For Windows Embedded devices that have the write filter enabled: Software deployments that have a purpose of Available are not supported. If you target a software deployment to these devices, users can see the deployment in Software Center but if they try to install it from there, they see an error message that they do not have permissions. Users on these devices cannot configure their business hours in Software Center. Users on these devices do not see user notifications to let them postpone a software deployment to nonbusiness hours.

Users can no longer install applications from the Application Catalog if the Client Policy client setting Enable user policy polling on clients is set to No. The new Computer Agent client setting, Disable deadline randomization, by default, disables the installation randomization delay for required software updates and for required application deployments. For more information, see the Computer Agent section in the About Client Settings in Configuration Manager topic.

See Also
Application Management in Configuration Manager

Planning for Application Management in Configuration Manager

This section provides planning information to help you use application management in Microsoft System Center 2012 Configuration Manager.

1462

In This Section
Use the following topics to plan for application management in Configuration Manager: Prerequisites for Application Management in Configuration Manager Best Practices for Application Management in Configuration Manager Planning to Deploy Windows 8 Apps in Configuration Manager Planning for App-V Integration with Configuration Manager

See Also
Application Management in Configuration Manager

Prerequisites for Application Management in Configuration Manager

This topic lists the prerequisites for application management in Microsoft System Center 2012 Configuration Manager. The prerequisites are categorized as either external dependencies or dependencies within Configuration Manager.

Dependencies External to Configuration Manager

The following table lists the external dependencies for application management.
Prerequisite More information

IIS is required on the site system servers that run the Application Catalog website point, the Application Catalog web service point, the management point, and distribution point.

For more information about this requirement, see the Prerequisites for Site System Roles section in the Supported Configurations for Configuration Manager topic.

For client computers that access the Internet Explorer 6 incorrectly detects some Application Catalog by using Internet Explorer 6 areas of the Application Catalog to be unsecure and HTTPS client connections: and displays a security warning about mixed Configure Internet Explorer 6 to disable the content. When this occurs, users might not be able to use the Application Catalog. Later display of mixed content for the Internet versions of Internet Explorer do not display this zone. message. Configure Internet Explorer 6 by using the following steps: 1. In Internet Explorer 6, click Tools, click Internet Options, click the Security tab,
1463

Prerequisite

More information

select the Internet zone, and then click Custom Level. 2. Locate Display mixed content and click Disable. For mobile devices that are enrolled by Configuration Manager: If you use Active Directory Certificate Services to code sign applications for mobile device applications, do not use a version 3 certificate template. When you code sign applications in order to deploy them to mobile devices, do not use a certificate that was generated by using a version 3 template (Windows Server 2008, Enterprise Edition). This certificate template creates a certificate that is not compatible with Configuration Manager applications for mobile devices. If you deploy .SIS/.SISX files to a Nokia Symbian Belle mobile device that is enrolled by Configuration Manager, you must use a file format that conforms to the OS v9.x SIS file format specification. Configuration Manager reads the following two settings from the local security policy on client computers to determine automatic user device affinities: Audit account logon events Audit logon events

To deploy applications to Symbian Bell mobile devices: The Nokia Symbian Installation Source (SIS) file must conform to the OS v9.x SIS file format specification.

Clients must be configured to audit logon events if you want to automatically create user device affinities.

To automatically create relationships between users and devices, make sure that these two settings are enabled on client computers. You can use Windows Group Policy to configure these settings.

Configuration Manager Dependencies

The following table lists the dependencies within Configuration Manager for application management.
Prerequisite More information

Management point

Clients will contact a management point to download client policy, to locate content, and to connect to the Application Catalog.
1464

Prerequisite

More information

Important If clients cannot access a management point, they cannot use the Application Catalog. Distribution point Before applications can be deployed to clients, you must have at least one distribution point in the hierarchy. By default, the site server has a distribution point site role enabled during a standard installation. The number and location of distribution points will vary according to the specific requirements of your enterprise. For more information about how to install distribution points and manage content, see Configuring Content Management in Configuration Manager. Client settings Many client settings control how applications are installed on the client and the end user experience on the client. These client settings include the following: Computer Agent Computer Restart Software Deployment User and Device Affinity

For more information about these client settings, see About Client Settings in Configuration Manager. For information about how to configure client settings, see How to Configure Client Settings in Configuration Manager. For the Application Catalog: Discovered user accounts Users must first be discovered by Configuration Manager before they can view and request applications from the Application Catalog. For more information, see the Configure Active Directory Discovery for Computers, Users, or Groups section in the Configuring Discovery in Configuration Manager topic. To be able to successfully create virtual applications in Configuration Manager, client
1465

App-V 4.6 SP1 or later client to run virtual applications

Prerequisite

More information

computers must have the App-V 4.6 SP1 or later client installed. You must also update the App-V client with the hotfix described in the Knowledge Base article 2645225 before you can successfully deploy virtual applications. Application Catalog web service point The Application Catalog web service point is a site system role that provides information about available software from the Software Library to the Application Catalog website. For information about how to configure this site system role, see Configuring the Application Catalog and Software Center in Configuration Manager. Application Catalog website point The Application Catalog website point is a site system role that provides users with a list of available software. For information about how to configure this site system role, see Configuring the Application Catalog and Software Center in Configuration Manager. Reporting services point To be able to use the reports in Configuration Manager for application management, you must first install and configure a reporting services point. For more information, see Configuring Reporting in Configuration Manager. Security permissions for application management You must have the following security permissions to manage applications. To create, modify and retire applications: Alerts Create, Delete, Modify, Modify Report, Read, Run Report. Application Approve, Create, Delete, Modify, Modify Folder, Move Object, Read, Run Report, Set Security Scope. Boundaries Read. Boundary Group Read. Collection Modify Client Status Alert,
1466

Prerequisite

More information

Read, Read Resource. Distribution Point Copy to Distribution Point, Read. Distribution Point Group Copy to Distribution Point, Read. Global Condition Read. Package Create, Delete, Modify, Modify Folder, Modify Report, Move Object, Read, Run Report, Set Security Scope. Site Read.

The Application Author security role includes the preceding listed permissions that are required to create, modify and retire applications in Configuration Manager. To deploy applications: Alerts Create, Delete, Modify, Modify Report, Read, Run Report. Application Read, Run Report. Boundaries Read. Boundary Group Read. Client Agent Setting Read. Collection Deploy Applications, Deploy Client Settings, Deploy Packages, Modify Client Status Alert, Read, Read Resource. Deployment Templates Read. Distribution Point Read. Distribution Point Group Read, Create Association to Collection. Global Condition Read. Mobile Device Enrollment Profiles Read. Package Read, Run Report. Query Read. Site Read. Status Messages Read. User Device Affinities Read, Run Report.
1467

Prerequisite

More information

The Application Deployment Manager security role includes the preceding listed permissions that are required to deploy applications in Configuration Manager. The Application Administrator security role contains all of the permissions from both the Application Author and the Application Deployment Manager security roles. For more information, see Configure RoleBased Administration in the Configuring Security for Configuration Manager topic.

See Also
Planning for Application Management in Configuration Manager

Best Practices for Application Management in Configuration Manager

Use the following best practices for application management in Microsoft System Center 2012 Configuration Manager.

Use application supersedence to update deployed applications

When you modify a deployed application, any new installations will use the modified version of the application. If, when you modify the application you also modify the detection method associated with the application, then all deployed copies of the application will be updated. To provide greater control for application updates, use application supersedence. For more information about how to supersede applications, see How to Use Application Supersedence in Configuration Manager.

1468

Use required applications rather than available applications for Windows Embedded devices that have write filters enabled
Because users cannot install applications from the Application Catalog from a Windows Embedded device that has write filters enabled, always deploy applications that are required rather than available to these devices. Typically, this will not be a problem because computers that run a Windows Embedded operating system often run a single application that must run in the same way for multiple users. Because of this, these devices are highly managed and locked down by the IT department. Required applications are well-suited to this scenario. However, if users do run more than one application on embedded devices when write filters are enabled, educate these users about the following limitations: Users cannot install applications from the Application Catalog. Users cannot install required software from Software Center. Users cannot change their business hours in the Options tab of Software Center. Users cannot postpone the installation of a required application.

In addition, low-rights users cannot log on during a maintenance period if Configuration Manager SP1 is committing changes for software installations and updates. During this period, users see a message informing them that the device is unavailable because it is being serviced.

Do not deploy applications to Windows Embedded devices that have write filters enabled if the applications require the user to accept the license terms
When writer filters are disabled so that Configuration Manager can install software on embedded devices, low-rights users cannot log on to the device. If the installation requires the user to accept the license terms, this will not be possible and the installation will fail. Make sure that you do not deploy software to Windows Embedded devices if the installation requires user interaction. You can use the Applicable Platforms list to filter these operating systems.

See Also
Planning for Application Management in Configuration Manager

1469

Planning to Deploy Windows 8 Apps in Configuration Manager

Note The information in this topic applies only to System Center 2012 Configuration Manager SP1. Use the information in the following table to help you plan and prepare to deploy Windows 8 applications (apps) to Microsoft System Center 2012 Configuration Manager SP1 clients in your organization.
Process Reference

Review the available information about the basic concepts for application management in Configuration Manager.

For introductory information about application managemen t, see Introduction to Application Managemen t in Configuratio n Manager. For information about the prerequisites for application managemen t, see Prerequisite s for Application Managemen t in Configuratio n Manager.
1470

Review and implement the prerequisites to deploy applications in Configuration Manager.

Process

Reference

Configure and test the Application Catalog and Software Center to enable users to browse for and install software.

For information about how to configure the Application Catalog and Software Center, see Configuring the Application Catalog and Software Center in Configuratio n Manager. No additional information.

Review the two different available methods that you can use to deploy software to computers that run Windows 8: Deploy the application by providing a link to the app in the Windows Store. Deploy the app installation file (.appx file) to computers directly, bypassing the Windows Store. This process is sometimes called sideloading.

Review the requirements and recommendations to deploy Windows 8 apps to computers in the company. If you are deploying a line of business application, work with the application developers to ensure that the following requirements are met: The technical compliance of the App has been validated to ensure that it provides a consistent Windows 8 application experience, that it meets the minimum technical requirements for an app, and that it will function correctly on future versions of Windows. The app is signed by a certification authority (CA) that is trusted by the Windows 8 computers that will install the app. The publisher name in the package manifest file must match the publisher name in the certificate that signs the app. Note Microsoft recommends that all apps that are installed by deploying application installation files are signed by a certificate that is from a trusted certification authority. By default, Windows trusts many certification authorities without any additional configuration. If the signing certificate is from one of these trusted authorities, you do not need to deploy and manage additional certificates on Windows 8

For information about how to validate the technical compliance of Windows 8 apps, see Testing your app with the Windows App Certification Kit in the Windows Dev Center. For information
1471

Process

Reference

computers that will install the Windows 8 app. You can also use your internal PKI to sign the app if computers trust the certification authority that issues the signing certificate. Visual Studio provides a self-signing test certificate that you can use to test apps internally. Microsoft recommends that you use these selfsigned certificates for internal testing only and that you do not use them on production networks for enterprise deployment. Important When you import a Windows 8 app into Configuration Manager, no validation is done to ensure that the app is signed. Be sure to take the steps outlined in this topic to sign the application before you import it into Configuration Manager. Configure Windows 8 computers to allow direct installation of Windows 8 apps. To do so, use group policy to configure the following sideloading registry settings: Note Client computers that run different versions of Windows 8 have different requirements for enabling the sideloading of apps. For example, you must configure the sideloading key on a computer that runs Windows 8 Enterprise if the computer is not joined to a domain. For more information about these requirements, see the section Windows 8 Sideloading Requirements in this topic. On computers that run enterprise versions of Windows 8 Enterprise, use this registry setting: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Appx\All owAllTrustedApps = 1 On computers that run Windows 8 Professional, use this registry setting: HKEYLOCAL_MACHINE\Software\Policies\Microsoft\Windows\Appx\Allo wAllTrustedApps = 1

about how to sign apps by using Microsoft Visual Studio, see Signing an app package (Windows Store apps) in the Windows Dev Center. For more information about how to configure group policy preferences in order to configure registry settings, see your Windows documentati on.

When you create an application of the type Windows app package (in the Windows Store), you must browse to a reference computer and select the application in order to create a link. Before you can do this, you must prepare the reference computer to receive Web Service Management (WS-Management) requests from the Configuration Manager console.

See Prepare the Reference Computer for Application Browsing in this topic.

1472

Supplemental Procedures to Prepare to Deploy Windows 8 Apps

Use the following information when the steps in the preceding table require supplemental procedures.

Prepare the Reference Computer for Application Browsing

Perform the following procedure to configure an HTTPS connection between the computer that runs the Configuration Manager console and the reference computer, which is the Windows 8 computer that contains the Windows Store applications to be browsed. To prepare the reference computer 1. Ensure that the account you use to log on to the computer that runs the Configuration Manager console has Administrator permissions on both the computer running the console and on the reference computer. 2. At a command prompt on the reference computer, enter the following command to create an HTTPS-based listener: winrm qc Transport:HTTPS 3. On the reference computer, enter the following command to allow Windows PowerShell to make remote connections to the computer: enable-psremoting 4. On the reference computer, enter the following command to remove the HTTP-based listener that was enabled by the previous command: winrm delete winrm/config/Listener?Address=*+Transport=HTTP 5. On the reference computer, configure a Windows Firewall inbound rule for port 5986, which is the default HTTPS port that will be used for communication.

Windows 8 Sideloading Requirements

Use the following table to understand when you must configure the sideloading keys in Windows 8 in order to enable the direct installation of applications:
Windows 8 version Configure AllowAllTrustedApps registry key Domain joined Sign .appx file with trusted enterprise code signing certificate Sideloading key required

Windows 8 Enterprise

Yes

Yes

Yes. Code signing certification

Required if Enterprise client is not joined to a

1473

Windows 8 version

Configure AllowAllTrustedApps registry key

Domain joined Sign .appx file with trusted enterprise code signing certificate

Sideloading key required

authority is trusted on Windows 8 clients. Windows 8 Professional Yes Not required Yes. Code signing certification authority is trusted on Windows 8 clients. Yes. Code signing certification authority is trusted on Windows 8 clients. Yes. Code signing certification authority is trusted on Windows 8 clients.

domain

Yes

Windows RT

Yes

Not required

Yes

Windows 8 Server

Yes

Yes

Does not support sideloading key

Note Windows 8 Home versions do not support enterprise sideloading.

See Also
Planning for Application Management in Configuration Manager

1474

Planning for App-V Integration with Configuration Manager

System Center 2012 Configuration Manager supports the management of virtual applications that are created with Microsoft Application Virtualization (App-V). When you use Configuration Manager to manage App-V applications, Configuration Manager takes over the management and streaming components of a typical App-V infrastructure. When you use Configuration Manager to manage virtual applications, you gain the benefits of using a single management infrastructure. You will also gain the benefits of scalability, deployment, and content distribution features, such as collections and user device affinity, and additional advanced application management features that Configuration Manager provides. AppV also integrates with Configuration Manager features, such as operating system deployment, software and hardware inventory, software metering, and Asset Intelligence to support virtual applications. To deploy virtual applications to computers, you must have the Configuration Manager client and App-V Client installed on your computers. Client devices can include desktop and portable computers, and Virtual Desktop Infrastructure (VDI) clients. The Configuration Manager and AppV Client software work together to deliver, locate, and launch virtual application packages. The Configuration Manager client manages the delivery of virtual application packages to the App-V Client. The App-V Client runs the virtual application on the client. Use the information in the following sections to help you plan to integrate your App-V environment with Configuration Manager and Configuration Manager SP1. Supported App-V Versions Steps to Manage App-V Virtual Applications Configuration Manager Virtual Application Delivery Methods Migrating from an App-V Infrastructure to a Configuration Manager and App-V Infrastructure Migrating App-V 5 Connection Groups to Configuration Manager Virtual Environments (Configuration Manager SP1 Only) Dynamic Suite Composition in App-V 4.6 Converting App-V 4.6 Applications to App-V 5 Applications (Configuration Manager SP1 Only) User and Deployment Configuration Files (Configuration Manager SP1 ) App-V Local Interaction App-V 5 Shared Content Store Monitoring Virtual Applications

For more information about how to create and sequence applications by using App-V, see your App-V documentation.

1475

Supported App-V Versions

Configuration Managersupports the following versions of App-V: App-V 4.6: System Center 2012 Configuration Manager with no service pack and System Center 2012 Configuration Manager SP1. To use virtual applications in Configuration Manager, client computers must have the App-V 4.6 SP1 client installed. You must also update the App-V Client with the hotfix that is described in the Knowledge Base article 2645225 before you can successfully deploy virtual applications. App-V 5: System Center 2012 Configuration Manager SP1 only.

Steps to Manage App-V Virtual Applications

There are five major steps that you must follow to manage App-V virtual applications: Sequencing - Sequencing is the process of converting an application into a virtual application by using the App-V sequencer. Create Configuration Manager applications Use the Create Deployment Type Wizard to import the sequenced application into a Configuration Manager deployment type that you can then add to an application. You can also create virtual environments that allow multiple virtual applications to share settings. Distribution Distribution is the process of making App-V applications available on Configuration Manager distribution points. Deployment Deployment is the process of making the application available on client computers. This is referred to as streaming in an App-V full infrastructure. Configuration Manager provides two options for the deployment of virtual applications: streaming and download and execute.

Configuration Manager Virtual Application Delivery Methods

Configuration Manager supports two methods for delivery of virtual applications to clients: streaming delivery and local delivery (download and execute): Streaming delivery When the App-V Client is managed by Configuration Manager, it supports the streaming of virtual applications through HTTP or HTTPS from a distribution point. Streaming through HTTP or HTTPS is enabled by default and is configured in the distribution point properties dialog box. When you deploy a virtual application to client computers and a user runs the virtual application, the Configuration Manager client contacts a management point to determine which distribution point to use; then, the application is streamed from the distribution point. Local delivery (download and execute) When you use this delivery method, the Configuration Manager client first downloads the entire virtual application package into the Configuration Manager client cache, and then it
1476

instructs the App-V Client to stream the application from the Configuration Manager cache into the App-V cache. If you deploy a virtual application to client computers and its content is not in the App-V cache, then the App-V Client streams the application content from the Configuration Manager client cache into the App-V cache, and then it runs the application. After the application runs successfully, you can configure the Configuration Manager client to delete any older versions of the package at the next deletion cycle, or to persist them in Configuration Manager client cache. Note If you select the option Load content into App-V cache before launch when you configure a deployment type, the App-V package content is loaded in the App-V cache when the application is deployed and not when the application is run. When you decide which Configuration Manager virtual application delivery method to use, compare the reduced disk space requirement for streaming delivery against the guaranteed availability of App-V applications by using local delivery. The increased client disk space that is required for local delivery might be worthwhile so that users always have the application available from any location. Use the information in the following table to help you decide the best delivery method.
Delivery method Advantages Disadvantages

Streaming delivery

This method uses standard network protocols to stream package content from distribution points. Program shortcuts for virtual applications invoke a connection to the distribution point, so the virtual application delivery is on demand. This method works well for clients with high-bandwidth connections to the distribution points. Updated virtual applications distributed throughout the enterprise are available as clients receive policy that informs them that the current version is superseded and they download only the changes

Virtual applications are not streamed until the user runs the application for the first time. In this scenario, a user might receive program shortcuts for virtual applications and then disconnect from the network before running the virtual applications for the first time. If the user tries to run the virtual application while the client is offline, the user sees an error and will not be able to run the virtualized application because a Configuration Manager distribution point is not available to stream the application. The application will be unavailable until the user reconnects to the network and runs the application.
1477

Delivery method

Advantages

Disadvantages

from the previous version.

To avoid this bad user Access permissions are defined experience, you can use the local delivery method for virtual at the distribution point to application delivery to clients, prevent users from accessing or you can enable the Internetunauthorized applications or based client management for packages. streaming delivery. Local delivery The standard distribution point functionality is used to download the package by using Background Intelligent Transfer Service (BITS). Virtual application package contents are delivered locally to the client, which means that users can run them when their computer is not connected to the network. This method is suitable for slow or unreliable network connections and for computers that only occasionally connect to the network. Configuration Manager uses Remote Differential Compression (RDC) to send to clients only the bytes within the files that have changed when virtual application package content is updated. The Configuration Manager client uses RDC to build a new version of a virtual application package based on the current version of the package and any changes sent to the client. This method provides application resiliency for mobile users or disconnected users. Administrators can choose to
1478

Disk space equaling up to twice the size of the virtual application package is required on the client when the virtual application is persisted in the Configuration Manager cache.

Delivery method

Advantages

Disadvantages

persist the package in the Configuration Manager cache after delivery if the virtual application was deployed with an Install action. The package in the Configuration Manager client cache serves as a local, reliable streaming source for the App-V Client to pull the package into its cache. You can also preinstall virtual applications on a computer and then create an image of that computer for deployment to other computers. However, if the virtual application package was created at a different site, then the binary delta replication will not be used to download updates to the application. This option can be useful in a virtual desktop infrastructure when you want applications to be available immediately instead of downloading the applications after the user logs on.

Migrating from an App-V Infrastructure to a Configuration Manager and App-V Infrastructure

Use the following table to help you plan a migration from an existing App-V infrastructure to virtual application management with Configuration Manager.
Step More information

Examine your current virtual applications to choose the applications that you want to migrate into your Configuration Manager infrastructure. Evaluate the users and devices to which the virtual applications will be deployed.

No additional information.

Create Configuration Manager collections to group together the users and devices to which you want to deploy the virtual applications. For more information, see Collections in Configuration Manager. For more information, see the Migrating App-V 5 Connection Groups to Configuration Manager Virtual Environments (Configuration Manager SP1 Only) section in this topic. For easier management, you can add the
1479

For Configuration Manager SP1 only: Migrate App-V 5 connection groups to Configuration Manager SP1 virtual environments. Investigate to find out if any of your virtual

Step

More information

applications exist as full applications in your Configuration Manager infrastructure.

virtual application as a new deployment type to the existing full application. For more information about how to create deployment types, see How to Create Deployment Types in Configuration Manager. For more information about how to create Configuration Manager applications, see Introduction to Application Management in Configuration Manager and How to Create Applications in Configuration Manager.

Create applications to replace your existing App-V packages.

Configuration Manager begins to manage No additional information. virtual applications on a client after the first deployment of a virtual application. After this, all App-V applications on the computer must be managed by Configuration Manager. Distribute the content to the appropriate distribution points to enable local delivery of applications. Deploy the application to Configuration Manager clients. Note If the App-V application was created with an earlier version of the sequencer that does not create a manifest XML file, you can open it and save it in a newer version of the sequencer to create the file. This file is required to deploy virtual applications with Configuration Manager. App-V supports the virtual application packages that are created with the SoftGrid 4.1 SP1 or 4.2 versions of the Sequencer. If the applications were previously installed locally, you must uninstall them before you deploy a virtual version of the application. System Center 2012 Configuration Manager no For more information, see Planning for the
1480

For more information, see Content Management in Configuration Manager.

For more information, see How to Deploy Applications in Configuration Manager.

Step

More information

longer supports using packages and programs that contain virtual applications. When you migrate from Configuration Manager 2007 to System Center 2012 Configuration Manager, Configuration Manager converts these packages into applications. Configuration Manager 2007 advertisements are converted into the following deployment types: Migrating App-V packages with no advertisement: One deployment type that uses the default deployment type settings. Migrating App-V packages with one advertisement: One deployment type that uses the same settings as the Configuration Manager 2007 advertisement. Migrating App-V packages with multiple advertisements: A deployment type for each Configuration Manager 2007 advertisement, that uses the settings for that advertisement.

Migration of Configuration Manager Objects to System Center 2012 Configuration Manager.

Migrating App-V 5 Connection Groups to Configuration Manager Virtual Environments (Configuration Manager SP1 Only)
App-V virtual environments in Configuration Manager allow virtual applications that you have deployed to share the same file system and registry on client computers. This means that unlike standard virtual applications, these applications can share data with each other. Virtual environments are created or modified on client computers when the application is installed or when clients next evaluate their installed applications. Virtual environments are similar to connection groups in standalone App-V 5. When you migrate connection groups from standalone App-V 5 to Configuration Manager virtual environments, you must ensure that the connection groups that already exist on client computers are managed correctly by Configuration Manager, and that the user's environment within those connection groups is preserved. Use the following procedure to help you successfully convert App-V 5 connection groups into Configuration Manager virtual environments.
1481

To convert App-V 5 connection groups to Configuration Manager virtual environments 1. Create Configuration Manager applications for all applications that existed in App-V. 2. Deploy the applications to users or devices with a deployment purpose of Required. Deployments to users must be deployed to the same users who used the application in App-V, and deployments to computers must be deployed to the same computers that had the application in App-V. 3. After the deployment is completed, create virtual environments that match the connection groups that are published in standalone App-V. The virtual environment must contain the same packages, specifically, App-V 5 deployment types, in the same order. For information about how to create an App-V virtual environment, see How to Create App-V Virtual Environments in Configuration Manager. Alternatively, you can delete all connection groups from the App-V Client before you begin to deploy applications with Configuration Manager. However, this will lose any settings that users might have saved in App-V connection groups.

Dynamic Suite Composition in App-V 4.6

Dynamic Suite Composition is a feature that provides the ability to define one virtual application package as having a dependency on another virtual application package. When the application is run, the App-V Client hosts the primary package and the dependent package in the same virtual environment for the application. To use this feature with Configuration Manager, both packages must be deployed and registered with the App-V Client. To ensure that dependent package content is hosted locally on the client computer, configure the application deployment for local delivery (download and execute). For more information about the App-V Dynamic Suite Composition feature, see your App-V documentation.

Converting App-V 4.6 Applications to App-V 5 Applications (Configuration Manager SP1 Only)
The application package format has changed between App-V 4.6 and App-V 5. Applications that have been sequenced by using App-V 4.6 are no longer supported. However, App-V 5 has a package converter tool that you can use to convert applications. For more information, see your App-V 5 documentation. Use the following steps to convert App-V 4.6 applications to App-V 5 applications: 1. Convert or re-sequence the App-V 4.6 packages into the App-V 5 format. 2. Deploy the App-V 5 client to computers in your hierarchy. 3. Create new applications that contain deployment types for your App-V 5 applications, and create supersedence rules to supersede the App-V 4.6 applications. 4. Create virtual environments as required.
1482

5. Deploy the new App-V 5 applications to computers.

User and Deployment Configuration Files (Configuration Manager SP1 )

User and deployment configuration files contain settings that control how an application behaves. You can use these files to change application settings without re-sequencing the application. A typical App-V 5 application might contain the following files: An application package (.appv) file. A user configuration file. A deployment configuration file.

The user configuration file contains settings that apply only to the logged on user. You could, for example, edit the configuration files to change the information about the application shortcut that will be deployed to users. You can also create a Configuration Manager application with multiple deployment types, and each deployment type can contain a different user configuration file and use requirement rules to ensure that these are installed for the relevant users. The deployment configuration file contains settings that apply to the computer, such as registry settings. The file can also contain user settings, which will be applied to all users. If you want to deploy App-V 5 virtual applications with Configuration Manager, all three files must be present in the same folder when you create the App-V 5 deployment type. If there are multiple files in the folder, Configuration Manager will use the most recent. For more information about user and deployment configuration files, see your App-V 5 documentation.

App-V Local Interaction

In some application deployment scenarios, some applications are installed locally on client computers and other applications are deployed as virtual applications to the same client computer. By default, the applications that were locally installed cannot see or communicate directly with virtualized applications. This is the intended behavior of the application isolation that is provided by App-V. Local Interaction is a feature of the App-V Client that you can enable for each application to allow locally installed applications that run on a client computer to see and communicate with virtualized applications. Configuration Manager and App-V fully support local interaction. For more information about the App-V Local Interaction feature, see your App-V documentation.

App-V 5 Shared Content Store

The App-V 5 Shared Content Store feature is supported by Configuration Manager SP1. For more information about this feature, see your App-V documentation.

1483

Monitoring Virtual Applications

Use the information in this section to plan how to monitor App-V applications in Configuration Manager.

Virtual Application Reports

You can use the following reports to monitor App-V in your Configuration Manager environment:
Report name Description

App-V Virtual Environment Results

Displays information about a selected virtual environment that is in a specified state for a selected collection (App-V 5 only). Displays information about a selected virtual environment for a specified asset and any deployment types for the selected virtual environment (App-V 5 only). Displays compliance information for a selected virtual environment for a selected collected. The Retained column in this report displays the assets in which a virtual environment that was previously configured is no longer applicable, but it is retained to persist user settings in applications that run in the virtual environment (App-V 5 only). Displays a summary of computers that have the specified App-V shortcut that was created by the Application Virtualization Management Sequencer (App-V 4.6 only). Displays a list of computers that have the specified App-V application package installed (App-V 4.6 only). Displays a count of all detected App-V application packages (App-V 4.6 only). Displays a count of all detected App-V applications (App-V 4.6 only).

App-V Virtual Environment Results For Asset

App-V Virtual Environment Status

Computers with a specific virtual application

Computers with a specific virtual application package

Count all instances of virtual application packages Count all instances of virtual applications

1484

Log Files
Configuration Manager records information about virtual application deployments in log files. For information about the log files that are used by virtual applications and Configuration Manager application management, see Technical Reference for Log Files in Configuration Manager. Additionally, you can find logs for the App-V client in the following locations: Windows XP: C:\Documents and Settings\All Users\Application Data\Microsoft\Application Virtualization Client Windows Vista, Windows 7, and Windows 8: C:\ProgramData\Microsoft\Application Virtualization Client

See Also
Planning for Application Management in Configuration Manager

Configuring the Application Catalog and Software Center in Configuration Manager

This topic describes the steps that are needed in order to configure the Application Catalog and Software Center in System Center 2012 Configuration Manager. Note Software Center is automatically installed on client computers when you install the Configuration Manager client. Software Center includes a link to the Application Catalog. You must install and configure the Application Catalog independently from client deployment. Use the following steps and the supplemental procedures to install and configure the Application Catalog site system roles.

Steps to Install and Configure the Application Catalog and Software Center
Use the following table for the steps, details, and more information about installing and configuring the Application Catalog and Software Center to support application management. Important Before you perform these steps, make sure that you have met all of the prerequisites. For more information, see Prerequisites for Application Management in Configuration Manager.

1485

Steps

Details

More information

Step 1: If you will use HTTPS connections, make sure that you have deployed a web server certificate to site system servers.

Deploy a web server certificate to the site system servers that will run the Application Catalog website point and the Application Catalog web service point. Additionally, if you want clients to access the Application Catalog from the Internet, deploy a web server certificate to at least one management point site system server and configure it for client connections from the Internet.

For information about the certificate requirements, see PKI Certificate Requirements for Configuration Manager. For an example of a deployment that creates and installs this web server certificate, see Deploying the Web Server Certificate for Site Systems that Run IIS.

Step 2: If you will use a client PKI certificate for connections to management points, deploy a client authentication certificate to client computers.

Although clients do not have to use a client PKI certificate to connect to the Application Catalog, they must connect to a management point before they can use the Application Catalog. You must deploy a client authentication certificate to client computers in the following scenarios: All management points on the intranet accept only HTTPS

For information about the certificate requirements, see PKI Certificate Requirements for Configuration Manager. For an example of a deployment that creates and installs this client certificate, see Deploying the Client Certificate for Computers.

1486

Steps

Details

More information

client connections. Clients will connect to the Application Catalog from the Internet. For more information about site system role placement, see Site System Role Placement in the Hierarchy. To configure the Application Catalog web service point and the Application Catalog website point, see the following procedure in this topic: Step 3: Installing and configuring the Application Catalog site system roles.

Step 3: Install and configure the Application Catalog web service point and the Application Catalog website.

You must install both of these site system roles in the same site. You do not have to install them on the same site system server or in the same Active Directory forest. However, the Application Catalog web service point must reside in the same forest as the site database.

Step 4: If you have users from other domains:

By default, in Configuration Manager with no Configure NTFS Service Pack, the domain users from access for the the current domain other domain users can access the Application Catalog. You must add the users from other domains to the Application Catalog folder and then grant them access. In Configuration Manager SP1, by default, users can access the Application Catalog

The Application Catalog folder is named CMApplicationCatalog. It is installed in one of the following listed locations or to a custom location if you did not install the Configuration Manager client to the default location. <drive>:\SMS_CCM\ <drive>:\Program files\SMS_CCM\ <drive>:\Windows\CCM\

Grant the users the following permissions to the CMApplicationCatalog folder and to the CMApplicationCatalog\Content\Images\AppIcons folder: Read & execute List folder contents Read Note These permissions are reset to the defaults
1487

Steps

Details

More information

from other domains.

if the Application Catalog website role is reinstalled. In addition to manual reinstallation, Configuration Manager can automatically reinstall this site system role if you change the client connections to or from HTTP and HTTPS, add or remove a client or server language pack, or upgrade the site or apply a hotfix. You must explicitly set permissions for the AppIcons folder in addition setting permissions for the CMApplicationCatalog folder. This is because the AppIcons folder does not inherit permissions from its parent folder.

Step 5: Configure client settings for the Application Catalog and Software Center.

Configure the default client settings if you want all users to have the same setting. Otherwise, configure custom client settings for specific collections. You can access the Application Catalog directly from a browser or from Software Center.

For more information about client settings, see About Client Settings in Configuration Manager. For information about how to configure these client settings, see the following procedure in this topic: Step 5: Configuring the client settings for the Application Catalog and Software Center.

Step 6: Verify that the Application Catalog is operational.

See the following procedure in this topic: Step 6: Verifying that the Application Catalog is operational.

Supplemental procedures to install and configure the Application Catalog and Software Center
Use the following information when the steps in the preceding table require supplemental procedures.

1488

Step 3: Installing and configuring the Application Catalog site system roles
These procedures configure the site system roles for the Application Catalog. Choose one of these procedures depending on whether you will install a new site system server or use an existing site system server: To install and configure the Application Catalog site systems: New site system server To install and configure the Application Catalog site systems: Existing site system server Note The Application Catalog cannot be installed on a secondary site or on a central administration site. To install and configure the Application Catalog site systems: New site system server 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, and click Servers and Site System Roles. 3. On the Home tab, in the Create group, click Create Site System Server. 4. On the General page, specify the general settings for the site system, and then click Next. Tip If you want client computers to access the Application Catalog over the Internet, specify the Internet fully qualified domain name (FQDN). 5. On the System Role Selection page, select Application Catalog web service point and Application Catalog website point from the list of available roles, and then click Next. 6. Complete the wizard. To install and configure the Application Catalog site systems: Existing site system server 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, select Servers and Site System Roles, and then select the server to use for the Application Catalog. 3. On the Home tab, in the Create group, click Add Site System Roles. 4. On the General page, specify the general settings for the site system, and then click Next. Tip If you want client computers to access the Application Catalog over the Internet, specify the Internet fully qualified domain name (FQDN). 5. On the System Role Selection page, select Application Catalog web service point and Application Catalog website point from the list of available roles, and then click
1489

Next. 6. Complete the wizard. Verify the installation of these site system roles by using status messages and by reviewing the log files: 1. Status messages: Use the components SMS_PORTALWEB_CONTROL_MANAGER and SMS_AWEBSVC_CONTROL_MANAGER. For example, status ID 1015 for SMS_PORTALWEB_CONTROL_MANAGER confirms that Site Component Manager was successfully installed the Application Catalog website point. 2. Log files: Search for SMSAWEBSVCSetup.log and SMSPORTALWEBSetup.log. For more detailed information, search for the log files awebsvcMSI.log and portlwebMSI.log.

Step 5: Configuring the client settings for the Application Catalog and Software Center
This procedure configures the default client settings for the Application Catalog and Software Center that will apply to all devices in the hierarchy. If you want these settings to apply to only some devices, you can create a custom client setting and deploy it to a collection that contains the devices that will have the specific settings. For more information about how to create a custom device setting, see the How to Create and Deploy Custom Client Settings section in the How to Configure Client Settings in Configuration Manager topic. To configure the default client settings for Application Catalog and Software Center 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, click Client Settings. 3. Click Default Client Settings. 4. On the Home tab, in the Properties group, click Properties. 5. Review and configure settings that relate to user notifications, the Application Catalog, and Software Center. For example: a. Computer Agent group: Default Application Catalog website point Add default Application Catalog website to Internet Explorer trusted sites zone Organization name displayed in Software Center Tip To specify the organization name displayed in the Application Catalog and configure the website theme, use the Customization tab on the Application Catalog website properties. Install permissions Show notifications for new deployments
1490

b. Power Management group: c. Allow users to exclude their device from power management Users can change policy or notification settings in Software Center Allow users to define their primary devices Remote Tools group:

d. User and Device Affinity group:

Note For more information about the client settings, see About Client Settings in Configuration Manager. 6. Click OK to close the Default Client Settings dialog box. Client computers will be configured with these settings when they next download client policy. To initiate policy retrieval for a single client, see the Initiate Policy Retrieval for a Configuration Manager Client section in the How to Manage Clients in Configuration Manager topic.

Step 6: Verifying that the Application Catalog is operational

Use the following procedures to verify that the Application Catalog is operational. You can access the Application Catalog directly from a browser or from Software Center. Note The Application Catalog requires Microsoft Silverlight, which is automatically installed as a Configuration Manager client prerequisite. If you access the Application Catalog directly from a browser by using a computer that does not have the Configuration Manager client installed, first verify that Microsoft Silverlight is installed on the computer. Tip Missing prerequisites are among the most typical reasons for the Application Catalog to not operate correctly after installation. Confirm the site system role prerequisites for the Application Catalog site system roles. You can do this by using the Site System Requirements section of the Supported Configurations for Configuration Manager topic. To access the Application Catalog directly from a browser In a browser, type the address of the Application Catalog website and confirm that the web page displays with the three tabs: Application Catalog, My Application Requests, and My Devices. Select and use the appropriate address below for the Application Catalog, where <server> is the computer name, intranet FQDN, or Internet FQDN: HTTPS client connections and default site system role settings: https://<server>/CMApplicationCatalog HTTP client connections and default site system role settings:
1491

http://<server>/CMApplicationCatalog HTTPS client connections and custom site system role settings: https://<server>:<port>/<web application name> HTTP client connections and custom site system role settings: http://<server>:<port>/<web application name>

To access the Application Catalog from Software Center 1. On a client computer, click Start, click All Programs, click Microsoft System Center 2012, click Configuration Manager, and then click Software Center. 2. If you previously configured an organizational name for Software Center as a client setting, confirm that this displays as specified. 3. Click Find additional applications from the Application Catalog and confirm that the page displays with the three tabs: Application Catalog, My Application Requests, and My Devices. Warning After you have installed the Application Catalog site system roles, you will not immediately see the Application Catalog when you click the Find additional applications from the Application Catalog link from Software Center. The Application Catalog becomes available from Software Center after the client next downloads its client policy or up to 25 hours after the Application Catalog site system roles are installed.

See Also
Application Management in Configuration Manager

Operations and Maintenance for Application Management in Configuration Manager

Use the topics in this section for more information about operations and maintenance for application management in Microsoft System Center 2012 Configuration Manager.

In This Section
How to Create Applications in Configuration Manager How to Create Deployment Types in Configuration Manager How to Create and Deploy Applications for Mac Computers in Configuration Manager How to Deploy Applications in Configuration Manager How to Simulate an Application Deployment in Configuration Manager
1492

How to Manage Applications and Deployment Types in Configuration Manager How to Manage Application Revisions in Configuration Manager How to Use Application Supersedence in Configuration Manager How to Uninstall Applications in Configuration Manager How to Monitor Applications in Configuration Manager How to Manage User Device Affinity in Configuration Manager How to Create Global Conditions in Configuration Manager How to Create App-V Virtual Environments in Configuration Manager

See Also
Application Management in Configuration Manager

How to Create Applications in Configuration Manager

Use the following steps to create an application using Microsoft System Center 2012 Configuration Manager. For information about how to import an application, see How to import an application in this topic.

Steps to Create an Application

The following table provides the steps, details, and more information about how create an application.
Step Details More Information

Step 1: Start the Create Application Wizard.

The Create Application Wizard is used to configure general information about an application. There are two methods you can use to configure general information about the application: Automatically detect application information: With this method, Configuration Manager attempts to read information

See Step 1: Start the Create Application Wizard in this topic.

Step 2: Specify whether you want to automatically detect application information or manually define the information.

See To automatically detect application information and To manually define application information in this topic.

1493

Step

Details

More Information

about the application from the application installation files, and then it automatically populates fields in the wizard with discovered information. Use this method when you want to create an application with a single deployment type that uses the default settings. Manually define application information: With this method, information about the application is manually entered by the administrator. Use this method when you want to create a more complex application with multiple deployment types, detection methods, requirements. or dependencies. Also use this method when application information cannot be read from the installation files. No additional information.

Step 3: Review the actions to be taken and then complete the Wizard.

After you review the information on the Summary page of the Wizard, you can go back and make changes if necessary.

Supplemental Procedures to Create an Application

Use the following information when the steps in the preceding table require supplemental procedures.

Step 1: Start the Create Application Wizard

1. In the Configuration Manager console, click Software Library.

1494

2. In the Software Library workspace, expand Application Management, and then click Applications. 3. On the Home tab, in the Create group, click Create Application.

Step 2: Specify whether you want to automatically detect application information or manually define the information
Use one of the following procedures to automatically detect, or manually define application information. Use the procedure To automatically detect application information when you want to create a simple application with a single deployment type such as a Windows Installer file with no dependencies or requirements. After you have created an application using this procedure, you can edit it as needed in order to add or change deployment types and add detection methods, dependencies, or requirements. Use the procedure To manually define application information to create more complex applications with multiple deployment types, dependencies, detection methods, or requirements. To automatically detect application information 1. On the General page of the Create Application Wizard, select Automatically detect information about this application from installation files. Note If you want to define this application information manually, go to the procedure To manually define application information. 2. From the Type drop-down list, choose the application installation file type that you want to use to detect application information. You can choose from the following installation types:
Installation type More information

Windows Installer (Native) (Configuration Manager with no service pack) Windows Installer (*.msi file) (Configuration Manager SP1) For Configuration Manager SP1 only: Windows app package (.appx file)

Detects application information and deployment types from a Windows Installer (.msi) file.

Detects application information and deployment types from a Windows app package (.appx) file. Important Because Windows XP does not support the libraries required to
1495

create an application of this type, you cannot create a Windows app package application from a Configuration Manager console running on a Windows XP computer. For Configuration Manager SP1 only: Windows app package (in the Windows Store) Detects application information and deployment types by providing a link to the application on a computer where the application is already installed. Note To be able to connect to the Windows Store, users of client computers must have a valid account. Microsoft Application Virtualization (Configuration Manager with no service pack) Microsoft Application Virtualization 4 (Configuration Manager SP1) For Configuration Manager SP1 only: Microsoft Application Virtualization 5 Detects application information and deployment types from a Microsoft Application Virtualization 4 manifest (.xml) file.

Detects application information and deployment types from a Microsoft Application Virtualization 5 (.appv) package file. Detects application information and deployment types from a Windows Phone app package (.xap) file. Configures application and deployment type information by specifying a link to the app in the Windows Phone Store. Detects application information and deployment types from a Windows Mobile cabinet (.cab) file. Detects application information and deployment types from an app package for iOS (.ipa) file. Configures application and deployment
1496

For Configuration Manager SP1 only: Windows Phone app package (*.xap file) For Configuration Manager SP1 only: Windows Phone app package (in the Windows Phone Store) Windows Mobile Cabinet

For Configuration Manager SP1 only: App package for iOS (*.ipa file) For Configuration Manager SP1 only:

App package for iOS from App Store

type information by specifying a link to the app in the App Store. Detects application information and deployment types from an app package for Android (.apk) file. Configures application and deployment type information by specifying a link to the app on Google Play. Detects application information and deployment types from a Nokia Symbian installation (.sis or .sisx) file. Detects application information and deployment types from a Mac OS X Installer (.cmmac) file that was created by using the CMAppUtil tool.

For Configuration Manager SP1 only: App package for Android (*.apk file) For Configuration Manager SP1 only: App package for Android on Google Play Nokia SIS file

For Configuration Manager SP1 only: Mac OS X

3. In the Location field, specify the UNC path in the form \\<server>\<share>\<filename> or the App store link for the application installation file you want to use to detect application information. Alternatively, click Browse to browse to the installation file location. Important When you select Windows Installer (Native) (Configuration Manager with no service pack) or Windows Installer (*.msi file) (Configuration Manager SP1) as an application type, all of the files in the folder that you specify will be imported with the application and will be sent to distribution points. Ensure that only the files that are necessary to install the application are in the folder that you specify. Note You must have access to the UNC path containing the application and any subfolders containing application content. 4. Click Next. 5. On the Import Information page of the Create Application Wizard, review the information that was imported and then click Next. If needed, you can click Previous to go back and correct any errors. 6. On the General Information page of the Create Application Wizard, specify the following information: Note Some of this information might already be populated here if it was automatically obtained from the application installation files. . Provide general information about the application such as the application name, comments, version, and an optional reference to help you reference the application in
1497

the Configuration Manager console. Installation program: Specify the installation program and any required properties that are needed to install the applications deployment type. Note If the installation program is not shown, click Browse and browse to the installation program location. Install behavior: Specify whether the applications deployment type will be installed for the currently logged on user only or for all users. You can also specify that the deployment type will be installed for all users if it is deployed to a device or only to a specific user if it is deployed to a user.

7. Click Next, review the application information on the Summary page, and then complete the Create Application Wizard. 8. The new application is displayed in the Applications node of the Configuration Manager console. To manually define application information 1. On the General page of the Create Application Wizard, select Manually specify the application information, and then click Next. Note If you want to automatically retrieve the application information, go to the procedure To automatically detect application information. 2. On the General page of the Create Application Wizard, specify general information about the application such as the application name, comments, version, and an optional reference to help you reference the application in the Configuration Manager console. 3. Click Next. 4. On the Application Catalog page of the Create Application Wizard, specify the following information: Selected language From the drop-down list, select the language version of the application that you want to configure. Click Add/Remove to configure more languages for this application. Localized application name Specify the application name in the language that was selected in the Selected language drop-down list. Important You must specify a localized application name for each language version that you configure. User categories Click Edit to specify application categories in the language that was selected in the Selected Language drop-down list. Users of the Application Catalog can use these selected categories to help filter and sort the available applications. User documentation Click Browse to select a file that users of the Application
1498

Catalog can read to find out more information about this application. Localized description Enter a description for this application in the language that was selected in the Selected Language drop-down list. Keywords Enter a list of keywords in the language that was selected in the Selected Language drop-down list. These keywords will help users of the Application Catalog search for the application. Icon Click Browse to select an icon for this application from the available icons. If you do not specify an icon, a default icon will be used for this application.

5. Click Next. 6. On the Deployment Types page of the Create Application Wizard, click Add to create a new deployment type. Note For information on how to create a deployment type, see How to Create Deployment Types in Configuration Manager. 7. Click Next, review the application information on the Summary page, and then complete the Create Application Wizard. 8. The new application is displayed in the Applications node of the Configuration Manager console.

How to import an application

Use the following steps to import an application into Configuration Manager. For information about how to export an application, see How to Manage Applications and Deployment Types in Configuration Manager. To import an application 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Application Management, and then click Applications. 3. In the Home tab, in the Create group, click Import Application. 4. On the General page of the Import Application Wizard, click Browse and then specify a UNC path to the compressed file (.zip file) that contains the application to import. Alternatively, click Browse and browse to the file location. 5. On the File Content page of the wizard, select the action that will be taken if the application you are trying to import is a duplicate of an existing application. You can specify to create a new application or to ignore the duplicate and add a new revision to the existing application. 6. On the Summary page of the Wizard, review the actions to be taken, and then complete the wizard. The new application will be shown in the Applications node. Tip The Windows PowerShell cmdlet, Import-CMApplication, performs the same
1499

function as this procedure. For more information, see http://go.microsoft.com/fwlink/p/?LinkID=271396 in the Microsoft System Center 2012 Configuration Manager SP1 Cmdlet Reference documentation.

See Also
Operations and Maintenance for Application Management in Configuration Manager

How to Create Deployment Types in Configuration Manager

Use the following steps to create a deployment type by using Microsoft System Center 2012 Configuration Manager.

Steps to Create a Deployment Type

Use the following table for the steps, details, and more information about how to create a deployment type. Note If you select Automatically identify information about this deployment type from installation files on the General page of the Create Deployment Type Wizard, then you do not need to complete some of the steps in the following procedures.
Step Details More information

Step 1: Start the Create Deployment Type Wizard.

See Step 1: Start the Create Deployment Type Wizard in this topic. There are two methods that you can use to configure general information about the deployment type: Automatically detect the deployment type information Configuration Manager attempts to read information about the deployment type from the application installation files, and then automatically populates fields in the See Step 2: Specify whether you want to Automatically Detect Deployment Type Information or Manually Define the Information in this topic.

Step 2: Specify whether you want to automatically detect or to manually define the deployment type information.

1500

Step

Details

More information

wizard with discovered information. Manually configure the deployment type information The information about the deployment type is manually entered by the administrator. See Step 3: Specify Content Options for the Deployment Type in this topic.

Step 3: Specify the content options for the deployment type.

The Content page of the Create Deployment Type Wizard contains options to configure the location of the deployment type content and information about the commands that are used to install and uninstall the content. A detection method in Configuration Manager contains rules that are used to check whether an application is already installed on a device. This detection occurs before the application is installed, immediately after the application is installed, and at regular intervals afterwards. This can prevent Configuration Manager from needlessly reinstalling the application and can also detect if the application is already uninstalled by the user. Specify information about the behavior of the deployment type when it is installed on devices. Requirements are used to specify the conditions that must be met before a deployment

Step 4: Configure the detection methods to indicate the presence of the application.

See Step 4: Configure Detection Methods to Indicate the Presence of the Application in this topic.

Step 5: Specify the user experience options for the deployment type.

See Step 5: Specify User Experience Options for the Deployment Type in this topic.

Step 6: Specify the requirements for the deployment type.

See Step 6: Specify Requirements for the Deployment Type in this topic.
1501

Step

Details

More information

type can be installed on a client device. Step 7: Specify the dependencies for the deployment type. Dependencies define one or more deployment types from other applications that must be installed before a deployment type is installed. You can configure the dependent deployment types to install automatically before you install a deployment type. After you perform all the steps, confirm the settings that you selected for the deployment type, and complete the wizard. After you create a deployment type you can configure additional options that control the content and publishing options for the deployment types that contain virtual applications. See Step 7: Specify Dependencies for the Deployment Type in this topic.

Step 8: Confirm the deployment type settings and complete the wizard.

See Step 8: Confirm the Deployment Type Settings and Complete the Wizard in this topic. See Step 9: Configure Additional Options for Deployment Types that contain Virtual Applications in this topic.

Step 9: Configure additional options for the deployment types that contain virtual applications.

Supplemental Procedures to Create a Deployment Type

Use the following information when the steps in the preceding table require supplemental procedures. Important Depending on the type of deployment type you are creating, not all of the options in the wizard will be available.

Step 1: Start the Create Deployment Type Wizard

1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Application Management, and then click
1502

Applications. 3. Select an application and then, on the Home tab, in the Application group, click Create Deployment Type to create a new deployment type for this application. Note You can also start the Create Deployment Type Wizard from the Create Application Wizard and from the Deployment Types tab of the <application name> Properties dialog box.

Step 2: Specify whether you want to Automatically Detect Deployment Type Information or Manually Define the Information
Use one of the following procedures to automatically detect, or to manually define deployment type information. To automatically detect the deployment type information 1. On the General page of the Create Deployment Type Wizard, select Automatically identify information about this deployment type from installation files . Note If you want to define this application information manually, go to the procedure To manually define the deployment type information. 2. In the Type field, choose the application installation file type that you want to use to detect the deployment type information. You can choose from the following installation types.
Installation type More information

Windows Installer (Native) (Configuration Manager with no service pack) Windows Installer (*.msi file) (Configuration Manager SP1) For Configuration Manager SP1 only: Windows app package (.appx file)

Detects application information and deployment types from a Windows Installer (.msi) file.

Detects application information and deployment types from a Windows app package (.appx) file. Important Because Windows XP does not support the libraries required to create an application of this type, you cannot create a Windows app package
1503

application from a Configuration Manager console running on a Windows XP computer.

For Configuration Manager SP1 only: Windows app package (in the Windows Store)

Detects application information and deployment types by providing a link to the application on a computer where the application is already installed. Note To be able to connect to the Windows Store, users of client computers must have a valid account.

Script Installer (Native) (Configuration Manager with no service pack) Script Installer (Configuration Manager SP1) Microsoft Application Virtualization (Configuration Manager with no service pack) Microsoft Application Virtualization 4 (Configuration Manager SP1) For Configuration Manager SP1 only: Microsoft Application Virtualization 5

Specifies a script that runs on client devices to install content or to perform an action.

Detects application information and deployment types from a Microsoft Application Virtualization 4 manifest (.xml) file.

Detects application information and deployment types from a Microsoft Application Virtualization 5 (.appv) package file.

For Configuration Manager SP1 only: Windows Phone app package (*.xap file) For Configuration Manager SP1 only: Windows Phone app package (in the Windows Phone Store) Windows Mobile Cabinet

Detects application information and deployment types from a Windows Phone app package (.xap) file. Configures application and deployment type information by specifying a link to the app in the Windows Phone Store. Detects application information and deployment types from a Windows Mobile cabinet (.cab) file.

1504

For Configuration Manager SP1 only: App package for iOS (*.ipa file) For Configuration Manager SP1 only: App package for iOS from App Store For Configuration Manager SP1 only: App package for Android (*.apk file) For Configuration Manager SP1 only: App package for Android on Google Play Nokia SIS file

Detects application information and deployment types from an app package for iOS (.ipa) file. Configures application and deployment type information by specifying a link to the app in the App Store. Detects application information and deployment types from an app package for Android (.apk) file. Configures application and deployment type information by specifying a link to the app on Google Play. Detects application information and deployment types from a Nokia Symbian installation (.sis or .sisx) file. Detects application information and deployment types from a Mac OS X Installer (.cmmac) file that was created by using the CMAppUtil tool.

For Configuration Manager SP1 only: Mac OS X

3. In the Location field, specify the UNC path in the form \\<server>\<share>\<filename> or the App store link to the application installation files and the content that you want to use to detect the deployment type information, or click Browse to browse to the installation file location. Note You must have access to the UNC path that contains the application and any subfolders that contain the application content. 4. Click Next. 5. On the Import Information page of the Create Deployment Type Wizard, review the information that was imported, and then click Next. You can also click Previous to go back and correct any errors. 6. On the General Information page of the Create Deployment Type Wizard, specify the following information: Note Some of the deployment type information might already be present if it was read from the application installation files. Specify general information about the deployment type, such as the name, administrator comments, and available languages. Installation program Specify the installation program and any required properties
1505

that are needed to install the deployment type. Install behavior Specify whether the deployment type will be installed for the currently logged-on user or for all users. You can also specify that the deployment type will be installed for all users if it is deployed to a device, or that the deployment type will be installed to a user only if it is deployed to a user.

7. Click Next, and then continue to the procedure in Step 6: Specify Requirements for the Deployment Type. To manually define the deployment type information 1. On the General page of the Create Deployment Type Wizard, select Manually specify the deployment type information. Note If you want to automatically retrieve the deployment type information, go to the procedure To automatically detect the deployment type information. 2. In the Type field, choose the application installation file type that you want to use to detect the deployment type information. You can choose the same installation types that you would use when you automatically detect the deployment type information, and you can additionally specify a script to install the deployment type. 3. Click Next. 4. On the General Information page of the Create Deployment Type Wizard, specify a name for the deployment type, an optional description, the languages in which you want to make this deployment type available, and then click Next. 5. Continue to Step 3: Specify Content Options for the Deployment Type.

Step 3: Specify Content Options for the Deployment Type

1. On the Content page of the Create Deployment Type Wizard, specify the following information: Content location Specify the location of the content for this deployment type, or click Browse to choose the deployment type content folder. Important The System account of the site server computer must have permissions to the content location that you specify. Persist content in the client cache - Specifies whether the content should be retained in the cache on the client computer indefinitely even if it has already been run. Although this option can be useful with some deployments, such as Windows Installer-based software that requires a local source copy to be available for applying updates, it will reduce the available cache space. If you specify this option, it might cause a large deployment to fail at a later point if the cache does not have sufficient
1506

available space. Allow clients to share content with other clients on the same subnet Select this option to reduce load on the network by allowing clients to download content from other local clients on the network that have already downloaded and cached the content. This option utilizes Windows BranchCache and it can be used on computers that run Windows Vista SP2 and later. Installation program Specify the name of the installation program and any required installation parameters, or click Browse to browse to the installation file location. Installation start in - Specifies the folder that contains the installation program for the deployment type. This folder can be an absolute path on the client, or a path to the distribution point folder that contains the installation files. This field is optional. Uninstall program - Specify the name of the uninstall program and any required parameters, or click Browse to browse to the uninstall file location. This field is optional. Uninstall start in - Specifies the folder that contains the uninstall program for the deployment type. This folder can be an absolute path on the client, or a path that is relative to the distribution point folder that contains the package. This field is optional.

2. Click Next.

Step 4: Configure Detection Methods to Indicate the Presence of the Application

1. On the Detection Method page of the Create Deployment Type Wizard, select Configure rules to detect the presence of this deployment type and then click Add Clause. Note You can also select Use a custom script to detect the presence of this deployment type. For more information, see the To use a custom script to determine the presence of a deployment type section in this topic. 2. In the Setting type drop-down list of the Detection Rule dialog box, choose the method that you want to use to detect the presence of the deployment type. You can choose from the following available methods: File System This method allows you to detect whether a specified file or folder exists on a client device, thus indicating that the application is installed. Note The File system setting type does not support specifying a UNC path to a network share in the Path field. You can only specify a local path on the client device.

1507

Note Select the option This file or folder is associated with a 32-bit application on 64-bit systems to check 32-bit file locations for the specified file or folder first. If the file or folder is not found, then 64-bit locations will be searched. Registry This method allows you to detect whether a specified registry key or registry value exists on a client device, thus indicating that the application is installed. Note Select the option This registry key is associated with a 32-bit application on 64-bit systems to check 32-bit registry locations for the specified registry key first. If the registry key is not found, then 64-bit locations will be searched. Windows Installer This method allows you to detect whether a specified Windows Installer file exists on a client device, thus indicating that the application is installed.

3. Specify details about the item that you want to use to detect whether this deployment type is installed. For example, you can use a file, folder, registry key or value, or a Windows Installer product code. 4. Specify details about the value that you want to assess against the item that you use to detect whether the deployment type is installed. For example, if you use a file to determine whether the deployment type is installed, you can select The file system setting must exist on the target system to indicate presence of this application. 5. Click Next to close the Detection Rule dialog box. To use a custom script to determine the presence of a deployment type 1. On the Detection Method page of the Create Deployment Type Wizard, select Use a custom script to detect the presence of this deployment type, and then click Edit. 2. In the Script Editor dialog box, select the script language that you want to use to detect the deployment type from the Script type drop down list. 3. Enter the script that you want to use in the Script contents field. You can also paste the contents of an existing script in this field, or click Open to browse to an existing saved script. Configuration Manager determines the results from the script by reading the values that are written to STDOUT, STDERR, and the exit code from the script. If the exit code is a non-zero value, then the script has failed and the application detection status is unknown. If the exit code is zero and STDOUT contains data, then the application detection state is installed. Use the following table to determine how you can use the output from a script to determine if an application is installed:
Script exit code Data read from STDOUT Data read from STDERR Script result Application detection state

Empty

Empty

Success

Not installed
1508

0 0 0 Non-zero value Non-zero value Non-zero value Non-zero value

Empty Not empty Not empty Empty

Not empty Empty Not empty Empty

Failure Success Success Failure

Unknown Installed Installed Unknown

Empty

Not empty

Failure

Unknown

Not empty

Empty

Failure

Unknown

Not empty

Not empty

Failure

Unknown

The following table contains Visual Basic (VB) script sample code that you can use to write your own application detection scripts:
VB script sample Description

WScript.Quit(1)

The script returns an exit code that is not zero, which indicates that it failed to run successfully. In this case, the application detection state is unknown. The script returns an exit code of zero, but the value of STDERR is not empty, which indicates that the script failed to run successfully. In this case, the application detection state is unknown. The script returns an exit code of zero, which indicates that it ran successfully. However, the value for STDOUT is empty, which indicates that the application is not installed. The script returns an exit code of zero, which indicates that it ran successfully; and the value for STDOUT is not empty which, indicates that the application is installed. The script returns an exit code of zero, which indicates that it ran successfully;
1509

WScript.StdErr.Write "Script failed" WScript.Quit(0)

WScript.Quit(0)

WScript.StdOut.Write "The application is installed" WScript.Quit(0)

WScript.StdOut.Write "The application is installed"

WScript.StdErr.Write "Completed" WScript.Quit(0)

and the values for STDOUT and STDERR are not empty, which indicates that the application is installed.

Note The maximum size that you can use for a script is 32 KB. 4. Click OK to close the Script Editor dialog box. 5. Click Next.

Step 5: Specify User Experience Options for the Deployment Type

To specify user experience options for the deployment type 1. On the User Experience page of the Create Deployment Type Wizard, specify the following information: Installation behavior From the drop-down list, select one of the following options: Install for user The application installs only for the user to whom the application is deployed. Install for System The application installs only once and it is available to all users. Install for System if resource is device; otherwise install as user If the application is deployed to a device, then it will install for all users. If the application is deployed to a user then it will install for only that user.

Logon requirement - Specify the logon requirements for this deployment type from the following options: Only when a user is logged on Whether or not a user is logged on Only when no user is logged on Note This option will default to Only when a user is logged on, and it cannot be changed if you selected Install for user in the Installation behavior dropdown list.

Installation program visibility Specifies the mode in which the deployment type will run on client devices. The following options are available: Maximized The deployment type runs maximized on client devices. Users will see all installation activity. Normal - The deployment type runs in the normal mode based on system and program defaults. This is the default mode.
1510

Minimized The deployment type runs minimized on client devices. Users might see the installation activity in the notification area or taskbar. Hidden The deployment type runs hidden on client devices and users will see no installation activity.

Allow users to interact with this program Specifies whether a user can interact with the deployment type installation to configure the installation options. Note This option is enabled by default if you selected the Install for user option in the Installation behavior drop-down list.

Maximum allowed run time (minutes) - Specifies the maximum time that the program is expected to run on the client computer. This setting can be specified as a whole number greater than zero. The default setting is 120 minutes. This value is used for two purposes: To monitor the results from the deployment type. To determine if a deployment type will be installed when maintenance windows are defined on client devices.

Maintenance Windows When a maintenance window is in place, a program will be launched only if there is enough available time in the maintenance window to accommodate the Maximum Allowed Run Time setting.
Important A conflict might occur if the Maximum allowed run time is longer than the scheduled maintenance window. If the maximum run time is set by the user to a period that exceeds the length of any available maintenance window, that deployment type will not be run. 2. Estimated installation time (minutes) Specify the estimated time that the deployment type will take to install. This is displayed to users of the Application Catalog. 3. Click Next.

Step 6: Specify Requirements for the Deployment Type

1. On the Requirements page of the Create Deployment Type Wizard, click Add to open the Create Requirement dialog box, and add a new requirement. Note You can also add new requirements on the Requirements tab of the
1511

<deployment type name> Properties dialog box. 2. From the Category drop-down list, select whether this requirement is for a device or a user, or select Custom to use a previously created global condition. When you select Custom, you can also click Create to create a new global condition. For more information about global conditions, see How to Create Global Conditions in Configuration Manager. Important If you create a requirement of the category User and the condition Primary Device, and then deploy the application to a device collection, the requirement will evaluate as false. 3. From the Condition drop-down list, select the condition that you want to use to assess whether the user or device meets the installation requirements. The contents of this list will vary depending on the selected category. 4. From the Operator drop-down list, choose the operator that will be used to compare the selected condition to the specified value to assess whether the user or device meets in the installation requirement. The available operators will vary depending on the selected condition. Important The available requirements will differ depending on the device type the deployment type is for. 5. In the Value field, specify the values that will be used with the selected condition and operator whether the user or device meets in the installation requirement. The available values will vary depending on the selected condition and the selected operator. 6. Click OK to save the requirement rule and exit the Create Requirement dialog box. 7. On the Requirements page of the Create Deployment Type Wizard, click Next.

Step 7: Specify Dependencies for the Deployment Type

Dependencies define one or more deployment types from another application that must be installed before a deployment type is installed. You can configure the dependent deployment types to install automatically before a deployment type is installed. Use this procedure to configure dependencies in Configuration Manager. To specify deployment type dependencies 1. On the Dependencies page of the Create Deployment Type Wizard, click Add if you want to specify the deployment types that must be installed before this deployment type can be installed. Note You can also add new dependencies on the Dependencies tab of the <deployment type name> Properties dialog box. 2. In the Add Dependency dialog box, click Add.
1512

3. In the Specify Required Application dialog box, select an existing application and one of the application deployment types to use as a dependency. Note You can click View to display the properties of the selected application or deployment type. 4. Click OK to close the Specify Required Application dialog box. 5. If you want a dependent application to automatically install, check Auto Install next to the dependent application. Note A dependent application does not need to be deployed to be automatically installed. 6. In the Dependency group name field of the Add Dependency dialog box, enter a name to refer to this group of application dependencies. 7. Optionally, use the Increase Priority and Decrease Priority buttons to change the order in which each dependency is evaluated. 8. Click OK to close the Add Dependency dialog box. 9. Click Next.

Step 8: Confirm the Deployment Type Settings and Complete the Wizard
Use the following procedure to complete the Create Deployment Type Wizard.

1. On the Summary page of the Create Deployment Type Wizard, review the actions that will be taken by the wizard. Click Next to create the deployment type, or click Previous to go back and change the deployment type settings. 2. After the Progress page of the wizard completes, review the actions that were taken, and then click Close to complete the Create Deployment Type Wizard. 3. If you started this wizard from the Create Application Wizard, you will be returned to the Deployment Types page of the wizard. For more information, see How to Create Applications in Configuration Manager.

Step 9: Configure Additional Options for Deployment Types that contain Virtual Applications
Use the following procedures to configure additional options for deployment types that contain virtual applications. To configure content options for Application Virtualization (App-V) deployment types

1513

1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, click Applications. 3. In the Applications list, select an application that contains an App-V deployment type and then, in the Home tab, in the Properties group, click Properties. 4. On the Deployment Types tab of the <Application Name> Properties dialog box, select an App-V deployment type and then click Edit. 5. In the Content tab of the <Deployment Type Name> Properties dialog box, configure the following options if required: Persist content in the client cache Select this option to ensure that the content for this deployment type is not deleted from the Configuration Manager client cache. Load content into App-V cache before launch Select this option to ensure that all content for the virtual application is loaded into the App-V cache before the application is launched. Selection of this option also ensures that the application content is not pinned in the cache and can be deleted as required.

6. Click OK to close the <Deployment Type Name> Properties dialog box. 7. Click OK to close the <Application Name> Properties dialog box. To configure publishing options for App-V deployment types 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, click Applications. 3. In the Applications list, select an application that contains an App-V deployment type and then, in the Home tab, in the Properties group, click Properties. 4. On the Deployment Types tab of the <Application Name> Properties dialog box, select an App-V deployment type and then click Edit. 5. On the Publishing tab of the <Deployment Type Name> Properties dialog box, select the items in the virtual application that you want to publish. 6. Click OK to close the <Deployment Type Name> Properties dialog box. 7. Click OK to close the <Application Name> Properties dialog box.

See Also
Operations and Maintenance for Application Management in Configuration Manager

How to Create and Deploy Applications for Mac Computers in Configuration Manager
Note The information in this topic applies only to System Center 2012 Configuration Manager SP1.
1514

You can use Microsoft System Center 2012 Configuration Manager to deploy applications to Mac computers. The steps to deploy software to Mac computers are similar to those that are used to deploy software to Windows computers. However, before you create and deploy applications for Mac computers that are managed by Configuration Manager, consider the following: Before you can deploy Mac application packages to Mac computers, you must use the CMAppUtil tool on a Mac computer to convert these applications into a format that can be read by Configuration Manager. Configuration Manager does not support the deployment of Mac applications to users; these deployments must be to a device. Similarly, for Mac application deployments, Configuration Manager does not support the Pre-deploy software to the users primary device option on the Deployment Settings page of the Deploy Software Wizard. Mac applications support simulated deployments. You cannot deploy applications to Mac computers that have a purpose of Available. The option to send wake-up packets when you deploy software is not supported for Mac computers. Mac computers do not support Background Intelligent Transfer Service (BITS) to download application content. If an application download fails, it will be restarted from the beginning. Configuration Manager does not support global conditions when you create deployment types for Mac computers.

Use the following steps to create and deploy applications for Mac computers.

Steps to Create and Deploy an Application

The following table provides the steps, details, and more information for creating and deploying applications for Mac computers.
Step Details More information

Step 1: Prepare Mac applications for Configuration Manager.

Before you can create See Step 1: Prepare Mac Configuration Manager Applications for Configuration applications from Mac software Manager in this topic. packages, you must use the CMAppUtil tool on a Mac computer to convert the Mac software into a Configuration Manager .cmmac file. Use the Create Application See Step 2: Create a Wizard to create an application Configuration Manager for the Mac software. application that contains the Mac software in this topic. This step is required only if you See Step 3: Create a did not automatically import Deployment Type for the Mac
1515

Step 2: Create a Configuration Manager application that contains the Mac software

Step 3: Create a deployment type for the Mac application

Step

Details

More information

this information from the application. Step 4: Deploy the Mac application Use the Deploy Software Wizard to deploy the application to Mac computers. Monitor the success of application deployments to Mac computers.

Application in this topic.

See Step 4: Deploy the Mac Application in this topic.

Step 5: Monitor the deployment of the Mac application

See Step 5: Monitor the Deployment of the Mac Application in this topic.

Supplemental Procedures to Create and Deploy Applications for Mac Computers

Use the following procedures to create and deploy applications for Mac computers that are managed by Configuration Manager.

Step 1: Prepare Mac Applications for Configuration Manager

The required process to create and deploy Configuration Manager applications to Mac computers is similar to the deployment process for Windows computers. However, before you create Configuration Manager applications that contain Mac deployment types, you must prepare the applications by using the CMAppUtil tool. This tool is downloaded with the Mac client installation files. The CMAppUtil tool can gather information about the application, which includes detection data from the following Mac packages: Apple Disk Image (.dmg) Meta Package File (.mpkg) Mac OS X Installer Package (.pkg) Mac OS X Application (.app)

After it gathers application information, the CMAppUtil then creates a file with the extension .cmmac. This file contains the installation files for the Mac software and information about detection methods that can be used to evaluate whether the application is already installed. CMAppUtil can also process .dmg files that contain multiple Mac applications and create different deployment types for each application. To prepare Mac software to be deployed by Configuration Manager 1. Copy the Mac software installation package to the folder on the Mac computer where you extracted the contents of the macclient.dmg file that you downloaded from the Microsoft Download Center. 2. On the same Mac computer, open a terminal window and navigate to the folder where
1516

you extracted the contents of the macclient.dmg file. 3. Navigate to the Tools folder and enter the following command-line: ./CMAppUtil <properties> For example, if you want to convert the contents of an Apple disk image file named MySoftware.dmg stored in the users desktop folder into a cmmac file in the same folder and you want to create cmmac files for all applications that are found in the disk image file. To do this, use the following command line: ./CMApputil c /Users/<User Name>/Desktop/MySoftware.dmg -o /Users/<User Name>/Desktop -a Note The application name must be no more than 128 characters in length. To configure options for CMAppUtil, use the command-line properties in the following table:
Property More information

-h

Displays the available command-line properties. Outputs the detection.xml of the provided .cmmac file to stdout. The output contains the detection parameters and the version of CMAppUtil that was used to create the .cmmac file. Specify the source file to be converted. This property must be used in conjunction with the c property to specify the output path. Use this property in conjunction with the c property and the disk image (.dmg) file to automatically create .cmmac files for all applications and packages that are found in the disk image file. Skips generating the detection.xml if no detection parameters are found and forces the creation of the .cmmac file without the detection.xml file. Displays more detailed output from the CMAppUtil tool together with diagnostic information.
1517

-r

-c -o

-a

-s

-v

4. Ensure that the .cmmac file has been created in the output folder that you specified.

Step 2: Create a Configuration Manager application that contains the Mac software
Use the following procedure to help you create an application for Mac computers that are managed by Configuration Manager. To create an application for a Mac computer 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Application Management, and then click Applications. 3. On the Home tab, in the Create group, click Create Application. 4. On the General page of the Create Application Wizard, select Automatically detect information about this application from installation files. Note Select Manually specify the application information if you want to specify information about the application yourself. For more information about how to manually specify the information, see the To manually define application information section in the How to Create Applications in Configuration Manager topic. 5. In the Type drop-down list, select Mac OS X. 6. In the Location field, specify the UNC path in the form \\<server>\<share>\<filename> to the Mac application installation file (.cmmac file) that will detect application information. Alternatively, click Browse to browse and specify the installation file location. Note You must have access to the UNC path that contains the application. 7. Click Next. 8. On the Import Information page of the Create Application Wizard, review the information that was imported. If necessary, you can click Previous to go back and correct any errors. Click Next to proceed. 9. On the General Information page of the Create Application Wizard, specify information about the application such as the application name, comments, version, and an optional reference to help you reference the application in the Configuration Manager console. Note Some of the application information might already be present on this page if it was previously obtained from the application installation files. 10. Click Next, review the application information on the Summary page, and then complete the Create Application Wizard.
1518

11. The new application is displayed in the Applications node of the Configuration Manager console.

Step 3: Create a Deployment Type for the Mac Application

Use the following procedure to help you create a deployment type for Mac computers that are managed by Configuration Manager. Note If you automatically imported information about the application in the Create Application Wizard, a deployment type for the application might already have been created. To create a deployment type for a Mac computer 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Application Management, and then click Applications. 3. Select an application and then, on the Home tab, in the Application group, click Create Deployment Type to create a new deployment type for this application. Note You can also start the Create Deployment Type Wizard from the Create Application Wizard and from the Deployment Types tab of the <application name> Properties dialog box. 4. On the General page of the Create Deployment Type Wizard, in the Type drop-down list, select Mac OS X. 5. In the Location field, specify the UNC path in the form \\<server>\<share>\<filename> to the application installation file (.cmmac file). Alternatively, click Browse to browse and specify the installation file location. Note You must have access to the UNC path that contains the application. 6. Click Next. 7. On the Import Information page of the Create Deployment Type Wizard, review the information that was imported. If necessary, click Previous to go back and correct any errors. Click Next to continue. 8. On the General Information page of the Create Deployment Type Wizard, specify information about the application such as the application name, comments, and the languages in which the deployment type is available. Note Some of the deployment type information might already be present on this page if it was previously obtained from the application installation files. 9. Click Next. 10. On the Requirements page of the Create Deployment Type Wizard, you can specify the
1519

conditions that must be met before the deployment type can be installed on Mac computers. 11. Click Add to open the Create Requirement dialog box and add a new requirement. Note You can also add new requirements on the Requirements tab of the <deployment type name> Properties dialog box. 12. From the Category drop-down list, select that this requirement is for a device. 13. From the Condition drop-down list, select the condition that you want to use to assess whether the or Mac computer meets the installation requirements. The contents of this list will vary depending on the selected category. 14. From the Operator drop-down list, choose the operator that will be used to compare the selected condition to the specified value to assess whether the user or device meets in the installation requirement. The available operators will vary depending on the selected condition. 15. In the Value field, specify the values that will be used with the selected condition and operator whether the user or device meets in the installation requirement. The available values will vary depending on the selected condition and the selected operator. 16. Click OK to save the requirement rule and exit the Create Requirement dialog box. 17. On the Requirements page of the Create Deployment Type Wizard, click Next. 18. On the Summary page of the Create Deployment Type Wizard, review the actions for the wizard to take. If necessary, click Previous to go back and change deployment type settings. Click Next to create the deployment type. 19. After the Progress page of the Wizard completes, review the actions that have been taken, and then click Close to complete the Create Deployment Type Wizard. 20. If you started this wizard from the Create Application Wizard, you will return to the Deployment Types page of the wizard.

Step 4: Deploy the Mac Application

The steps to deploy an application to Mac computers are the same as those used to deploy an application to Windows computers, except for the following differences: The deployment of applications to users is not supported. Deployments that have a purpose of Available are not supported. The Pre-deploy software to the users primary device option on the Deployment Settings page of the Deploy Software Wizard is not supported. Because Mac computers do not support Software Center, the setting User notifications on the User Experience page of the Deploy Software Wizard is ignored. The option to send wake-up packets when you deploy software is not supported for Mac computers. Note

1520

You can build a collection containing only Mac computers. To do so, create a collection that uses a query rule and use the example WQL query in the Example WQL Queries section of the topic How to Create Queries in Configuration Manager. For more information, see How to Deploy Applications in Configuration Manager.

Step 5: Monitor the Deployment of the Mac Application

You can use the same process to monitor application deployments to Mac computers as you would use for application deployments to Windows computers. For more information, see How to Monitor Applications in Configuration Manager.

See Also
Operations and Maintenance for Application Management in Configuration Manager

How to Deploy Applications in Configuration Manager

Before you can deploy an application in Microsoft System Center 2012 Configuration Manager, you must create at least one deployment type for the application. For more information about creating applications and deployment types, see How to Create Applications in Configuration Manager and How to Create Deployment Types in Configuration Manager. Important You can deploy (install/uninstall) required applications, but not packages or software updates. Available applications, which users request from the Application Catalog, are not supported for mobile devices. Mobile devices also do not support simulated deployments. Additionally, mobile devices do not support user experience and scheduling settings in the Deploy Software Wizard. To deploy an application 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Application Management, and then click Applications. 3. In the Applications list, select the application that you want to deploy. Then, in the Home tab, in the Deployment group, click Deploy. 4. On the General page of the Deploy Software Wizard, specify the following information: Software This displays the application to deploy. You can click Browse to select a different application to deploy.
1521

Collection Click Browse to select the collection to deploy the application to. Use default distribution point groups associated to this collection Select this option if you want to store the application content on the collection's default distribution point group. If you have not associated the selected collection with a distribution point group, this option is not available. Automatically distribute content for dependencies If this is enabled and any of the deployment types in the application contain dependencies, then the dependent application content will be also sent to distribution points. Important If you update the dependent application after the primary application has been deployed, any new content for the dependency will not be automatically distributed.

Comments (optional) Optionally, enter a description of this deployment.

5. Click Next. 6. On the Content page of the Wizard, click Add to add the content that is associated with this deployment to distribution points or distribution point groups. If you have selected Use default distribution points associated to this collection on the General page of the Wizard, then this option will be automatically populated and can only be modified by a member of the Application Administrator security role. 7. Click Next. 8. On the Deployment Settings page of the Deploy Software Wizard, specify the following information: Action From the drop-down list, choose whether this deployment is intended to Install or Uninstall the application. Note If an application is deployed twice to a device, once with an action of Install and once with an action of Uninstall, the application deployment with an action of Install will take priority. Note You cannot change the action of a deployment after it has been created. Purpose From the drop-down list, choose one of the following options: Available - If the application is deployed to a user, the user sees the published application in the Application Catalog and can request it on demand. If the application is deployed to a device, the user will see it in the Software Center and can install it on demand. Required - The application is deployed automatically according to the configured schedule. However, a user can track the application deployment status if it is not hidden, and can install the application before the deadline by using the Software Center. Note
1522

When the deployment action is set to Uninstall, the deployment purpose is automatically set to Required and cannot be changed. Deploy automatically according to schedule whether or not a user is logged on If the deployment is to a user, select this option to deploy the application to the users primary devices. This setting does not require the user to log on before the deployment runs. Do not select this option if the user must provide input to complete the installation. This option is only available when the deployment has a purpose of Required. Note In System Center 2012 Configuration Manager SP1, this option is named Pre-deploy software to the users primary device. Send wake-up packets If the deployment purpose is set to Required and this option is selected, a wake-up packet is sent to computers before the deployment is installed to wake the computer from sleep at the installation deadline time. Before you can use this option, computers and networks must be configured for Wake On LAN. For Configuration Manager SP1 only: Allow clients on a metered Internet connection to download content after the installation deadline, which might occur additional costs This option is only available for deployments with a purpose of Required. Require administrator approval if users request this application If this option is selected, the administrator must approve any user requests for the application before it can be installed. This option is unavailable when the deployment purpose is Required or when the application is deployed to a device collection. Note Application approval requests are displayed in the Approval Requests node, under Application Management in the Software Library workspace. If an approval request is not approved within 45 days, it will be removed. Additionally, reinstalling the Configuration Manager client might cancel any pending approval requests. Automatically upgrade any superseded version of this application If this option is selected, any superseded versions of the application will be upgraded with the superseding application.

9. Click Next. 10. On the Scheduling page of the Deploy Software Wizard, configure when this application will be deployed or made available to client devices. Note The options on this page will differ depending on whether the deployment action is set to Available or Required. 11. If the application you are deploying supersedes another application, you can configure the installation deadline when users will receive the new application. Do this by using the
1523

setting Installation Deadline to upgrade users with superseded application . 12. Click Next. 13. On the User Experience page of the Deploy Software Wizard, specify information about how users can interact with the application installation. For Configuration Manager SP1 only: When you deploy applications to Windows Embedded devices that are write-filter enabled, you can specify to install the application on the temporary overlay and commit changes later, or to commit the changes at the installation deadline or during a maintenance window. When you commit changes at the installation deadline or during a maintenance window, a restart is required and the changes persist on the device. Note When you deploy an application to a Windows Embedded device, make sure that the device is a member of a collection that has a configured maintenance window. For more information about how maintenance windows are used when you deploy applications to Windows Embedded devices, see the Deploying Applications in Configuration Manager section in the Introduction to Application Management in Configuration Manager topic. Note The options Software Installation and System restart (if required to complete the installation) are not used if the deployment purpose is set to Available. You can also configure the level of notification a user sees when the application is installed. 14. Click Next. 15. On the Alerts page of the Deploy Software Wizard, configure how Configuration Manager and System Center Operations Manager will generate alerts for this deployment. You can configure thresholds for reporting alerts and turn off reporting for the duration of the deployment. 16. Click Next. 17. On the Summary page of the Deploy Software Wizard, review the actions that will be taken by this deployment, and then click Next to complete the Wizard. 18. The new deployment will be displayed in the Deployments list in the Deployments node of the Monitoring workspace. You can edit the properties of this deployment or delete the deployment from the Deployments tab of the application detail pane. To delete an application deployment 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Application Management, and then click Applications. 3. In the Applications list, select the application that for which to delete the deployment. 4. In the Deployments tab of the <application name> list, select the application deployment
1524

to delete. Then, in the Deployment tab, in the Deployment group, click Delete. When you delete an application deployment, any instances of the application that have already been installed are not removed. To remove these applications, you must deploy the application to computers with the action Uninstall. If you delete an application deployment, or remove a resource from the collection you are deploying to, the application will no longer be visible in Software Center or the Application Catalog.

See Also
Operations and Maintenance for Application Management in Configuration Manager

How to Simulate an Application Deployment in Configuration Manager

Use simulated deployments if you want to test the applicability of an application deployment to computers without installing or uninstalling the application. A simulated deployment evaluates the detection method, requirements and dependencies for a deployment type, and reports the results in the Deployments node of the Monitoring workspace. Use the procedure in this topic to simulate an application deployment in Microsoft System Center 2012 Configuration Manager. Note You cannot use simulated deployments for collections of mobile devices. Note You cannot deploy an application with a deployment purpose of Uninstall if a simulated deployment of the same application is active. To simulate an application deployment 1. In the Configuration Manager console, select one of the following: A collection of users. A collection of devices. A Configuration Manager application.

2. In the Home tab, in the Deployment group, click Simulate Deployment. 3. In the Simulate Application Deployment Wizard , specify the following information: Application: Click Browse and then select the application for which you want to create a simulated deployment. Collection: Click Browse and then select the collection that you want to use for the simulated deployment. Action: From the drop-down list, select whether you want to simulate the installation, or the uninstallation of the selected application.
1525

Deploy automatically with or without user login If this option is checked, the clients will evaluate the simulated deployment whether or not the clients are logged in.

4. Click Next, review the information on the Summary page, and then complete the wizard to create the simulated application deployment. 5. Simulated applications appear in the Deployments node of the Monitoring workspace with a purpose of Simulate. For more information about how to monitor application deployments, see How to Monitor Applications in Configuration Manager.

See Also
Operations and Maintenance for Application Management in Configuration Manager

How to Manage Applications and Deployment Types in Configuration Manager

Use the information in the following sections to help you manage Microsoft System Center 2012 Configuration Manager applications and deployment types. How to Manage Applications How to Manage Deployment Types

For information about how to create applications, see How to Create Applications in Configuration Manager. For information about how to create deployment types, see How to Create Deployment Types in Configuration Manager. Important Depending on the type of application or deployment type, some of the management options might not be available.

How to Manage Applications

In the Software Library workspace, expand Application Management, select Applications, select the application to manage, and then select a management task. Use the following table for more information about the management tasks that might require some information before you select them.
Task Details More information

Manage Access Accounts

Opens the Manage Access Accounts dialog box where you can specify the level of access that is allowed for the content that is associated with the

No additional information.

1526

Task

Details

More information

selected application. Create Prestage Content File Opens the Create Prestaged Content File Wizard that See Prestage helps you to manage the distribution of content to Content on a remote distribution points. When the scheduling and Distribution Point. throttling does not provide a valid solution for the remote distribution point, you can prestage the content on the distribution point Opens the Application Revision History dialog box that allows you to view the properties of revisions that were made to this application, delete old application revisions and restore old versions of this application. See How to Manage Application Revisions in Configuration Manager. See How to Create Deployment Types in Configuration Manager.

Revision History

Create Deployment Type

Opens the Create Deployment Type Wizard that allows you to add a new deployment type to the selected application.

Update Statistics

Updates the information that is displayed in the See How to Deployments node of the Monitoring workspace about Monitor the deployments of this application. Applications in Configuration Manager. This option reinstates an application that was retired by using the Retire management task. When you retire an application, it is no longer available for deployment but the application and any deployments of the application are not deleted. Existing copies of this application that were installed on client computers will not be removed. If an application that has no deployments is retired, it will be deleted from the Configuration Manager console after 60 days. However, any installed copies of the application are not removed. Important To delete an application, you must first retire the application, delete any deployments, remove references to it by other deployments,
1527

Reinstate

No additional information. See How to Manage Application Revisions in Configuration Manager.

Retire

Task

Details

More information

and then delete all of its revisions. Export Opens the Export Application Wizard that allows you to export the selected applications to a .zip file that you can then archive or install on another site. If you choose to export application content, a folder will be created and will contain the content. You can also export application dependencies, supersedence relationships and conditions and content for the application and its dependencies. Tip The Windows PowerShell cmdlet, ExportCMApplication, performs the same function. For more information, see http://go.microsoft.com/fwlink/p/?LinkID=258880 in the Microsoft System Center 2012 Configuration Manager SP1 Cmdlet Reference documentation. Delete Deletes the currently selected application. Note You cannot delete an application if other applications are dependent on it, if it has an active deployment, or if it has dependent task sequences. Simulate Deployment Opens the Simulate Application Deployment Wizard where you can test the results of an application deployment to computers without installing or uninstalling the application. See How to Simulate an Application Deployment in Configuration Manager. See How to Deploy Applications in Configuration Manager. See Operations and Maintenance for Content Management in
1528

No additional information.

No additional information.

Deploy

Opens the Deploy Software Wizard where you can deploy the selected application to collections of computers in your hierarchy.

Distribute Content

Opens the Distribute Content Wizard where you can copy the content for the selected application to distribution points in your hierarchy.

Task

Details

More information

Configuration Manager. View Relationships Displays a graphical diagram showing the relationships of the selected applications to other applications. Choose from one of the following: Dependency Displays the applications that are dependent on, and the applications that the selected application depends on. Supersedence Displays the applications that are superseded, and applications that the selected item is superseded by. Global Conditions Displays the global conditions that are referenced by this application. See How to Use Application Supersedence in Configuration Manager. See How to Create Global Conditions in Configuration Manager.

How to Manage Deployment Types

In the Software Library workspace, expand Application Management, select Applications, select the application that contains the deployment type that you want to manage, in the details pane, click the Deployment Types tab, select the deployment type that you want to manage and then select a management task. Use the following table for more information about the management tasks that might require some information before you select them.
Task Details More information

Increase Priority

Increases the priority of the No additional information. selected deployment type. Deployment types are evaluated in order. When a deployment type meets the specified requirements, it will be run and then no further deployment types on the priority list will be evaluated. Decreases the priority of the selected deployment type. Deletes the selected deployment type. Important You cannot delete a
1529

Decrease Priority

No additional information.

Delete

No additional information.

Task

Details

More information

deployment type if it is referenced by a deployment type in another application. To delete a deployment type, you must remove any dependencies to the deployment type that are contained in other deployment types. Additionally, you must also remove previous revisions of any application that contains a deployment type that references the deployment type that you want to delete. Update Content Refreshes the content for the selected deployment type. When you start this wizard for a deployment type that contains a virtual application, the Update Content Wizard is started. This wizard allows you to modify publishing options and requirement rules for the selected virtual application. For more information, see How to Create Deployment Types in Configuration Manager. Important When you refresh the content of a deployment type, a new revision of the application is created. This might cause client devices to be updated with the new application. No additional information.

1530

See Also
Operations and Maintenance for Application Management in Configuration Manager

How to Manage Application Revisions in Configuration Manager

When you make revisions to an application or to a deployment type that is contained in an application, Microsoft System Center 2012 Configuration Manager creates a new revision of the application. You can display the history of each application revision. You can also view its properties, restore a previous revision of an application, or delete an old revision. Important If you restore an application revision or create a new application revision and make changes to the detection method of one of the applications deployment types, then the installed copies of the application might be automatically replaced when the deployment schedule is next evaluated. For more control over application replacement, create a new application that supersedes the application that you want to replace and then deploy this application to the required collection. For more information, see How to Use Application Supersedence in Configuration Manager. To display an application revision history 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Application Management, click Applications, and then click the application that you want. 3. On the Home tab, in the Application group, click Revision History to open the Application Revision History dialog box. To view an application revision 1. In the Application Revision History dialog box, select an application revision, and then click View. 2. In the Properties dialog box, examine the properties of the selected application. Note The application properties that are displayed are read-only. 3. Close the Properties dialog box. To restore an application revision 1. In the Application Revision History dialog box, select an application revision, and then click Restore. 2. In the Confirm Revision Restore dialog box, click Yes to restore the selected
1531

application revision. To delete an application revision 1. In the Application Revision History dialog box, select an application revision, and then click Delete. 2. In the Delete Application Revision dialog box, click Yes. Note You can only delete the current application revision if the application is retired and contains no references.

See Also
Operations and Maintenance for Application Management in Configuration Manager

How to Use Application Supersedence in Configuration Manager

Application management in Microsoft System Center 2012 Configuration Manager allows you to upgrade or replace existing applications by using a supersedence relationship. When you supersede an application, you can specify a new deployment type to replace the deployment type of the superseded application and also configure whether to upgrade or uninstall the superseded application before the superseding application is installed. When you supersede an application, this applies to all future deployments and Application Catalog requests. This will not affect the existing installations of the application. Important When the option to uninstall the superseded deployment type is selected, a deployment type cannot be superseded by a deployment type that was deployed to a different collection type. For example, a deployment type that was deployed to a device collection cannot be superseded by a deployment type that was deployed to a user collection if the option to uninstall the superseded deployment type is collected. To specify a supersedence relationship 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Application Management, click Applications, and then click the application that will supersede another application. 3. On the Home tab, in the Properties group, click Properties to open the <Application Name> Properties dialog box. 4. On the Supersedence tab of the <Application Name> Properties dialog box, click Add.
1532

5. In the Specify Supersedence Relationship dialog box, click Browse. 6. In the Choose Application dialog box, select the application that you want to supersede and then click OK. 7. In the Specify Supersedence Relationship dialog box, select the deployment type that will replace the deployment type of the superseded application. Note By default, the new deployment type will not uninstall the deployment type of the superseded application. This scenario is commonly used when you want to deploy an upgrade to an existing application. Select Uninstall to remove the existing deployment type before the new deployment type is installed. If you decide to upgrade an application, make sure that you test this in a lab environment first. 8. Click OK to close the Specify Supersedence Relationship dialog box. 9. Click OK to close the <Application Name> Properties dialog box. To display applications that supersede the current application 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Application Management, click Applications, and then click the application that you want. 3. On the Home tab, in the Properties group, click Properties to open the <Application Name> Properties dialog box. 4. On the References tab of the <Application Name> Properties dialog box, select Applications that supersede this application from the Relationship type drop-down list. 5. Review the list of applications that supersede the selected application, then click OK to close the <Application Name> Properties dialog box.

See Also
Operations and Maintenance for Application Management in Configuration Manager

How to Uninstall Applications in Configuration Manager

Perform the following steps to uninstall an application by using Microsoft System Center 2012 Configuration Manager: Specify the command line to uninstall the deployment type content on the Content page of the Create Deployment Type Wizard. Deploy the application by using a deployment action of Uninstall.
1533

Important Some application types do not support uninstallation. The following list gives more information about the application uninstall behavior: When you uninstall a Configuration Manager application, the dependent applications are not automatically uninstalled. If you deploy an application that uses an action of Uninstall to a user, and the application was installed for all users of the computer, then the uninstall might fail if the users account does not have permissions to uninstall the application. If you remove a user or device from a collection that has an application deployed to it, the application will not be automatically removed from the device. A deployment with the deployment purpose of Uninstall does not check requirement rules. If the application is installed on the computer on which the deployment runs, it will be uninstalled. Important You must delete any existing deployments or simulated deployments of an application to a collection before you can deploy the application with a deployment action of Uninstall. For more information about how to create a deployment type, see How to Create Deployment Types in Configuration Manager. For more information about how to deploy an application, see How to Deploy Applications in Configuration Manager. To uninstall an application 1. Configure the application deployment type with the uninstall command line by using one of the following methods: On the General page of the Create Deployment Wizard, select the option Automatically identify information about this deployment type from installation files. If the information is available in the installation files, the uninstall command line is automatically added to the deployment type properties. On the Content page of the Create Deployment Type Wizard, in the Uninstall program field, specify the command line to uninstall the application. Note The Content page is displayed only if you select the option Manually specify the deployment type information on the General page of the Create Deployment Type Wizard. In the Programs tab of the <deployment type name> Properties dialog box specify the command line to uninstall the application in the Uninstall program field.

2. Deploy the application and select the deployment action Uninstall from the Deployment Settings page of the Deploy Software Wizard. Note
1534

When you select a deployment action of Uninstall, the deployment purpose is automatically configured as Required.

See Also
Operations and Maintenance for Application Management in Configuration Manager

How to Monitor Applications in Configuration Manager

In Microsoft System Center 2012 Configuration Manager, you can monitor the deployment of all software, including software updates, compliance settings, applications, task sequences, and packages and programs. You can monitor deployments by using the Monitoring workspace in the Configuration Manager console or by using reports. Applications in Configuration Manager support state-based monitoring, which allows you to track the last application deployment state for users and devices. These state messages display information about individual devices. For example, if an application is deployed to a collection of users, you can view the compliance state of the deployment and the deployment purpose in the Configuration Manager console. An application deployment state has one of the following compliance states: Success The application deployment succeeded or was found to be already installed. In Progress The application deployment is in progress. Unknown The state of the application deployment could not be determined. This state is not applicable for deployments with a purpose of Available. This state is typically displayed when state messages from the client are not yet received. Requirements Not Met The application was not deployed because it was not compliant with a dependency or a requirement rule, or because the operating system to which it was deployed was not applicable. Error The application failed to deploy because of an error.

You can view additional information for each compliance state, which includes subcategories within the compliance state and the number of users and devices in this category. For example, the Error compliance state includes the following subcategories: Error evaluating requirements Content related errors Installation errors

When more than one compliance state applies for an application deployment, you can see the aggregate state that represents the lowest compliance. For example:

1535

If a user logs in to two devices and the application is successfully installed on one device but fails to install on the second device, the aggregate deployment state of the application for that user displays as Error. If an application is deployed to all users that log on to a computer, you will receive multiple deployment results for that computer. If one of the deployments fails, the aggregate deployment state for the computer displays as Error.

The deployment state for package and program deployments is not aggregated. Use these subcategories to help you to quickly identify any important issues with an application deployment. You can also view additional information about the devices that fall into a particular subcategory of a compliance state. Application management in Configuration Manager includes a number of built-in reports that allow you to monitor information about applications and deployments. These reports have the report category of Software Distribution Application Monitoring. For more information about how to configure reporting in Configuration Manager, see Reporting in Configuration Manager. To monitor the state of an application in the Configuration Manager console 1. In the Configuration Manager console, click Monitoring. 2. In the Monitoring workspace, click Deployments. 3. To review deployment details for each compliance state and the devices in that state, select a deployment, and then, on the Home tab, in the Deployment group, click View Status to open the Deployment Status pane. In this pane, you can view the assets with each compliance state. Click any asset to view more detailed information about the deployment status to that asset. Note The number of items that can be displayed in the Deployment Status pane is limited to 20,000. If you need to see more items, use Configuration Manager reports to view application status data. The status of deployment types is aggregated in the Deployment Status pane. To view more detailed information about the deployment types, use the report Application Infrastructure Errors in the report category Software Distribution Application Monitoring. 4. To review general status information about an application deployment, select a deployment, and then click the Summary tab in the Selected Deployment window. 5. To review information about the applications deployment type, select a deployment, and then click the Deployment Types tab in the Selected Deployment window. Important The information shown in the Deployment Status pane after you click View Status is live data from the Configuration Manager database. The information shown in the Summary tab and the Deployment Types tab is summarized data.
1536

If the data that is shown in the Summary tab and the Deployment Types tab does not match the data that is shown in the Deployment Status pane, click Run Summarization to update the data in these tabs. You can configure the default application deployment summarization interval as follows: In the Configuration Manager console, click Administration. In the Administration workspace, expand Site Configuration, and then click Sites. From the Sites list, select the site for which you want to configure the summarization interval, and then in the Home tab, in the Settings group, click Status Summarizers. In the Status Summarizers dialog box, click Application Deployment Summarizer, and then click Edit. In the Application Deployment Summarizer Properties dialog box, configure the required summarization intervals and then click OK.

See Also
Operations and Maintenance for Application Management in Configuration Manager

How to Manage User Device Affinity in Configuration Manager

User device affinity in Microsoft System Center 2012 Configuration Manager is a method of associating a user with one or more specified devices. User device affinity can eliminate the need to know the names of a users devices in order to deploy an application to that user. Instead of deploying the application to all of the users devices, you deploy the application to the user. Then, user device affinity automatically ensures that the application install on all devices that are associated with that user. You can define primary devices. These are typically the devices that users use on a daily basis to perform their work. When you create an affinity between a user and a device, you gain more software deployment options. For example, if a user requires Microsoft Office Visio, you can install it on the users primary device by using a Windows Installer deployment. However, on a device that is not a primary device, you might deploy Microsoft Office Visio as a virtual application. You can also use user device affinity to predeploy software on a users device when the user is not logged in. Then, when the user logs on, the application is already installed and ready to run. In addition to following the procedures in this topic, you can configure user device affinity when you deploy an operating system to a computer. For more information, see How to Associate Users with a Destination Computer. You must manage user device affinity information for computers. User device affinities are automatically managed by Configuration Manager for the mobile devices that it enrolls.
1537

How to Manually Configure User Device Affinity

Use the following procedures to manually configure the affinity between users and devices from the Configuration Manager console. To configure primary users for a device 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, click Devices. 3. Select a device from the list. Then, in the Home tab, in the Device group, click Edit Primary Users. 4. In the Edit Primary Users dialog box, search for and select the users to add as primary users for the selected device, and then click Add. Note The Primary Users list shows users who are already primary users of this device and the method by which each user-device relationship was assigned. 5. Click OK to close the Edit Primary Users dialog box. To configure primary devices for a user 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, click Users. 3. Select a user from the list. Then, in the Device tab, click Edit Primary Devices. 4. In the Edit Primary Devices dialog box, search for and select the devices to add as primary devices for the selected user, and then click Add. Note The Primary Devices list shows devices that are already configured as primary devices for this user and the method by which each user-device relationship was assigned. 5. Click OK to close the Edit Primary Devices dialog box.

How to configure the site to automatically create user device affinities

Use the following procedure to enable your Configuration Manager site to automatically create user device affinities from usage data that is reported by client devices. Configuration Manager reads data about user logons from the Windows Event log. To be able to automatically create user device affinities, you must enable the following two settings from the local security policy on client computers to store logon events in the Windows Event log. Audit account logon events Audit logon events
1538

You can use Windows Group Policy to configure these settings. Important If an error causes the Windows Event log to generate a high number of entries, this can result in a new event log being created. If this occurs, existing logon events might be no longer be available to Configuration Manager. To configure the site to automatically create user device affinities 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, click Client Settings. 3. To modify the default client settings, select Default Client Settings, and then, in the Home tab, in the Properties group, click Properties. To create custom client agent settings, select the Client Settings node, and then, in the Home tab, in the Create group, click Create Custom Client Device Settings. Note If you modify the default client settings, they will be deployed to all computers in the hierarchy. For more information about configuring client settings, see How to Configure Client Settings in Configuration Manager. 4. For the client setting User and Device Affinity, configure the following: User device affinity threshold (minutes) - Specify the number of minutes of usage before a user device affinity is created. User device affinity threshold (days) Specify the number of days over which the usage based affinity threshold is measured. Note For example, if User device affinity threshold (minutes) is specified as 60 minutes and User device affinity threshold (days) is specified at 5 days, the user must use the device for at least 60 minutes over a period of 5 days to automatically create a user device affinity. Automatically configure user device affinity from usage data From the dropdown list, select True to enable the site to automatically create user device affinities. If you select False, then an administrative user must approve all user device affinity assignments. Important After an automatic user device affinity is created, Configuration Manager continues to monitor the user device affinity thresholds. If the users activity for the device falls below the configured thresholds, then the user device affinity will be removed. Configure User device affinity threshold (days) to a value of at least 7 days to avoid situations where an automatically configured user device affinity might be lost while the user is not logged on, for example, during the weekend.
1539

5. Click OK to close the client settings dialog box.

How to import a file that contains user device affinities

You can import a file that contains user device affinities to enable you to create many relationships at one time. For this procedure, the subject devices must have been discovered and exist as resources in the Configuration Manager database, otherwise this procedure will fail. Use this procedure to import a file containing user and device affinities to System Center 2012 Configuration Manager. To import a file that contains user device affinities 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, click either Users or Devices. 3. On the Home tab, in the Create group, click Import User Device Affinity. 4. On the Choose Mapping page of the Import User Device Affinity Wizard, specify the following information: File name Specify a comma-separated values (.csv) file that contains a list of users and devices between which you want to create an affinity. In this file, each user-anddevice pair must be on a separate line separated by a comma. Use the format <Domain>\<user name>,<device NetBIOS name>. Important The devices listed in the file must already exist as resources in the Configuration Manager database. Otherwise, the import will fail. This file has column headings for reference purposes If the comma-separated values file has a top-row header line, select this option and the header line will be ignored during the import.

5. If the file you are importing contains more than two items on each line, you can use Column and Assign to specify which columns represent users and devices and which columns to ignore during import. 6. Click Next and then complete the Import User Device Affinity Wizard.

How to allow users to create a user device affinity

Use these procedures to allow users to create their own user device affinity from the Application Catalog. To configure the site to allow users to create a user device affinity 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, click Client Settings.
1540

3. To modify the default client settings, select Default Client Settings, and then, in the Home tab, in the Properties group, click Properties. To create custom client agent settings, select the Client Settings node, and then, in the Home tab, in the Create group, click Create Custom Client User Settings. Note If you modify the default client settings, they will be deployed to all computers in the hierarchy. For more information about configuring client settings, see How to Configure Client Settings in Configuration Manager. 4. Configure the following for the client setting User and Device Affinity: In the Allow user to define their primary devices drop-down list, select True. 5. Click OK to close the client settings dialog box. To configure a user device affinity 1. In the Application Catalog, click My Systems. 2. Enable the option I regularly use this computer to do my work.

How to Manage User Device Affinity Requests

When the client setting Automatically configure user device affinity from usage data is set to False, an administrative user must approve all user device affinity assignments. Use the following procedure to approve or reject a Configuration Manager user device affinity assignment. To approve or reject a user device affinity assignment 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, select the user or device collection for which you want to manage affinity requests. 3. In the Home tab, in the Collection group, click Manage Affinity Requests. 4. In the Manage User Device Affinity Requests dialog box, select the affinity requests to approve or reject, and then click Approve or Reject. 5. Click Close to close the Manage User Device Affinity Requests dialog box.

See Also
Operations and Maintenance for Application Management in Configuration Manager

1541

How to Create Global Conditions in Configuration Manager

In System Center 2012 Configuration Manager, global conditions are rules that represent business or technical conditions that you can use to specify how an application is provided and deployed to client devices. You can create global conditions from the Global Conditions node of the Configuration Manager console or from within the Create Deployment Type Wizard. Global conditions are accessed from the Requirements page of the Create Deployment Type Wizard. Note You can only edit global conditions from the site where they were created. Use the following procedures to create Configuration Manager global conditions.

Provide Basic Information about the Global Condition

Several different types of global conditions are available. Different options are associated with the different global condition types. When you select a specific global condition type, Configuration Manager displays the options that apply to your selection. To provide basic information about the global condition 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Application Management, and then click Global Conditions. 3. On the Home tab, in the Create group, click Create Global Condition. 4. In the Create Global Condition dialog box, provide a name and an optional description for the global condition. 5. In the Device type drop-down list, choose whether the global condition is for a Windows computer, Windows Mobile device, or a Nokia device. 6. In the Condition Type drop-down list, choose one of the following options: Setting This option checks for the existence of one or more items on client devices. For example, you can check that a particular file, folder, or registry key value exists on a client device. Expression This option allows you to configure more complex rules to determine if the condition is satisfied on client devices. For example, you can determine if the physical memory on a computer is between 2 GB and 4 GB or to determine if a mobile device uses touch screen input.

1542

Configure Rules for the Global Condition

The procedure for defining the global condition rules is different depending on whether you are configuring a setting or an expression. Use the applicable procedure here to configure a setting or an expression for the global condition. To configure a setting for the global condition 1. In the Condition Type drop-down list, choose Setting. 2. In the Setting type drop-down list, choose the item to use as the condition for which requirements will be checked. The following setting types are available.
Setting type More information

Active Directory query

Configure the following for this setting type: LDAP prefix - Specify a valid LDAP prefix to the Active Directory Domain Services query to assess compliance on client computers. You can use either LDAP:// or GC://. Distinguished Name (DN) - Specify the distinguished name of the Active Directory Domain Services object that will be assessed for compliance on client computers. Search filter - Specify an optional LDAP filter to refine the results from the Active Directory Domain Services query to assess compliance on client computers. Search scope - Specify the search scope in Active Directory Domain Services: Base - Queries only the object specified. One Level - This option is not used in this version of Configuration Manager. Subtree - Queries the object specified and its complete subtree in the directory.

Property - Specify the property of the Active Directory Domain Services object that will be used to assess
1543

compliance on client computers. Query - Displays the LDAP query that is constructed from the entries in LDAP prefix, Distinguished name (DN), Search Filter if specified and Property. This query will be used to assess compliance on client computers.

Assembly

Configure the following for this setting type: Assembly name: Specifies the name of the assembly object to search for. The name cannot be the same as any other assembly object of the same type and the name must be registered in the Global Assembly Cache. The assembly name can be a maximum of 256 characters long. Note An assembly is a piece of code that can be shared between applications. Assemblies can have the file name extension .dll or .exe. The Global Assembly Cache is a folder named %systemroot%\assembly on client computers in which all shared assemblies are stored.

File system

Configure the following for this setting type: Type From the drop-down list, select whether you want to search for a File or a Folder. Path - Specify the path to the specified file or folder on client computers. You can specify system environment variables and the %USERPROFILE% environment variable in the path. Note If you use the %USERPROFILE% environment variable in the Path or File or folder name
1544

fields, all user profiles on the client computer will be searched. This could result in the discovery of multiple instances of the file or folder. File or folder name - Specify the name of the file or folder object that will be searched for. You can specify system environment variables and the %USERPROFILE% environment variable in the file or folder name. You can also use the wildcards * and ? in the filename. Note If you specify a file or folder name and use wildcards, this might produce a high numbers of results. This could result in high resource use on the client computer and also high network traffic when reporting results to Configuration Manager. Include subfolders Enable this option if you also want to search any subfolders under the specified path. This file or folder is associated with a 64-bit application - Choose whether the 64-bit system file location (%windir%\system32) should be searched in addition to the 32-bit system file location (%windir%\syswow64) on Configuration Manager clients that run a 64-bit version of Windows. Note If the same file or folder exists in both the 64-bit and 32-bit system file locations on the same 64-bit computer, multiple files will be discovered by the global
1545

condition. The File system setting type does not support specifying a UNC path to a network share in the Path field. IIS metabase Configure the following for this setting type: Registry key Metabase path - Specify a valid path to the IIS Metabase. Property ID - Specify the numeric property of the IIS Metabase setting.

Configure the following for this setting type: Hive From the drop-down list, select the registry hive that you want to search in. Key - Specify the registry key name that you want to search for. The format used should be key\subkey. This registry key is associated with a 64-bit application - Specifies whether the 64-bit registry keys should be searched in addition to the 32-bit registry keys on clients that run a 64-bit version of Windows. Note If the same registry key exists in both the 64-bit and 32-bit registry locations on the same 64-bit computer, both registry keys will be discovered by the global condition.

Registry value

Configure the following for this setting type: Hive - From the drop-down list, select the registry hive that you want to search in. Key - Specify the registry key name that you want to search for. The format used should be key\subkey. Value Specify the value that must be contained within the specified registry key. This registry key is associated
1546

with a 64-bit application - Specifies whether the 64-bit registry keys should be searched in addition to the 32-bit registry keys on clients that run a 64-bit version of Windows. Note If the same registry key exists in both the 64-bit and 32-bit registry locations on the same 64-bit computer, both registry keys will be discovered by the global condition. Script Configure the following for this setting type: Discovery script Click Add to enter, or browse to the script to use. You can use Windows PowerShell, VBScript or JScript scripts. Run scripts by using the logged on user credentials If you enable this option, the script will run on client computers by using the logged on users credentials. Note The value returned by the script will be used to assess the compliance of the global condition. For example, when you use VBScript, you could use the command WScript.Echo Result to return the Result variable value to the global condition. SQL query Configure the following for this setting type: SQL Server instance Choose whether you want the SQL query to run on the default instance, all instances, or a specified database instance name. Note The instance name must
1547

refer to a local instance of SQL Server. To refer to a clustered SQL server instance, you should use a script setting. Database - Specify the name of the Microsoft SQL Server database for which the SQL query will be run. Column - Specify the column name returned by the Transact-SQL statement to use to assess the compliance of the global condition. Transact-SQL statement Specify the full SQL query to use for the global condition. You can also click Open to open an existing SQL query.

WQL query

Configure the following for this setting type: Namespace - Specify the WMI namespace that will be used to build a WQL query that will be assessed for compliance on client computers. The default value is Root\cimv2. Class - Specifies the WMI class that will be used to build a WQL query that will be assessed for compliance on client computers. Property - Specifies the WMI property that will be used to build a WQL query that will be assessed for compliance on client computers. WQL query WHERE clause - You can use the WQL query WHERE clause item to specify a WHERE clause to be applied to the specified namespace, class, and property on client computers.

XPath query

Configure the following for this setting type: Path - Specify the path to the XML file on client computers that will be used to assess compliance. Configuration Manager supports the use of all Windows system environment variables and the
1548

%USERPROFILE% user variable in the path name. XML file name - Specify the file name containing the XML query to use to assess compliance on client computers. Include subfolders - Enable this option if you also want to search any subfolders under the specified path. This file is associated with a 64-bit application - Choose whether the 64-bit system file location (%windir%\system32) should be searched in addition to the 32-bit system file location (%windir%\syswow64) on Configuration Manager clients that run a 64-bit version of Windows. XPath query - Specify a valid full XML path language (XPath) query to use to assess compliance on client computers. Namespaces - Opens the XML Namespaces dialog box to identify namespaces and prefixes to use during the XPath query.

3. In the Data type drop-down list, choose the format in which data will be returned by the condition before it is used to check requirements. Note The Data type drop-down list is not displayed for all setting types. 4. Configure further details about this setting below the Setting type drop-down list. The items you can configure will vary depending on the setting type you have selected. 5. Click OK to save the rule and to close the Create Global Condition dialog box. To configure an expression for the global condition 1. In the Condition Type drop-down list, choose Expression. 2. Click Add Clause to open the Add Clause dialog box. 3. From the Select category drop-down list, select whether this expression is for a device or a user. Alternatively, select Custom to use a previously configured global condition. 4. From the Select a condition drop-down list, select the condition to use to assess whether the user or device meets the rule requirements. The contents of this list will vary
1549

depending on the selected category. 5. From the Choose operator drop-down list, choose the operator that will be used to compare the selected condition to the specified value to assess whether the user or device meets the rule requirements. The available operators will vary depending on the selected condition. 6. In the Value field, specify the values that will be used with the selected condition and operator to assess whether the user or device meets the rule requirements. The available values will vary depending on the selected condition and the selected operator. 7. Click OK to save the expression and to close the Add Clause dialog box. 8. When you have finished adding clauses to the global condition, click OK to close the Create Global Condition dialog box and to save the global condition.

See Also
Operations and Maintenance for Application Management in Configuration Manager

How to Create App-V Virtual Environments in Configuration Manager

Note The information in this topic applies only to System Center 2012 Configuration Manager SP1. Microsoft Application Virtualization (App-V) virtual environments in Microsoft System Center 2012 Configuration Manager enable deployed virtual applications to share the same file system and registry on client computers. This means that unlike standard virtual applications, these applications can share data with each other. Virtual environments are created or modified on client computers when the application is installed or when clients next evaluate their installed applications. You can order these applications so that when multiple applications try to modify a file system or registry value, the application with the highest order takes priority. Security Do not rely upon App-V virtual environments to provide security protection, for example, from malware. Use the following procedure to create App-V virtual environments in Configuration Manager.

To create an App-V virtual environment

1550

1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Application Management and then click App-V Virtual Environments. 3. In the Home tab, in the Create group, click Create Virtual Environment. 4. In the Create Virtual Environment dialog box, specify the following information: Name: Specify a unique name for the virtual environment with a maximum of 128 characters. Description: Optionally specify a description for the virtual environment.

5. Click Add to add a new deployment type to the virtual environment. You must add at least one deployment type. 6. In the Add Applications dialog box, specify a Group name of up to 128 characters that you will use to refer to this group of applications that you add to the virtual environment. 7. Click Add, select the App-V 5 applications and deployment types that you want to add to the group and then click OK. 8. In the Add Applications dialog box, you can click Increase Order or Decrease Order to specify which application will take priority if multiple applications attempt to modify file system or registry settings in the same virtual environment. 9. Click OK to return to the Create Virtual Environment dialog box. 10. When you have finished adding groups, click OK to create the virtual environment. The new virtual environment is displayed in the App-V Virtual Environments node of the Configuration Manager console. You can monitor the status of your virtual environments by using the report App-V Virtual Environment Status. Note The virtual environment will be added or modified on client computers when the application is installed or when the client next evaluates installed applications.

See Also
Operations and Maintenance for Application Management in Configuration Manager

Packages and Programs in Configuration Manager

Microsoft System Center 2012 Configuration Manager continues to support packages and programs that were used in Configuration Manager 2007. A deployment that uses packages and programs might be more suitable than a deployment that uses an application when you deploy any of the following: Scripts that do not install an application on a computer, such as a script to defragment the computer disk drive.
1551

One-off scripts that do not need to be continually monitored. Scripts that run on a recurring schedule and cannot use global evaluation.

When you migrate a Configuration Manager 2007 site to a Configuration Manager hierarchy, you can migrate existing packages and deploy them in your Configuration Manager hierarchy. After migration is complete, your Configuration Manager 2007 packages appear in the Packages node in the Software Library workspace. You can modify and deploy these packages in the same way as you did by using Configuration Manager 2007 software distribution. The Import Package from Definition Wizard remains in Configuration Manager to import legacy packages. Advertisements are converted to deployments when they are migrated from Configuration Manager 2007 to a Configuration Manager hierarchy. Note You can use Microsoft System Center Configuration Manager Package Conversion Manager to convert packages and programs into Configuration Manager applications. Download Package Conversion Manager from the Microsoft Download Center. For more information, see Configuration Manager Package Conversion Manager (Prerelease). Packages can use some new features of Configuration Manager, including distribution point groups and the new monitoring functionality. Microsoft Application Virtualization applications can no longer be distributed by using packages and programs in Configuration Manager. To distribute virtual applications, you must create these as Configuration Manager applications. Note To successfully create virtual applications in System Center 2012 Configuration Manager, 64-bit client computers must have the App-V 4.6 or later client installed before the Configuration Manager client is upgraded. Note For Configuration Manager SP1 only: For information about how to deploy packages and programs to clients that run Linux and UNIX, see Deploying Software to Linux and UNIX Servers in Configuration Manager.

In This Section
Use the following topics to create, deploy, monitor, and manage packages and programs in Configuration Manager: How to Create Packages and Programs in Configuration Manager How to Deploy Packages and Programs in Configuration Manager How to Monitor Packages and Programs in Configuration Manager How to Manage Packages and Programs in Configuration Manager

1552

See Also
Application Management in Configuration Manager

How to Create Packages and Programs in Configuration Manager

You can create or import a Microsoft System Center 2012 Configuration Manager package and program by using one of the following procedures in this topic: How to Create a Package and Program by using the Create Package and Program Wizard How to Create a Package and Program from a Package Definition File How to Import a Package and Program

How to Create a Package and Program by using the Create Package and Program Wizard
You can create a new package and program by using the Create Package and Program Wizard. To do so, use the following procedure. To create a package and program 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Application Management, and then click Packages. 3. In the Home tab, in the Create group, click Create Package. 4. On the Package page of the Create Package and Program Wizard, specify the following information: Name: Specify a name for the package with a maximum of 50 characters. Description: Optionally specify a description for this package with a maximum of 128 characters. Manufacturer: Optionally specify a manufacturer name to help you identify the package in the Configuration Manager console. This name can be a maximum of 32 characters. Language: Optionally specify the language version of the package with a maximum of 32 characters. Version: Optionally specify a version number for the package with a maximum of 32 characters. This package contains source files - This setting indicates whether the package requires source files to be present on client devices. By default, this check box is cleared and Configuration Manager does not use distribution points for the package. When this check box is selected, distribution points are used.
1553

Source folder: If the package contains source files, click Browse to open the Set Source Folder dialog box and specify the location of the source files for the package. Note The computer account of the site server must have read access permissions to the source folder that you specify.

5. On the Program Type page of the Create Package and Program Wizard, select the type of program to create, and then click Next. You can create a program for a computer or device, or you can skip this step and create a program later. Important You can only create packages and programs for devices running Windows CE. Note To create a new program for an existing package, select the package, and then, in the Home tab, in the Package group, click Create Program to open the Create Program Wizard. 6. Use one of the following procedures to create a standard program or a device program. To create a standard program 1. On the Program Type page of the Create Package and Program Wizard, select Standard Program, and then click Next. 2. On the Standard Program page of the Wizard, specify the following information: Name: Specify a name for the program with a maximum of 50 characters. Note The program name must be unique within a package. After you create a program, you cannot modify its name. Command Line: Enter the command line to be used to start this program, or click Browse to browse to the file location. If a specified file name does not have an extension specified, Configuration Manager attempts to use .com, .exe, and .bat as possible extensions. When the program is run on a client, Configuration Manager first searches for the command-line file name within the package, searches next in the local Windows folder, and then searches in local %path%. If the file cannot be found, the program fails. Startup folder: Optionally use this field to specify the folder from which the program runs, up to 127 characters. This folder can be an absolute path on the client or a path relative to the distribution point folder that contains the package. Run: Specifies the mode in which the program will run on client computers. Select one of the following: Normal - The program runs in the normal mode based on system and program
1554

defaults. This is the default mode. Minimized The program runs minimized on client devices. Users might see installation activity in the notification area or taskbar. Maximized The program runs maximized on client devices. Users will see all installation activity. Hidden The program runs hidden on client devices. Users will not see any installation activity.

Program can run: Specify whether the program can run only when a user is logged on, run only when no user is logged on, or run regardless of whether a user is logged on to the client computer. Run mode: Specify whether the program will run with administrative permissions or with the permissions of the currently logged on user. Allow users to view and interact with the program installation - Use this setting, if available, to specify whether to allow users to interact with the program installation. This check box is available only when Only when no user is logged on or Whether or not a user is logged on is selected for Program can run and Run with administrative rights is selected for Run mode. Drive mode: Specify information about how this program will runs on the network. Choose one of the following: Runs with UNC name - Indicates that the program runs with a Universal Naming Convention (UNC) name. This is the default setting. Requires drive letter - Indicates that the program requires a drive letter to fully qualify its location. For this setting, Configuration Manager can use any available drive letter on the client. Requires specific drive letter (example: Z:) - Indicates that the program requires a specific drive letter that you specify to fully qualify its location. If the specified drive letter is already used on a client, the program does not run.

Reconnect to distribution point at log on - Use this check box to indicate whether the client computer reconnects to the distribution point when the user logs on. By default, this check box is cleared.

3. On the Requirements page of the Create Package and Program Wizard, specify the following information: Run another program first You can use this setting to identify a package and program that will be run before this package and program will be run. Platform requirements Select This program can run on any platform or select This program can run only on specified platforms and then choose the operating systems that clients must be running to be able to install the package and program. Estimated disk space: Specify the amount of disk space that the software program requires to be able to run on the computer. This can be specified as Unknown (the default setting) or as a whole number greater than or equal to zero. If a value is specified, units for the value must also be specified. Maximum allowed run time (minutes): Specify the maximum time that the program is expected to run on the client computer. This can be specified as Unknown (the
1555

default setting) or as a whole number greater than zero. By default, this value is set to 120 minutes. Important If you are using maintenance windows for the collection on which this program is run, a conflict may occur if the Maximum allowed run time is longer than the scheduled maintenance window. However, if the maximum run time is set to Unknown, the program will start to run during the maintenance window and will continue to run as needed after the maintenance window is closed. If the user sets the maximum run time to a specific period that exceeds the length of any available maintenance window, then the program will not be run. If the value is set as Unknown, Configuration Manager sets the maximum allowed run time as 12 hours (720 minutes). Note If the maximum run time (whether set by the user or as the default value) is exceeded, Configuration Manager will stop the program if run with administrative rights is selected and Allow users to view and interact with the program installation is not selected. 4. Click Next and continue to To complete the Create Package and Program Wizard. To create a device program 1. On the Program Type page of the Create Package and Program Wizard, select Program for device, and then click Next. 2. On the Program for Device page of the Wizard, specify the following information: Name: Specify a name for the program with a maximum of 50 characters. Note The program name must be unique within a package. After you create a program, you cannot modify its name. Comment: Optionally, specify a comment for this device program with a maximum of 127 characters. Download folder: Specify the name of the folder on the Windows CE device in which the package source files will be stored. The default value is \Temp\. Command Line: Enter the command line to use to start this program, or click Browse to browse to the file location. Run command line in download folder Select this option to run the program from the previously specified download folder. Run command line from this folder Select this option to specify a different folder from which to run the program.

3. On the Requirements page of the Wizard, specify the following information:

1556

Estimated disk space: Specify the amount of disk space required for the software. This will be displayed to users of mobile devices before they install the program. Download program: Specify information regarding when this program can be downloaded to mobile devices. You can specify As soon as possible, Only over a fast network, or Only when the device is docked. Additional requirements: Specify any additional requirements for this program. These will be displayed to users before they install the software. For example, you could notify users that they need to close all other applications before running the program.

4. Click Next. To complete the Create Package and Program Wizard 1. On the Summary page of the Wizard, review the actions that will be taken, then complete the Wizard. 2. Optionally, verify that the new package and program is displayed in the Packages node of the Software Library workspace.

How to Create a Package and Program from a Package Definition File

Use the following procedure to create a package and program from a package definition file. For more information about package definition files, see About the Package Definition File Format in this topic. To import a package and program from a definition file 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Application Management, and then click Packages. 3. In the Home tab, in the Create group, click Create Package from Definition. 4. On the Package Definition page of the Create Package from Definition Wizard , choose an existing package definition file, or click Browse to open a new package definition file. After you have specified a new package definition file, select it from the Package definition list, and then click Next. 5. On the Source Files page of the Wizard, specify information about any required source files for the package and program, and then click Next. 6. If the package requires source files, on the Source Folder page of the Wizard, specify the location from which the source files are to be obtained, and then click Next. 7. On the Summary page of the Wizard, review the actions that will be taken and then complete the Wizard. The new package and program is displayed in the Packages node of the Software Library workspace.

1557

About the Package Definition File Format

Package definition files are scripts that you can use to help automate package and program creation with Configuration Manager. They provide all of the information that Configuration Manager needs in order to create a package and program, except for the location of package source files. Each package definition file is an ASCII or UTF-8 text file following the .ini file format and containing the following described sections: [PDF] [Package Definition] [Program]

[PDF]
This section identifies the file as a package definition file. It contains the following information: Version: This specifies the version of the package definition file format that is used by the file. This corresponds to the version of System Management Server (SMS) or Configuration Manager for which it was written. This entry is required.

[Package Definition]
This section of the package definition file specifies the properties of the package and program. It provides the following information: Name: The name of the package, up to 50 characters. This entry is required. Version: The version of the package, up to 32 characters. This entry is optional. Icon: Optionally, the file containing the icon to use for this package. If specified, this icon will replace the default package icon in the Configuration Manager console. Publisher: The publisher of the package, up to 32 characters. This entry is required. Language: The language version of the package, up to 32 characters. This entry is required. Comment: An optional comment about the package, up to 127 characters. ContainsNoFiles: This entry indicates whether or not a source is associated with the package. Programs: The programs defined for this package. Each program name corresponds to a [Program] section in this package definition file. This entry is required. Example:
Programs=Typical, Custom, Uninstall

MIFFileName: The name of the Management Information Format (MIF) file that contains the package status, up to 50 characters. MIFName: The name of the package (for MIF matching), up to 50 characters. MIFVersion: The version number of the package (for MIF matching), up to 32 characters. MIFPublisher: The software publisher of the package (for MIF matching), up to 32 characters.

1558

[Program]
For each program specified in the Programs entry in the [Package Definition] section, the package definition file must include a [Program] section that defines that program. Each Program section provides the following information: Name: The name of the program, up to 50 characters. This entry must be unique within a package. This name is used when defining advertisements. On client computers, the name of the program is shown in Run Advertised Programs in Control Panel. This entry is required. Icon: Optionally specifies the file containing the icon to use for this program. If specified, this icon will replace the default program icon in the Configuration Manager console and will be displayed on client computers when the program is advertised. Comment: An optional comment about the program, up to 127 characters. CommandLine: Specifies the command line for the program, up to 127 characters. The command is relative to the package source folder. This entry is required. StartIn: Specifies the working folder for the program, up to 127 characters. This entry can be an absolute path on the client computer or a path relative to the package source folder. This entry is required. Run: Specifies the program mode in which the program will run. You can specify Minimized, Maximized, or Hidden. If this entry is not included, the program will run in normal mode. AfterRunning: Specifies any special action that occurs after the program is successfully completed. Options available are SMSRestart, ProgramRestart, or SMSLogoff. If this entry is not included, the program will not run a special action. EstimatedDiskSpace: Specifies the amount of disk space that the software program requires to be able run on the computer. This can be specified as Unknown (the default setting) or as a whole number greater than or equal to zero. If a value is specified, the units for the value must also be specified. Example:
EstimatedDiskSpace=38MB

EstimatedRunTime: Specifies the estimated duration (in minutes) that the program is expected to run on the client computer. This can be specified as Unknown (the default setting) or as a whole number greater than zero. Example:
EstimatedRunTime=25

SupportedClients: Specifies the processors and operating systems on which this program will run. The specified platforms must be separated by commas. If this entry is not included, supported platform checking will be disabled for this program. SupportedClientMinVersionX, SupportedClientMaxVersionX: Specifies the beginning-toending range for version numbers for the operating systems specified in the SupportedClients entry. Example: SupportedClients=Win NT (I386),Win NT (IA64),Win NT (x64) Win NT (I386) MinVersion1=5.00.2195.4
1559

Win NT (I386) MaxVersion1=5.00.2195.4 Win NT (I386) MinVersion2=5.10.2600.2 Win NT (I386) MaxVersion2=5.10.2600.2 Win NT (I386) MinVersion3=5.20.0000.0 Win NT (I386) MaxVersion3=5.20.9999.9999 Win NT (I386) MinVersion4=5.20.3790.0 Win NT (I386) MaxVersion4=5.20.3790.2 Win NT (I386) MinVersion5=6.00.0000.0 Win NT (I386) MaxVersion5=6.00.9999.9999 Win NT (IA64) MinVersion1=5.20.0000.0 Win NT (IA64) MaxVersion1=5.20.9999.9999 Win NT (x64) MinVersion1=5.20.0000.0 Win NT (x64) MaxVersion1=5.20.9999.9999 Win NT (x64) MinVersion2=5.20.3790.0 Win NT (x64) MaxVersion2=5.20.9999.9999 Win NT (x64) MinVersion3=5.20.3790.0 Win NT (x64) MaxVersion3=5.20.3790.2 Win NT (x64) MinVersion4=6.00.0000.0 Win NT (x64) MaxVersion4=6.00.9999.9999 AdditionalProgramRequirements: Optionally provide any other information or requirements for client computers, up to 127 characters. CanRunWhen: Specifies the user status that the program requires to be able run on the client computer. Available values are UserLoggedOn, NoUserLoggedOn, or AnyUserStatus. The default value is UserLoggedOn. UserInputRequired: Specifies whether the program requires interaction with the user. Available values are True or False. The default value is True. This entry is set to False if CanRunWhen is not set to UserLoggedOn. AdminRightsRequired: Specifies whether the program requires administrative credentials on the computer to be able to run. Available values are True or False. The default value is False. This entry is set to True if CanRunWhen is not set to UserLoggedOn. UseInstallAccount: Specifies whether the program uses the Client Software Installation Account when it runs on client computers. By default, this value is False. This value is also False if CanRunWhen is set to UserLoggedOn. DriveLetterConnection: Specifies whether the program requires a drive letter connection to the package files that are located on the distribution point. You can specify True or False. The default value is False, which allows the program to use a Universal Naming Convention (UNC) connection. When this value is set to True, the next available drive letter will be used (starting with Z: and proceeding backward).
1560

SpecifyDrive: Optionally, specifies a drive letter that the program requires to connect to the package files on the distribution point. This specification forces the use of the specified drive letter for client connections to distribution points. ReconnectDriveAtLogon: Specifies whether the computer reconnects to the distribution point when the user logs on. Available values are True or False. The default value is False. DependentProgram: Specifies a program in this package that must run before the current program. This entry uses the format DependentProgram=<ProgramName>, where <ProgramName> is the Name entry for that program in the package definition file. If there are no dependent programs, leave this entry empty. Example: DependentProgram=Admin DependentProgram=

Assignment: Specifies how the program is assigned to users. This value can be: FirstUser, only the first user who logs on runs the program; or EveryUser, every user who logs on to the client runs the program. When CanRunWhen is not set to UserLoggedOn, this entry is set to FirstUser. Disabled: Specifies whether this program can be advertised to clients. Available values are True or False. The default value is False.

How to Import a Package and Program

To import a package and program 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Application Management, and then click Packages. 3. In the Home tab, in the Create group, Click Import. 4. On the General page of the Import Package Wizard, specify or browse to the compressed (.zip) file that contains the package and program to import, and then click Next. 5. On the File Content page of the Wizard, review the items that will be imported, and then click Next. You can click View Failure to examine the details of items that cannot be imported. If the package you are trying to import already exists, you can choose to either ignore the duplicate package or overwrite the original package. 6. On the Summary page of the Wizard, review the actions that will be taken and then complete the Wizard. The new package and program is displayed in the Packages node of the Software Library workspace.

See Also
Packages and Programs in Configuration Manager
1561

How to Deploy Packages and Programs in Configuration Manager

Use the procedure in this topic to deploy a Microsoft System Center 2012 Configuration Manager package and program to devices in your hierarchy. For more information about how to create packages and programs, see How to Create Packages and Programs in Configuration Manager.

To deploy a package and program 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Application Management, and then click Packages. 3. Select the package that you want to deploy, and then in the Home tab in the Deployment group, click Deploy. 4. On the General page of the Deploy Software Wizard, specify the name of the package and program that you want to deploy, the collection to which you want to deploy the package and program, and optional comments for the deployment. Select Use default distribution point groups associated to this collection if you want to store the package content on the collections default distribution point group. If you did not associate the selected collection with a distribution point group, this option will be unavailable. 5. On the Content page of the Wizard, click Add, and then select the distribution points or distribution point groups to which you want to deploy the content that is associated with this package and program. 6. On the Deployment Settings page of the Wizard, choose a purpose for this deployment, and specify whether you want to send wake-up packets before the package and program is installed. The deployment purpose options are the following: Available - If the application is deployed to a user, the user sees the published package and program in the Application Catalog and can request it on demand. If the package and program is deployed to a device, the user will see it in Software Center and can install it on demand. Required - The package and program is deployed automatically, according to the configured schedule. However, a user can track the package and program deployment status and install it before the deadline by using Software Center. Send wake-up packets If the deployment purpose is set to Required and this option is selected, a wake-up packet will be sent to computers before the deployment is installed to wake the computer from sleep at the installation deadline time. Before you can use this option, computers must be configured for Wake On LAN.

7. On the Scheduling page of the Wizard, configure when this package and program will be
1562

deployed or made available to client devices. The options on this page will vary depending on whether the deployment action is set to Available or Required. 8. If the deployment purpose is set to Required, configure the rerun behavior for the program from the Rerun behavior drop-down list. Choose from the following options:
Rerun behavior More information

Never rerun deployed program

The program will not be rerun on the client, even if the program originally failed, or the program files are changed. The program will always be rerun on the client when the deployment is scheduled, even if the program has already successfully run. This can be useful when you use recurring deployments in which the program is updated, for example with antivirus software. The program will be rerun when the deployment is scheduled only if it failed on the previous run attempt. The program will be rerun only if it previously ran successfully on the client. This is useful when you use recurring advertisements in which the program is routinely updated, and in which each update requires the previous update to be successfully installed.

Always rerun program

Rerun if failed previous attempt

Rerun if succeeded on previous attempt

9. On the User Experience page of the Wizard, specify the following information: Allow users to run the program independently of assignments If enabled, users can install this software from the application catalogue regardless of any scheduled installation time. Software installation Allows the software to be installed outside of any configured maintenance windows. System restart (if required to complete the installation) If the software installation requires a device restart to complete, allow this to happen outside of any configured maintenance windows. Embedded Devices - For Configuration Manager SP1 only. When you deploy packages and programs to Windows Embedded devices that are write filter enabled, you can specify to install the packages and programs on the temporary overlay and commit changes later, or commit the changes at the installation deadline or during a
1563

maintenance window. When you commit changes at the installation deadline or during a maintenance window, a restart is required and the changes persist on the device. Note When you deploy a package or program to a Windows Embedded device, make sure that the device is a member of a collection that has a configured maintenance window. For more information about how maintenance windows are used when you deploy packages and programs to Windows Embedded devices, see the Deploying Applications in Configuration Manager section in the Introduction to Application Management in Configuration Manager topic. 10. On the Distribution Points page of the Wizard, specify the following information: Deployment options Specify the actions that a client should take to run program content. You can specify behavior when the client is in a fast network boundary, or a slow or unreliable network boundary. Allow clients to share content with other clients on the same subnet Select this option to reduce load on the network by allowing clients to download content from other clients on the network that already downloaded and cached the content. This option utilizes Windows BranchCache and can be used on computers that run Windows Vista SP2 and later. Allow clients to fall back to unprotected distribution points when the content is not available on the protected distribution point If enabled, clients can search other distribution points in the hierarchy for required content if this is not available on the specified distribution point or distribution point groups.

11. On the Summary page of the Wizard, review the actions that will be taken and then complete the Wizard. You can view the deployment in the Deployments node of the Monitoring workspace and in the details pane of the package deployment tab when you select the deployment. For more information, see How to Monitor Packages and Programs in Configuration Manager. Important If you configured the option Run program from distribution point on the Distribution Points page of the Deploy Software Wizard, do not clear the option Copy the content in this package to a package share on distribution points, because this will make the package unavailable to run from distribution points.

See Also
Packages and Programs in Configuration Manager

1564

How to Monitor Packages and Programs in Configuration Manager

To monitor Microsoft System Center 2012 Configuration Manager package and program deployments, you can use the same procedures that you use to monitor applications. For more information about how to monitor packages and programs in System Center 2012 Configuration Manager, see How to Monitor Applications in Configuration Manager. Packages and programs in Configuration Manager also includes a number of built-in reports, which allow you to monitor information about the deployment status of packages and programs. These reports have the report category of Software Distribution Packages and Programs and Software Distribution Package and Program Deployment Status. For more information about how to configure reporting in Configuration Manager, see Reporting in Configuration Manager.

See Also
Operations and Maintenance for Application Management in Configuration Manager

How to Manage Packages and Programs in Configuration Manager

Use the information in this topic to help you manage packages and programs in Microsoft System Center 2012 Configuration Manager. Note For information about how to create Configuration Manager packages and programs, see How to Create Packages and Programs in Configuration Manager.

How to Manage Packages and Programs

In the Software Library workspace, expand Application Management, click Packages, select the package that you want to manage, and then select a management task. Use the following table for more information about the management tasks that might require some information before you select them.

1565

Task

Details

Create Prestage Content File

Opens the Create Prestaged Content File Wizard that allows you to create a file that contains the package content that can be manually imported to another site. This is useful in situations where you have low network bandwidth between the site server and the distribution point. Opens the Create Program Wizard that allows you to create a new program for this package. Opens the Export Package Wizard that allows you to export the selected package and its content to a file. For information about how to import packages and programs, see How to Import a Package and Program in the How to Create Packages and Programs in Configuration Manager topic.

Create Program

Export

Deploy

Opens the Deploy Software Wizard that allows you to deploy the selected package and program to a collection. For more information, see How to Deploy Packages and Programs in Configuration Manager. Opens the Distribute Content Wizard that allows you to send the content that is associated with the package and program to selected distribution points or distribution point groups. Updates distribution points with the latest content for the selected package and program.

Distribute Content

Update Distribution Points

See Also
Packages and Programs in Configuration Manager

1566

Deploying Software to Linux and UNIX Servers in Configuration Manager

Note The information in this topic applies only to System Center 2012 Configuration Manager SP1. The Microsoft System Center 2012 Configuration Manager client for Linux and UNIX supports software deployments that use packages and programs. You cannot deploy System Center 2012 Configuration Manager applications to computers that run Linux and UNIX. The client supports the following functionality for packages and program deployments: You can install software for Linux and UNIX servers, including the following: New software deployment Software updates for programs already on the computer Operating system patches

You can run native Linux and UNIX commands, and run scripts that are located on Linux and UNIX servers. You can limit deployment to the operating systems that you specify when you select the program option Only on specified client platforms. You can use maintenance windows to control when software installs. You can use deployment status messages to monitor deployments.

When you configure and deploy packages and programs for Linux and UNIX servers, use the same methods that you use to configure and deploy packages and programs to your Windowsbased computers with the following caveats:
Configuration Details

Use only configurations that are intended for computers, and do not use configurations that are intended for users.

The Configuration Manager client for Linux and UNIX does not support configurations that are intended for users.

Configure programs to download the software The Configuration Manager client for Linux and from the distribution point and run the programs UNIX does not support running software from from the local client cache the distribution point. Instead, you must configure the software to download to the client and then install. By default, after the client for Linux and UNIX installs software, that software is deleted from the clients cache. However, packages that are configured with Persist content in the client cache are not deleted from the client and
1567

Configuration

Details

remain in the clients cache after the software installs. The client for Linux and UNIX does not support configurations for the client cache, and the maximum size of the client cache is limited only by the free disk space on the client computer. Configure the Network Access Account for distribution point access Linux and UNIX computers are designed to be workgroup computers. In order to access packages from the distribution point in the Configuration Manager site server domain, you must configure the Network Access Account for the site. You must specify this account as a software distribution component property and configure the account before you deploy software. For more information, see Configuring Site Components in Configuration Manager. You can deploy packages and programs to collections that contain only Linux or UNIX clients, or you can deploy them to collections that contain a mix of client types, such as the All Systems Collection. Note When you deploy software to a mixed collection, it is likely that many clients in the collection are unable to run the software successfully because they are the wrong operating system type to understand the program files. As a result, the deployment will report failure. When the Configuration Manager client for Linux and UNIX receives and runs a deployment, it generates status messages. You can view these status messages in the Configuration Manager console, or by using reports to monitor the deployment status. For information about how to use packages and programs, see Packages and Programs in Configuration Manager. The following sections provide details about software deployment to Linux and UNIX servers.

Configuring Packages, Programs, and Deployments for Linux and UNIX Servers
You can create and deploy packages and programs by using the options that are available by default in the Configuration Manager console. The client does not require any unique configurations.
1568

Use the information in the following sections to configure packages and programs as well as deployments.

Packages and Programs

To create a package and program for a Linux or UNIX server, use the Create Package and Program Wizard from the Configuration Manager console. The client for Linux and UNIX supports most package and program settings. However, several settings are not supported. When you create or configure a package and program, consider the following: Include the file types that are supported by the destination computers Define the command lines that are appropriate for use on the destination computer Settings that interact with users are not supported

The following table lists the properties for packages and programs that are not supported.
Package and program property Behavior More information

Package share settings: All options

An error is generated and the software install fails

The client does not support this configuration. Instead, the client must download the software by using HTTP or HTTPS, and then run the command line from its local cache. The client does not support this configuration.

Package update settings: Disconnect users from distribution points

Setting is ignored

Operating system deployment settings: All options

Settings are ignored

The client does not support this configuration.

Reporting: Use package properties for status MIF matching Use these fields for status MIF matching

Settings are ignored

The client does not support the use of status MIF files.

Run: All options

Settings are ignored

The client always runs packages with no user interface. The client ignores all configuration options for Run.

After running: Configuration Manager restarts computer

An error is generated and the software install fails

The system restart setting and user specific settings are not supported.
1569

Package and program property

Behavior

More information

Program controls restart Configuration Manager logs the user off

When any setting other than the No action required setting is in use, the client generates an error and continues the software installation, with no action taken. An error is generated and the software install fails User specific settings are not supported. When this option is configured, the client generates an error and fails the installation of the software. Other options are ignored and the software installation continues.

Program can run: Only when a user is logged on

Run mode: Run with users rights

Setting is ignored

User specific settings are not supported. However, the client does support the configuration to run with Administrative rights. Important When you specify Run with administrative rights, the Configuration Manager client uses its root credentials. This setting does not generate an error or log entry. Instead, the software installation fails when the client generates an error for the prerequisite configuration of Program can run = Only when a user is logged on.

Allow users to view and interact with the program installation.

Setting is ignored

User specific settings are not supported. This configuration is ignored and the software installation continues.

Drive mode: All options

Settings are ignored

This setting is not supported because content is always downloaded to the client and run locally.
1570

Package and program property

Behavior

More information

Run another program first

An error is generated and the software install fails

Recursive program installation is not supported. When a program is configured to run another program first, the software installation fails, and the other program installation is not started.

When this program is assigned to a computer: Run once for every user who logs on

Setting is ignored

User specific settings are not supported. However, the client does support the configuration to run once for the computer. This setting does not generate an error or log entry because an error and log entry are already created for the prerequisite configuration of Program can run = Only when a user is logged on.

Suppress program notifications.

Setting is ignored

The client does not implement a user interface. When this configuration is selected, it is ignored and the software installation continues.

Disable this program on computers where it is deployed Allow this program to be installed from the Install Package task sequence without being deployed.

Setting is ignored

This setting is not supported and does not affect the installation of software. The client does not support task sequences. This setting is not supported and does not affect the installation of software.

Setting is ignored

Windows Installer: All options

Settings are ignored

The client does not support Windows Installer files or settings. The client does not support this configuration.

OpsMgr Maintenance Mode: All options

Settings are ignored

1571

For information about how to create a package and program, see How to Create Packages and Programs in Configuration Manager.

Deployments
To deploy software to a Linux or UNIX server by using a package and program, you can use the Deploy Software Wizard from the Configuration Manager console. Most deployment settings are supported by the client for Linux and UNIX, however several settings are not supported. When you deploy software consider the following: You must provision the package on at least one distribution point that is associated with a boundary group that is configured for content location. The client for Linux and UNIX that receive this deployment must be able to access this distribution point from its network location. The client for Linux and UNIX downloads the package from the distribution point and runs the program on the local computer. The client for Linux and UNIX cannot download packages from shared folders. It downloads packages from IIS enabled distribution points that support HTTP or HTTPS.

The following table lists properties for deployments that are not supported:
Deployment property Behavior More information

Deployment settings purpose: Setting is ignored Available Required

User specific settings are not supported. However, the client supports the setting Required, which enforces the scheduled installation time, but does not support manual installation prior to that scheduled time.

Send wake-up packets

Setting is ignored

The client does not support this configuration. User specific settings are not supported. However, the client supports the setting As soon as possible.

Assignment schedule: logon logoff

An error is generated and the software install fails

Notification settings: Allow users to run the program independently of assignments

Setting is ignored

The client does not implement a user interface.

When the scheduled

An error is generated

The client does not support a

1572

Deployment property

Behavior

More information

assignment time is reached, allow the following activity to be performed outside the maintenance window: System restart (if required to complete the installation) An error is generated and the software install fails

system restart.

Deployment option for fast (LAN) networks: Run program from distribution point

The client cannot run software from the distribution point and instead must download the program before it can run. The client does not support sharing content between peers.

Deployment option for a slow or Setting is ignored unreliable network boundary, or a fallback source location for content: Allow clients to share content with other clients on the same subnet

For more information about content location, see Planning for Content Management in Configuration Manager. For more information about how to create a deployment, see How to Deploy Packages and Programs in Configuration Manager.

Operations for Software Deployments

Similar to the Windows client, the Configuration Manager client for Linux and UNIX discovers new software deployments when it polls and checks for new policy. The frequency at which the client checks for new policy depends on client settings. You can configure maintenance windows to control when software deployments occur. You can configure software deployments to Linux and UNIX servers by using package properties, program properties, and deployment properties. When the client receives policy for a deployment, it submits a status message. It also submits status messages when it starts the installation of software and when the installation finishes, or fails. Programs for software deployments run with the root credentials that the Configuration Manager client for Linux and UNIX runs with. The exit code of the programs command is used to determine success or failure. An exit code of 0 (zero) is treated as success. In addition, the stdout (standard output stream) and stderr (standard error stream) are copied to the log file when the log level is set to INFO or TRACE.
1573

Tip If the software that you want to deploy is located on a Network File System (NFS) share that the Linux or UNIX server can access, you do not need to use a distribution point to download the package. Instead, when you create the package, do not select the check box for This package contains source files. Then, when you configure the program, specify the appropriate command line to directly access the package on the NFS mount point.

Security and Privacy for Application Management in Configuration Manager

Note This topic appears in the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide and in the Security and Privacy for System Center 2012 Configuration Manager guide. This topic contains information about security and privacy for application management in System Center 2012 Configuration Manager. This topic also includes the Application Catalog and Software Center. Use the following sections for more information: Security best practices for application management Security issues for application management Certificates for Microsoft Silverlight 5, and elevated trust mode required for the Application Catalog Privacy information for application management User device affinity Application Catalog

Security best practices for application management

Use the following security best practices for application management:
Security best practice More information

Configure the Application Catalog points to use HTTPS connections and educate users about the dangers of malicious websites.

Configure the Application Catalog website point and the Application Catalog web service point to accept HTTPS connections so that the server is authenticated to users and the data that is transmitted is protected from tampering
1574

Security best practice

More information

and viewing. Help to prevent social engineering attacks by educating users to connect to trusted websites only. Note Do not use the branding configuration options that display the name of your organization in the Application Catalog as proof of identify when you do not use HTTPS. Use role separation, and install the Application Catalog website point and the Application Catalog service point on separate servers. If the Application Catalog website point is compromised, install it on a separate server to the Application Catalog web service point. This will help to protect the Configuration Manager clients and the Configuration Manager infrastructure. This is particularly important if the Application Catalog website point accepts client connections from the Internet because this configuration makes the server vulnerable to attack. If users browse to an external website in the same browser window that they used for the Application Catalog, the browser continues to use the security settings that are suitable for trusted sites in the intranet. Do not consider the information that is collected from users or from the device to be authoritative. If you deploy software by using user device affinity that is not specified by a trusted administrative user, the software might be installed on computers and to users who are not authorized to receive that software. When you configure deployments to download content from a distribution point and run locally, the Configuration Manager client verifies the package hash after it downloads the content, and it discards the package if the hash does not match the hash in the policy. In comparison, if you configure the deployment to run directly from a distribution point, the Configuration
1575

Educate users to close the browser window when they finish using the Application Catalog.

Manually specify the user device affinity instead of allowing users to identify their primary device; and do not enable usage-based configuration.

Always configure deployments to download content from distribution points rather than run from distribution points.

Security best practice

More information

Manager client does not verify the package hash, which means that the Configuration Manager client can install software that has been tampered with. If you must run deployments directly from distribution points, use NTFS least permissions on the packages on the distribution points, and use IPsec to secure the channel between the client and the distribution points and between the distribution points and the site server. Do not allow users to interact with programs if the option Run with administrative rights is required. When you configure a program, you can set the option Allow users to interact with this program so that users can respond to any required prompts in the user interface. If the program is also configured to Run with administrative rights, an attacker at the computer that runs the program could use the user interface to escalate privileges on the client computer. Use Windows Installer-based setup programs with per-user elevated privileges for software deployments that require administrative credentials, but that must be run in the context of a user who does not have administrative credentials. Windows Installer per-user elevated privileges provides the most secure way to deploy applications that have this requirement. Restrict whether users can install software interactively by using the Installation permissions client setting. Configure the Computer Agent client device setting Install permissions to restrict the types of users that can install software by using the Application Catalog or Software Center. For example, create a custom client setting with Install permissions set to Only administrators. Then apply this client setting to a collection of servers to prevent users without administrative permissions from installing software on those computers. Deploy mobile device applications only if they are code signed by a certification authority (CA)
1576

For mobile devices, deploy only applications that are signed

Security best practice

More information

that is trusted by the mobile device. For example: An application from a vendor, which is signed by a well-known CA, such as VeriSign. An internal application that you sign independently from Configuration Manager, by using your internal CA. An internal application that you sign by using Configuration Manager when you create the application type and use a signing certificate.

If you sign mobile device applications by using the Create Application Wizard in Configuration Manager, secure the location of the signing certificate file, and secure the communication channel.

To help protect against elevation of privileges and against man-in-the-middle attacks, store the signing certificate file in a secured folder and use IPsec or SMB between the following computers: The computer that runs the Configuration Manager console. The computer that stores the certificate signing file. The computer that stores the application source files.

Alternatively, sign the application independently from Configuration Manager and before you run the Create Application Wizard. Implement access controls to protect reference computers. When an administrative user configures the detection method in a deployment type by browsing to a reference computer, make sure that the computer has not been compromised.

Restrict and monitor the administrative users who are granted the role-based security roles that are related to application management: Application Administrator Application Author Application Deployment Manager

Even when you configure role-based administration, administrative users who create and deploy applications might have more permissions than you realize. For example, when administrative users create or modify an application, they can select dependent applications that are not in their security scope.

1577

Note For Configuration Manager SP1 only: When you configure Microsoft Application Virtualization (App-V) virtual environments, select applications in the virtual environment that have the same trust level.

Because applications in an App-V virtual environment can share resources, such as the clipboard, configure the virtual environment such that the selected applications have the same trust level. For more information, see How to Create App-

V Virtual Environments in Configuration Manager. Because the .cmmac file that the CMAppUtil tool generates and that you import into Configuration Manager is not signed or validated, to help prevent tampering of this file, store it in a secured folder and use IPsec or SMB between the following computers: The computer that runs the Configuration Manager console. The computer that stores the .cmmac file.

Note For Configuration Manager SP1 only: If you deploy applications for Mac computers in Configuration Manager SP1, secure the location of the .cmmac file and secure the communication channel when you import this file into Configuration Manager.

Security issues for application management

Application management has the following security issues: Low-rights users can copy files from the client cache on the client computer. Users can read the client cache, but cannot write to it. With read permissions, a user can copy application installation files from one computer to another. Low-rights users can modify files that record software deployment history on the client computer. Because the application history information is not protected, a user can modify files that report whether an application installed. App-V packages are not signed. App-V packages in Configuration Manager do not support signing to verify that the content is from a trusted source and that it has not been altered in transit. There is no mitigation for this security issue; make sure that you follow the security best practice to download the content from a trusted source and from a secure location. Published App-V applications can be installed by all users on the computer. When an App-V application is published on a computer, all users who log on to that computer can install the application. This means that you cannot restrict which users can install the application after it is published.

1578

Certificates for Microsoft Silverlight 5, and elevated trust mode required for the Application Catalog
Note Applies only to System Center 2012 Configuration Manager SP1. System Center 2012 Configuration Manager SP1 clients require Microsoft Silverlight 5, which must run in elevated trust mode for users to install software from the Application Catalog. By default, Silverlight applications run in partial trust mode to prevent applications from accessing user data. Configuration Manager automatically installs Microsoft Silverlight 5 on clients if it is not already installed, and by default, it configures the Computer Agent client setting Allow Silverlight applications to run in elevated trust mode to Yes. This setting allows signed and trusted Silverlight applications to request elevated trust mode. When you install the Application Catalog website point site system role, the client also installs a Microsoft signing certificate in the Trusted Publishers computer certificate store on each Configuration Manager client computer. This certificate allows Silverlight applications that are signed by this certificate to run in the elevated trust mode that computers require to install software from the Application Catalog. Configuration Manager automatically manages this signing certificate. To ensure service continuity, do not manually delete or move this Microsoft signing certificate. Warning When enabled, the client setting Allow Silverlight applications to run in elevated trust mode allows all Silverlight applications that are signed by certificates in the Trusted Publishers certificate store in either the computer store or the user store to run in elevated trust mode. The client setting cannot enable elevated trust mode specifically for the Configuration Manager Application Catalog or for the Trusted Publishers certificate store in the computer store. If malware adds a rogue certificate in the Trusted Publishers store, for example, in the user store, malware that uses its own Silverlight application can now also run in elevated trust mode. If you configure the client setting Allow Silverlight applications to run in elevated trust mode to be No, this does not remove the Microsoft signing certificate from clients. For more information about trusted applications in Silverlight, see Trusted Applications.

Privacy information for application management

Application management allows you to run any application, program, or script on any client computer or client mobile device in the hierarchy. Configuration Manager has no control over what types of applications, programs, or scripts you run or what type of information they transmit. During the application deployment process, Configuration Manager might transmit information between clients and servers that identify the device and logon accounts.
1579

Configuration Manager maintains status information about the software deployment process. Software deployment status information is not encrypted during transmission unless the client communicates by using HTTPS. The status information is not stored in encrypted form in the database. The use of Configuration Manager software installation to remotely, interactively, or silently install software on clients might be subject to software license terms for that software, and is separate from the Software License Terms for System Center 2012 Configuration Manager. Always review and agree to the Software Licensing Terms before you deploy software by using Configuration Manager. Software deployment does not happen by default and requires several configuration steps. Two optional features that help efficient software deployment are user device affinity and the Application Catalog: User device affinity maps a user to devices so that a Configuration Manager administrator can deploy software to a user, and the software is automatically installed on one or more computers that the user uses most often. The Application Catalog is a website that allows users to request software to install.

View the following sections for privacy information about user device affinity and the Application Catalog. Before you configure application management, consider your privacy requirements.

User device affinity

Configuration Manager might transmit information between clients and management point site systems that identify the computer and logon account and the summarized usage for logon accounts. The information that is transmitted between the client and server is not encrypted unless the management point is configured to require clients communicate by using HTTPS. The computer and logon account usage information that is used to map a user to a device is stored on client computers, sent to management points, and then stored in the Configuration Manager database. The old information is deleted from the database by default after 90 days. The deletion behavior is configurable by setting the Delete Aged User Device Affinity Data site maintenance task. Configuration Manager maintains status information about user device affinity. Status information is not encrypted during transmission unless clients are configured to communicate with management points by using HTTPS. Status information is not stored in encrypted form in the database. Computer, logon account usage information, and status information is not sent to Microsoft. Computer and logon usage information that is used to establish user and device affinity is always enabled. In addition, users and administrative users can supply user device affinity information.

1580

Application Catalog
The Application Catalog allows the Configuration Manager administrator to publish any application or program or script for users to run. Configuration Manager has no control over what types of programs or scripts are published in the catalog, or what type of information they transmit. Configuration Manager might transmit information between clients and the Application Catalog site system roles that identify the computer and logon accounts. The information that is transmitted between the client and servers is not encrypted unless these site system roles are configured to require that clients connect by using HTTPS. The information about the application approval request is stored in the Configuration Manager database. The requests that are canceled or denied are deleted by default after 30 days, along with the corresponding request history entries. The deletion behavior is configurable by setting the Delete Aged Application Request Data site maintenance task. The application approval requests that are in approved and pending states are never deleted. Information that is sent to and from the Application Catalog is not sent to Microsoft. The Application Catalog is not installed by default. This installation requires several configuration steps.

See Also
Application Management in Configuration Manager

Technical Reference for Application Management in Configuration Manager

Use the following topics in this section for technical reference information for application management in Microsoft System Center 2012 Configuration Manager.

In this Section
Example Scenario for Managing Applications by Using Configuration Manager

See Also
Application Management in Configuration Manager

1581

Example Scenario for Managing Applications by Using Configuration Manager

Note This topic appears in the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide and in the Scenarios and Solutions Using System Center 2012 Configuration Manager guide. This topic provides an example scenario for how you can use System Center 2012 Configuration Manager to manage applications in your enterprise. It covers the lifecycle of the application deployment: The initial creation and testing to deploy the application; updating the deployed application to a later version; and the removal of the application from computers on the production network. John is the Configuration Manager administrator at Woodgrove Bank who must deploy the latest version of Microsoft Visio to 200 users, according to the following requirements: He must install the application only to computers that run Windows 7. For performance reasons, only computers with more than 4 GB of RAM must install this application. If computers have less than 4 GB RAM, they must run the virtual version of the application. A company specific application, Woodgrove.msi, must be installed on all company computers before installing the application. If the application is installed on a computer that is not the users primary computer, a virtual version of the application must be installed. Computers that run Windows Server must not install Microsoft Visio and the Woodgrove.msi application. The application must also be made available to users to install on-demand to other computers in the organization.

The following sections in this topic provide example steps for how to use Configuration Manager to create, deploy, and manage applications in your organization: Preparation Step 1: Create and deploy the Woodgrove.msi application Step 2: Create an application for Microsoft Visio Step 3: Create multiple deployment types for the Microsoft Visio application Step 4: Test the application by using a simulated deployment Step 5: Deploy the Microsoft Visio application Step 6: Supersede the Microsoft Visio application Step 7: Remove the Microsoft Visio application

1582

Preparation
Before John can manage applications by using Configuration Manager, he takes the actions outlined in the following table.
Process Reference

John reviews the available information about the basic concepts for application management in Configuration Manager. John reviews and implements the required prerequisites to deploy applications.

For overview information about application management, see Introduction to Application Management in Configuration Manager. For information about the prerequisites for application management, see Prerequisites for Application Management in Configuration Manager. For information about how to configure the Application Catalog and Software Center, see Configuring the Application Catalog and Software Center in Configuration Manager.

John configures and tests the Application Catalog and Software Center, which allow users to browse for and install software.

Step 1: Create and deploy the Woodgrove.msi application

The application named Woodgrove.msi must be installed on all computers in the company, except for servers. To create this application in Configuration Manager, John takes the actions outlined in the following table.
Process Reference

From the Configuration Manager console, John runs the Create Application Wizard.

For information about how to start the Create Application Wizard, see the Step 1: Start the Create Application Wizard section in the How to Create Applications in Configuration Manager topic. For information about how to automatically detect information about the application from the application installation files, see the To automatically detect application information section in the How to Create Applications in Configuration Manager topic.

To automatically populate the wizard with information about the Woodgrove.msi installation file, John selects the installation file type Windows Installer (Native). He then reviews the information that has been read from the application installation file and provides further information on the General page of the Create Application Wizard. John

1583

Process

Reference

names the application Woodgrove Business Application. John completes the wizard. The new application and a deployment type (named Woodgrove MSI) for the application is created and displayed in the Applications node of the Software Library workspace. John starts the Distribute Content Wizard in order to copy the application content to the required distribution points in the Woodgrove Bank hierarchy. He uses the Content Status node in the Monitoring workspace to confirm that the content for the application has been successfully distributed. For information about the Distribute Content Wizard, see the Distribute Content on Distribution Points section in the Operations and Maintenance for Content Management in Configuration Manager topic. For information about how to monitor the distribution of application content, see the Content Status Monitoring section in the Operations and Maintenance for Content Management in Configuration Manager topic. For information about how to create collections, see How to Create Collections in Configuration Manager

John creates a device collection that contains all computers that run a desktop operating system in the Woodgrove Bank hierarchy. He names this collection All Desktop and Laptop Computers. John uses the Deploy Software Wizard to deploy the application to the All Desktop and Laptop Computers collection by using the following parameters: Deployment action - Install Deployment purpose Required

For information about how to deploy applications, see How to Deploy Applications in Configuration Manager.

John monitors the deployment of Woodgrove.msi to ensure that it is successfully installed on all computers in the All Desktop and Laptop Computers collection.

For more information about how to monitor application deployments, see How to Monitor Applications in Configuration Manager.

Step 2: Create an application for Microsoft Visio

John must now create an application for Microsoft Visio. To create this application in Configuration Manager, John takes the actions outlined in the following table.

1584

Process

Reference

From the Configuration Manager console, John runs the Create Application Wizard.

For information about how to start the Create Application Wizard, see the Step 1: Start the Create Application Wizard section in the How to Create Applications in Configuration Manager topic. For information about how to automatically detect information about the application from the application installation files, see the To automatically detect application information section in the How to Create Applications in Configuration Manager topic.

John uses the Create Application Wizard to create a new application named Microsoft Visio (Woodgrove Bank). He selects the option to automatically detect application information from the Windows Installer (.msi) file for Microsoft Visio. John completes the wizard. The new application and a deployment type for the application is created and displayed in the Applications node of the Software Library workspace. John opens the properties for the Microsoft Visio (Woodgrove Bank) application and clicks the Deployment Types tab. He then selects the deployment type that was just created, and clicks Edit. On the Requirements tab of the <deployment type> Properties dialog box, John configures the following requirements: Category: Device, Condition: Total physical memory, Operator: Greater than or equal to, Value (MB): 4000 This requirement ensures that the deployment type can be installed only on computers with more than 4 GB RAM. Category: Device, Condition: Operating system, Operator: One of, Windows 7 This requirement ensures that the deployment type can be installed only on computers that run Windows 7. Note This requirement also prevents the deployment type from installing on computers that run Windows

For information about deployment type requirements, see the Step 6: Specify Requirements for the Deployment Type section in the How to Create Deployment Types in Configuration Manager topic.

1585

Process

Reference

Server. Category: User, Condition: Primary Device, Operator: Equals, Value: True This requirement ensures that the Windows Installer deployment type can run only on the user's primary device. For more information about dependencies, see the Step 7: Specify Dependencies for the Deployment Type section in the How to Create Deployment Types in Configuration Manager topic.

On the Dependencies tab of the <deployment type> Properties dialog box, John configures the following dependency: Dependency group name Woodgrove Visio Applications. Application Woodgrove Business Application Supported Deployment Types Woodgrove MSI

John also selects the Auto Install check box to ensure that the Woodgrove.msi business application will automatically install on any computer, if required, before installing Microsoft Visio.

Step 3: Create multiple deployment types for the Microsoft Visio application
For John's business purposes, he requires two deployment types: The MSI deployment type that locally installs the application, and a virtual deployment type. John creates a deployment type for the Microsoft Visio virtual application by taking the actions outlined in the following table.
Process Reference

John uses the Microsoft Application Virtualization (App-V) Sequencer to create a virtual application for Microsoft Visio. John opens the Applications node in the Software Library workspace and selects the Microsoft Visio (Woodgrove Bank) application. Then, on the Home tab, in the Application group, he clicks Create Deployment Type.

For more information, see the topic How to Sequence a New Application (App-V 4.6) in the Application Virtualization documentation. For more information about how to create deployment types, see How to Create Deployment Types in Configuration Manager.

1586

Process

Reference

To automatically populate the wizard with information about the virtual application, John selects the installation file type Microsoft Application Virtualization and then browses to the XML manifest file for the Microsoft Visio virtual application. On the Requirements page of the Create Deployment Type Wizard, John configures the following requirements: Category: Device, Condition: Total physical memory, Operator: Greater than or equal to, Value (MB): 4000 This requirement ensures that the deployment type can be installed only on computers with more than 4 GB RAM. Category: Device, Condition: Operating system, Operator: One of, Windows 7 This requirement ensures that the deployment type can be installed only on computers that run Windows 7. Note This requirement also prevents the deployment type from installing on computers that run Windows Server. Category: User, Condition: Primary Device, Operator: Equals, Value: False This requirement ensures that the virtual application deployment type will run only on devices that are not the users primary device. For more information about application dependencies, see the Step 7: Specify Dependencies for the Deployment Type section in the How to Create Deployment Types in Configuration Manager topic. For information about deployment type requirements, see the Step 6: Specify Requirements for the Deployment Type section in the How to Create Deployment Types in Configuration Manager topic.

On the Dependencies tab of the <deployment type> Properties dialog box, John configures the following dependency: Dependency group name Woodgrove Visio Applications. Application Woodgrove Business Application Supported Deployment Types Woodgrove MSI

1587

Process

Reference

John also selects the Auto Install check box to ensure that the Woodgrove.msi business application will automatically install on any computer, if required, before installing Microsoft Visio. John starts the Distribute Content Wizard to copy the application content to the required distribution points in the Woodgrove Bank hierarchy. He then uses the Content Status node in the Monitoring workspace to confirm that the content for the application has been successfully distributed. For information about the Distribute Content Wizard, see the Distribute Content on Distribution Points section in the Operations and Maintenance for Content Management in Configuration Manager topic. For information about how to monitor the distribution of application content, see the Content Status Monitoring section in the Operations and Maintenance for Content Management in Configuration Manager topic.

Step 4: Test the application by using a simulated deployment

Before John deploys the Microsoft Visio application, he wants to test the deployment to find out how many computers will install local and virtual copies of Microsoft Visio. He also wants to determine how many computers do not meet the requirements to install the application. In order to obtain this information, John configures a simulated deployment by taking the actions outlined in the following table.
Process Reference

John creates two new user collections. The first collection is named Required Visio Installation. It contains the names of the 200 users who must have Visio installed. The second collection, named Optional Visio Installation, contains all users. In this second collection, John adds a new exclude collection rule so that the members of the Required Visio Installation collection will be excluded from this collection. John runs the Simulate Application Deployment Wizard.

For more information about how to create user collections, see the To create a user collection section in the How to Create Collections in Configuration Manager topic.

For more information about simulated application deployments, see How to Simulate
1588

Process

Reference

He creates a simulated deployment with an action of Install and deploys it to the Required Visio Installation collection. He then creates a second simulated deployment by using the same parameters to the Optional Visio Installation collection. John examines the status of each simulated deployment in the Deployments node of the Monitoring workspace. These deployments are listed with a purpose of Simulate. He discovers that about ten percent of the computers do not meet the requirements to install Microsoft Visio and he reports this information to his manager.

an Application Deployment in Configuration Manager.

For more information about how to monitor application deployments, see How to Monitor Applications in Configuration Manager.

Step 5: Deploy the Microsoft Visio application

John is now ready to deploy the new Microsoft Visio application. To accomplish this, he takes the actions outlined in the following table.
Process Reference

John uses the Deploy Software Wizard to create two deployments of the Microsoft Visio application: Deployment 1 to the Required Visio Installation collection with an action of Install and a purpose of Required. Deployment 2 to the Optional Visio Installation collection with an action of Install and a purpose of Available.

For information about how to deploy applications, see How to Deploy Applications in Configuration Manager.

John regularly monitors both of these For more information about how to monitor deployments of Microsoft Visio. He can application deployments, see How to Monitor troubleshoot any problems that might occur by Applications in Configuration Manager. using the information in the Deployments node of the Monitoring workspace. John is able to report to his managers at Woodgrove Bank that the Microsoft Visio deployment has been successful.
1589

Step 6: Supersede the Microsoft Visio application

A new version of Microsoft Visio is released and Woodgrove Bank decides to upgrade all installed copies of the software to the new version. To accomplish this task, John takes the actions outlined in the following table.
Process Reference

John deletes the current deployments of the Microsoft Visio application.

For information about how to delete an application deployment, see How to Deploy Applications in Configuration Manager. For more information, see Step 3: Create multiple deployment types for the Microsoft Visio application in this topic.

John creates deployment types for the new versions in the Microsoft Visio application for the full installation of Microsoft Visio and for a virtual installation of Microsoft Visio. John adds two new supersedence relationships: One for the full installation of Microsoft Visio and one for the virtual installation. He also selects the option to uninstall the previous versions.

For more information about superseding applications, see How to Use Application Supersedence in Configuration Manager.

John redeploys the Microsoft Visio application For information about how to deploy an to computers in the Woodgrove Bank hierarchy. application, see How to Deploy Applications in Configuration Manager. John monitors the state of these application deployments and is able to report to his manager that the new version of Microsoft Visio has been successfully deployed. For more information about how to monitor application deployments, see How to Monitor Applications in Configuration Manager.

Step 7: Remove the Microsoft Visio application

Woodgrove Bank decides that they no longer require Microsoft Visio to be installed on computers in their hierarchy. They ask John to remove all copies of the software from computers in the company. To accomplish this, he takes the actions outlined in the following table.
Process Reference

John deletes all deployments of the Microsoft Visio application.

For information about how to delete an application deployment, see How to Deploy Applications in Configuration Manager. For more information about deployment type options, see How to Create Deployment Types
1590

John checks the properties of each deployment type in the Microsoft Visio application. On the

Process

Reference

Programs tab of the Deployment Properties dialog box, he verifies that an uninstall program has been specified. John then deploys the Microsoft Visio application to all computers with an action of Uninstall and a purpose of Required. John monitors the application deployment and is able to report to his manager that all copies of Microsoft Visio have been removed from the computers at Woodgrove Bank.

in Configuration Manager.

For information about how to deploy an application, see How to Deploy Applications in Configuration Manager. For more information about how to monitor application deployments, see How to Monitor Applications in Configuration Manager.

See Also
Technical Reference for Application Management in Configuration Manager

Software Updates in Configuration Manager

Software Updates in System Center 2012 Configuration Manager provides a set of tools and resources that can help you to manage, deploy, and monitor software updates in the enterprise.

Software Updates Topics

The following topics help you to manage software updates in Configuration Manager: Introduction to Software Updates in Configuration Manager Planning for Software Updates in Configuration Manager Configuring Software Updates in Configuration Manager Operations and Maintenance for Software Updates in Configuration Manager Security and Privacy for Software Updates in Configuration Manager Technical Reference for Software Updates in Configuration Manager

Other Resources for this Product

TechNet Library main page for System Center 2012 Configuration Manager Deploying Software and Operating Systems in System Center 2012 Configuration Manager

1591

Introduction to Software Updates in Configuration Manager

Software updates in System Center 2012 Configuration Manager provides a set of tools and resources that can help manage the complex task of tracking and applying software updates to client computers in the enterprise. An effective software update management process is necessary to maintain operational efficiency, overcome security issues, and maintain the stability of the network infrastructure. However, because of the changing nature of technology and the continual appearance of new security threats, effective software update management requires consistent and continual attention. See the following sections for more information about software updates: Software Updates Synchronization Software Updates Compliance Assessment Software Update Deployment Packages Software Update Deployment Workflows Software Update Deployment Process Extend Software Updates in Configuration Manager Support for Windows Embedded Devices That Use Write Filters Network Access Protection Whats New in Configuration Manager Whats New in Configuration Manager SP1

For an example scenario that shows how you might deploy software updates in your environment, see Example Scenario for Using Configuration Manager to Deploy and Monitor the Security Software Updates Released Monthly by Microsoft.

Software Updates Synchronization

Software updates synchronization in Configuration Manager uses Microsoft Update to retrieve software updates metadata. The top-level site (central administration site or stand-alone primary site) synchronizes with Microsoft Update on a schedule or when you manually start synchronization from the Configuration Manager console. When Configuration Manager finishes software updates synchronization at the top-level site, software updates synchronization starts at child sites, if they exist. When synchronization is complete at each primary site or secondary site, a site-wide policy is created that provides to client computers the location of the software update points. Note Software updates are enabled by default in client settings. However, if you set the Enable software updates on clients client setting to No to disable software updates on a collection or in the default settings, the location for software update points are not sent to associated clients. For more information about the software updates client settings,
1592

see the Software Updates section in the About Client Settings in Configuration Manager topic. After the client receives the policy, the client starts a scan for software updates compliance and writes the information to Windows Management Instrumentation (WMI). The compliance information is then sent to the management point that then sends the information to the site server. For more information about compliance assessment, see the Software Updates Compliance Assessment section in this topic. For Configuration Manager SP1 only: Starting in Configuration Manager SP1, you can install multiple software update points at a primary site. The first software update point that you install is configured as the synchronization source. This synchronizes from Microsoft Update or a WSUS server not in your Configuration Manager hierarchy. The other software update points at the site use the first software update point as the synchronization source. Note When the software updates synchronization process is complete at the top-level site, the software updates metadata is replicated to child sites by using database replication. When you connect a Configuration Manager console to the child site, Configuration Manager displays the software updates metadata. However, until you install and configure a software update point at the site, clients will not scan for software updates compliance, clients will not report compliance information to Configuration Manager, and you cannot successfully deploy software updates.

Synchronization on the Top-Level Site

The software updates synchronization process at the top-level site retrieves from Microsoft Update the software updates metadata that meet the criteria that you specify in Software Update Point Component properties. You configure the criteria only at the top-level site. Note Starting in Configuration Manager SP1, at the top-level site, you can specify as the synchronization source instead of Microsoft Update an existing WSUS server that is not in the Configuration Manager hierarchy. The following list describes the basic steps for the synchronization process on the top-level site: 1. Software updates synchronization starts. 2. WSUS Synchronization Manager sends a request to WSUS running on the software update point to start synchronization with Microsoft Update. 3. The software updates metadata is synchronized from Microsoft Update, and any changes are inserted or updated in the WSUS database. 4. When WSUS has finished synchronization, WSUS Synchronization Manager synchronizes the software updates metadata from the WSUS database to the Configuration Manager database, and any changes after the last synchronization are inserted or updated in the site

1593

database. The software updates metadata is stored in the site database as a configuration item. 5. The software updates configuration items are sent to child sites by using database replication. 6. When synchronization has finished successfully, WSUS Synchronization Manager creates status message 6702. 7. WSUS Synchronization Manager sends a synchronization request to all child sites. 8. For a stand-alone primary site that is running System Center 2012 Configuration Manager SP1 only: WSUS Synchronization Manager sends a request one at a time to WSUS running on other software update points at the site. The WSUS servers on the other software update points are configured to be replicas of WSUS running on the default software update point at the site.

Synchronization on Child Primary and Secondary Sites

During the software updates synchronization process on the top-level site, the software updates configuration items are replicated to child sites by using database replication. At the end of the process, the top-level site sends a synchronization request to the child site, and the child site starts the WSUS synchronization. The following list provides the basic steps for the synchronization process on a child primary site or secondary site: 1. WSUS Synchronization Manager receives a synchronization request from the top-level site. 2. Software updates synchronization starts. 3. WSUS Synchronization Manager makes a request to WSUS running on the software update point to start synchronization. 4. WSUS running on the software update point on the child site synchronizes software updates metadata from WSUS running on the software update point on the parent site. 5. When synchronization has finished successfully, WSUS Synchronization Manager creates status message 6702. 6. From a primary site, WSUS Synchronization Manager sends a synchronization request to any child secondary sites. The secondary site starts the software updates synchronization with the parent primary site. The secondary site is configured as a replica of WSUS running on the parent site. 7. For Configuration Manager with no service pack only: When there is a remote Internet-based software update point, WSUS Synchronization Manager starts the synchronization process for WSUS running on the remote site system. 8. For Configuration Manager SP1 only: WSUS Synchronization Manager sends a request one at a time to WSUS running on other software update points at the site. The WSUS servers on the other software update points are configured to be replicas of WSUS running on the default software update point at the site.

1594

Synchronization for Internet-Based Software Update Points

Important This section applies to Configuration Manager with no service pack only. When synchronization has finished for the active software update point at a site, synchronization is started for the active Internet-based software update point for the site, if you configured it. This process resembles the synchronization process on child sites, except that WSUS running on the active Internet-based software update point synchronizes with WSUS running on the active software update point for the same site. 1. WSUS Synchronization Manager makes a request to WSUS running on the remote Internetbased software update point to start synchronization. 2. WSUS running on the remote Internet-based software update point synchronizes software updates metadata from WSUS running on the active software update point for the same site. 3. When synchronization has finished successfully, WSUS Synchronization Manager creates status message 6702. 4. WSUS Synchronization Manager sends a synchronization request to any child sites. When the synchronization source configured for the Internet-based software update point is not configured to synchronize with an upstream update server, you can use the Export and Import functions of the WSUSutil tool to synchronize software updates metadata from an active software update point for the site. For more information, see the Synchronize Software Updates from a Disconnected Software Update Point section in the Configuring Software Updates in Configuration Manager topic.

Software Updates Compliance Assessment

Before you deploy software updates to client computers in Configuration Manager, start a scan for software updates compliance on client computers. For each software update, a state message is created that contains the compliance state for the update. The state messages are sent in bulk to the management point and then to the site server, where the compliance state is inserted into the site database. The compliance state for software updates is displayed in the Configuration Manager console. You can deploy and install software updates on computers that require the updates. The following sections provide information about the compliance states and describe the process for scanning for software updates compliance.

Software Updates Compliance States

The following table lists and describes each compliance state that is displayed in the Configuration Manager console for software updates.
State Description

Required

Specifies that the software update is applicable and required on the client computer. Any of the
1595

State

Description

following conditions could be true when the software update state is Required: The software update was not deployed to the client computer. The software update was installed on the client computer. However, the most recent state message has not yet been inserted into the database on the site server. The client computer rescans for the update after the installation has finished. There might be a delay of up to two minutes before the client sends the updated state to the management point that then forwards the updated state to the site server. The software update was installed on the client computer. However, the software update installation requires a computer restart before the update is completed. The software update was deployed to the client computer but has not yet been installed.

Not Required

Specifies that the software update is not applicable on the client computer. Therefore, the software update is not required. Specifies that the software update is applicable on the client computer and that the client computer already has the software update installed. Specifies that the site server has not received a state message from the client computer, typically because one of the following: The client computer did not successfully scan for software updates compliance. The scan finished successfully on the client computer. However, the state message has not yet been processed on the site server, possibly because of a state message backlog. The scan finished successfully on the client computer, but the state message has not been received from the child site.
1596

Installed

Unknown

State

Description

The scan finished successfully on the client computer, but the state message file was corrupted in some way and could not be processed.

Scan for Software Updates Compliance Process

When the software update point is installed and synchronized, a site-wide machine policy is created that informs client computers that Configuration Manager Software Updates was enabled for the site. When a client receives the machine policy, a compliance assessment scan is scheduled to start randomly within the next two hours. When the scan is started, a Software Updates Client Agent process clears the scan history, submits a request to find the WSUS server that should be used for the scan, and updates the local Group Policy with the WSUS server location. Note Internet-based clients must connect to the WSUS server by using SSL. A scan request is passed to the Windows Update Agent (WUA). The WUA then connects to the WSUS server location that is listed in the local policy, retrieves the software updates metadata that has been synchronized on the WSUS server, and scans the client computer for the updates. A Software Updates Client Agent process detects that the scan for compliance has finished, and it creates state messages for each software update that changed in compliance state after the last scan. The state messages are sent to the management point in bulk every 15 minutes. The management point then forwards the state messages to the site server, where the state messages are inserted into the site server database. After the initial scan for software updates compliance, the scan is started at the configured scan schedule. However, if the client has scanned for software updates compliance in the time frame indicated by the Time to Live (TTL) value, the client uses the software updates metadata that is stored locally. When the last scan is outside the TTL, the client must connect to WSUS running on the software update point and update the software updates metadata stored on the client. Including the scan schedule, the scan for software updates compliance can start in the following ways: Software updates scan schedule: The scan for software updates compliance starts at the configured scan schedule that is configured in the Software Updates Client Agent settings. For more information about how to configure the Software Updates client settings, see the see the Software Updates section in the About Client Settings in Configuration Manager topic. Configuration Manager Properties action: The user can start the Software Updates Scan Cycle or Software Updates Deployment Evaluation Cycle action on the Action tab in the Configuration Manager Properties dialog box on the client computer.

1597

Deployment reevaluation schedule: The deployment evaluation and scan for software updates compliance starts at the configured deployment reevaluation schedule, which is configured in the Software Updates Client Agent settings. For more information about the Software Updates client settings, see the Software Updates section in the About Client Settings in Configuration Manager topic. Prior to downloading update files: When a client computer receives an assignment policy for a new required deployment, the Software Updates Client Agent downloads the software update files to the local client cache. Before downloading the software update files, the client agent starts a scan to verify that the software update is still required. Prior to software update installation: Just before the software update installation, the Software Updates Client Agent starts a scan to verify that the software updates are still required. After software update installation: Just after a software update installation is complete, the Software Updates Client Agent starts a scan to verify that the software updates are no longer required and creates a new state message that states that the software update is installed. When the installation has finished, but a restart is necessary, the state message indicates that the client computer is pending a restart. After system restart: When a client computer is pending a system restart for the software update installation to finish, the Software Updates Client Agent starts a scan after the restart to verify that the software update is no longer required and creates a state message that states that the software update is installed.

Time to Live Value

The software updates metadata that is required for the scan for software updates compliance is stored on the local client computer, and by default, is relevant for up to 24 hours. This value is known as the Time to Live (TTL).

Scan for Software Updates Compliance Types

The client scans for software updates compliance by using an online or offline scan and a forced or non-forced scan, depending on the way the scan for software updates compliance is started. The following table describes which methods for starting the scan are online or offline and whether the scan is forced or non-forced.
Scan method Scan type Description

Software updates scan schedule

Non-forced online scan

At the configured scan schedule, the client connects to WSUS running on the software update point to retrieve the software updates metadata only when the last scan was outside the TTL.

1598

Scan method

Scan type

Description

Software Updates Scan Cycle or Software Updates Deployment Evaluation Cycle

Forced online scan

The client computer always connects to WSUS running on the software update point to retrieve the software updates metadata before the client computer scans for software updates compliance. After the scan is complete, the TTL counter is reset. For example, if the TTL is 24 hours, after a user starts a scan for software updates compliance, the TTL is reset to 24 hours. At the configured deployment reevaluation schedule, the client connects to WSUS running on the software update point to retrieve the software updates metadata only when the last scan was outside the TTL. Before the client can download update files in required deployments, the client connects to WSUS running on the software update point to retrieve the software updates metadata only when the last scan was outside the TTL. Before the client installs software updates in required deployments, the client connects to WSUS running on the software update point to retrieve the software updates metadata only when the last scan was outside the TTL. After a software update is installed, the Software Updates Client Agent starts a scan by
1599

Deployment reevaluation schedule

Non-forced online scan

Prior to downloading update files

Non-forced online scan

Prior to software update installation

Non-forced online scan

After software update installation

Forced offline scan

Scan method

Scan type

Description

using the local metadata. The client never connects to WSUS running on the software update point to retrieve software updates metadata. After system restart Forced offline scan After a software update is installed and the computer is restarted, the Software Updates Client Agent starts a scan by using the local metadata. The client never connects to WSUS running on the software update point to retrieve software updates metadata.

Software Update Deployment Packages

A software update deployment package is the vehicle used to download software updates to a network shared folder, and copy the software update source files to the content library on site servers and on distribution points that are defined in the deployment. By using the Download Updates Wizard, you can download software updates and add them to deployment packages before you deploy them. This wizard lets you provision software updates on distribution points and verify that this part of the deployment process is successful before you deploy the software updates to clients. When you deploy downloaded software updates by using the Deploy Software Updates Wizard, the deployment automatically uses the deployment package that contains the software updates. When software updates that have not been downloaded are deployed, you must specify a new or existing deployment package in the Deploy Software Updates Wizard, and the software updates are downloaded when the wizard is finished. Important You must manually create the shared network folder for the deployment package source files before you specify it in the wizard. Each deployment package must use a different shared network folder. Security The SMS Provider computer account and the administrative user who actually downloads the software updates both require Write permissions to the package source. Restrict access to the package source to reduce the risk of an attacker tampering with the software updates source files in the package source.
1600

When a new deployment package is created, the content version is set to 1 before any software updates are downloaded. When the software update files are downloaded by using the package, the content version is incremented to 2. Therefore, all new deployment packages start with a content version of 2. Every time that the content changes in a deployment package, the content version is incremented by 1. For more information about content management in Configuration Manager, see Introduction to Content Management in Configuration Manager. Clients install software updates in a deployment by using any distribution point that has the software updates available, regardless of the deployment package. Even if a deployment package is deleted for an active deployment, clients still can install the software updates in the deployment as long as each update was downloaded to at least one other deployment package and is available on a distribution point that can be accessed from the client. When the last deployment package that contains a software update is deleted, client computers cannot retrieve the software update until the update is downloaded again to a deployment package. Software updates appear with a red arrow in the Configuration Manager console when the update files are not in any deployment packages. Deployments appear with a double red arrow if they contain any updates in this condition.

Software Update Deployment Workflows

There are two main scenarios for deploying software updates in your environment, manual deployment and automatic deployment. Typically, you deploy software updates manually to create a baseline for client computers, and then you manage software updates on clients by using automatic deployment. The following sections provide a summary for the workflow for manual and automatic deployment for software updates.

Manual Deployment of Software Updates

Manual deployment of software updates is the process of selecting software updates in the Configuration Manager console and manually starting the deployment process. You typically use this method of deployment to get the client computers up-to-date with required software updates before you create automatic deployment rules that manage ongoing monthly software update deployments, and to deploy out of band software update requirements. The following list provides the general workflow for manual deployment of software updates: 1. Filter for software updates that use specific requirements. For example, you could provide criteria that retrieves all security or critical software updates that are required on more than 50 client computers. 2. Create a software update group that contains the software updates. 3. Download the content for the software updates in the software update group. 4. Manually deploy the software update group.

1601

Automatic Deployment of Software Updates

Automatic software updates deployment is configured by using automatic deployment rules. You typically use this method of deployment for your monthly software updates (generally known as Patch Tuesday) and for managing definition updates. When the rule runs, the software updates that meet a specified criteria (for example, all security software updates released in the last week) are added to a software update group, the content files for the software updates are downloaded and copied to distribution points, and the software updates are deployed to client computers in the target collection. The following list provides the general workflow for automatic deployment of software updates: 1. Create an automatic deployment rule that specifies deployment settings such as the following: Target collection Decide whether to enable the deployment or report on software updates compliance for the client computers in the target collection Software updates criteria Evaluation and deployment schedules User experience Download properties

2. The software updates are added to a software update group. 3. The software updates group is deployed to the client computers in the target collection, if it is specified. You must determine what deployment strategy to use in your environment. For example, you might create the automatic deployment rule and target a collection of test clients. After you verify that the software updates are installed on the test group, you can change the collection in the automatic deployment rule to a target collection that includes a larger set of clients. The software update objects that are created by the automatic deployment rules are interactive. Software updates that were deployed by using an automatic deployment rule are automatically deployed to new clients added to the target collection. New software updates added to a software update group are automatically deployed to the clients in the target collection. You can enable or disable deployments at any time for the automatic deployment rule.

Software Update Deployment Process

After you deploy software updates or when an automatic deployment rule runs and deploys software updates, a deployment assignment policy is added to the machine policy for the site. The software updates are downloaded from the download location, the Internet, or network shared folder, to the package source. The software updates are copied from the package source to the content library on the site server, and then copied to the content library on the distribution point.

1602

When a client computer in the target collection for the deployment receives the machine policy, the Software Update Client Agent starts an evaluation scan. The client agent downloads the content for required software updates from a distribution point to the local client cache soon after it receives the deployment, but waits until after the Software available time setting for the deployment before the software updates are available to install. The software updates in optional deployments (deployments that do not have an installation deadline) are not downloaded until a user manually starts the installation. When the configured deadline passes, the Software Updates Client Agent performs a scan to verify that the software updates are still required. Then it checks the local cache on the client computer to verify that the software update source files are still available. Finally, the client installs the software updates. If the content was deleted from the client cache to make room for another deployment, the client re-downloads the software updates from the distribution point to the client cache. Software updates are always downloaded to the client cache regardless of the configured maximum client cache size. When the installation is complete, the client agent verifies that the software updates are no longer required, and then sends a state message to the management point to indicate that the software updates are now installed on the client.

Required System Restart

By default, when software updates from a required deployment are installed on a client computer and a system restart is required for the installation to finish, the system restart is started. For software updates that were installed before the deadline, the automatic system restart is postponed until the deadline, unless the computer is restarted before that for some other reason. The system restart can be suppressed for servers and workstations. These settings are configured in the User Experience page of the Deploy Software Updates Wizard or Create Automatic Updates Rule Wizard.

Deployment Reevaluation Cycle

By default, client computers start a deployment reevaluation cycle every 7 days. During this evaluation cycle, the client computer scans for software updates that were previously deployed and installed. If any software updates are missing, the software updates are reinstalled from the local cache. If a software update is no longer available in the local cache, it is downloaded from a distribution point and then installed. You can configure the reevaluation schedule on the Software Updates page in client settings for the site.

Support for Windows Embedded Devices That Use Write Filters

For Configuration Manager SP1 only: When you deploy software updates to Windows Embedded devices that are write filter-enabled, you can specify whether to disable the write filter on the device during the deployment and then restart the device after the deployment. If the write filter is not disabled, the software is deployed
1603

to a temporary overlay and the software will no longer be installed when the device restarts unless another deployment forces changes to be persisted. Note When you deploy a software update to a Windows Embedded device, make sure that the device is a member of a collection that has a configured maintenance window. This lets you manage when the write filter is disabled and enabled, and when the device restarts. The user experience setting that controls the write filter behavior is a check box named Commit changes at deadline or during a maintenance windows (requires restarts) . For more information about how Configuration Manager manages embedded devices that use write filters, see the Deploying the Configuration Manager Client to Windows Embedded Devices section in the Introduction to Client Deployment in Configuration Manager topic.

Extend Software Updates in Configuration Manager

Use System Center Updates Publisher 2011 to manage software updates that are not available from Microsoft Update. After you publish the software updates to the update server and synchronize the software updates in Configuration Manager, you can deploy the software updates to Configuration Manager clients. For more information about Updates Publisher 2011, see Updates Publisher 2011.

Network Access Protection

Configuration Manager Network Access Protection (NAP) interacts with Configuration Manager and Windows Network Access Protection to help protect the network.

Network Access Protection with Software Updates

When NAP is enabled, Configuration Manager clients can assess whether they are compliant or not with the software updates that you select. Configuration Manager clients send this information in a statement of health (SoH).This is presented to the Configuration Manager System Health Validator that resides on the System Health Validator point site system role. The System Health Validator point is installed on a computer that is running Windows Server 2008 with the Network Policy Server role. It validates whether the client computer is compliant or noncompliant and passes the health state of that computer to the Windows Network Policy Server.

Enforcing Compliance with Software Updates on the Network Policy Server

The Windows Network Policy Server is configured to use policies that determine the action for computers that are known to be compliant or noncompliant.
1604

If the health state of a client cannot be determined, then this is considered an error condition. By default, all error conditions are mapped to a noncompliant state. However, they are split into five categories and each category can be configured to map to either compliant or noncompliant. The actions that the Network Policy Server can take based on computer health states include the following: Restrict computers from accessing the full network Provide full access to the network but for a limited period Provide full access to the network indefinitely Remediate noncompliant computers to bring them into compliance with policies

Be aware that the Configuration Manager administrative user cannot control the action that will be taken because of a computer health state that it passes to the Network Policy Server. However, if the Network Policy Server is configured to enforce compliance through remediation, Configuration Manager services are then used to deliver the software updates that are required to bring noncompliant clients into compliance. When compliance is successfully remediated, clients reassess their statement of health, which then changes from noncompliant to compliant, and their health state is updated to compliant.

Configuring Software Updates for Network Access Protection

You select the software updates that clients must have to be compliant by creating Configuration Manager NAP policies. You can only select software updates that are already downloaded to the content library on the site server. Unlike software update deployments that are targeted to collections of your choice, Configuration Manager NAP policies are automatically targeted to all computers that are assigned to the site. Configuration Manager NAP policies flow down the Configuration Manager hierarchy, similar to the behavior of software deployments and packages in Configuration Manager. Sites that inherit the Configuration Manager NAP policies then automatically target the Configuration Manager NAP policies to clients assigned to the site. Important Because of this automatic targeting and inheritance throughout the hierarchy, you must remember that a Configuration Manager NAP policy potentially affects every client in the hierarchy.

Whats New in Configuration Manager

Note The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide. Although the general concepts for deploying software updates are the same in System Center 2012 Configuration Manager as they were in Configuration Manager 2007, new or updated functionality is available that improves the software update deployment process. This includes automatic approval and deployment for software updates, improved search with
1605

expanded criteria, improvements to software updates monitoring, and greater user control for scheduling software update installation. The following items are new or have changed since Configuration Manager 2007: Software update groups are new in Configuration Manager and replace update lists that were used in Configuration Manager 2007. Software update groups more effectively organize software updates in your environment. You can manually add software updates to a software updates group, or add software updates automatically to a new or existing software update group by using an automatic deployment rule. You can also deploy a software update group manually or automatically by using an automatic deployment rule. After you deploy a software update group, you can add new software updates to the group, and they are automatically deployed. Automatic deployment rules automatically approve and deploy software updates. You specify the criteria for software updates (for example, all Windows 7 software updates released in the last week), the software updates are added to a software update group, you configure deployment and monitoring settings, and decide whether to deploy the software updates in the software update group. You can deploy the software updates in the software update group or retrieve compliance information from client computers for the software updates in the software update group without deploying them. New search and expanded criteria are available when software updates are listed in the Configuration Manager console. You can add a set of criteria that makes it easy to find the software updates that you must have. You can save the search criteria to use later. For example, you can set criteria for all critical software updates for Windows 7 and for software updates that were released in the last year. After you filter for the updates that you must have, you can select the software updates and review compliance information per software update, create a software update group that contains the software updates, manually deploy the software updates, and so on. In the Configuration Manager console, you can monitor the following software updates objects and processes: Important software updates compliance and deployment views Detailed state messages for all deployments and assets Software updates error codes with additional information to help identify issues Status for software updates synchronization Alerts for important software updates issues

Software update reports are also available that provide detailed state information for software updates, software update groups, and software update deployments. Superseded software updates in Configuration Manager 2007 were automatically expired during the full software updates synchronization process for a site. In System Center 2012 Configuration Manager, you can decide whether to manage superseded software updates as in Configuration Manager 2007, or you can configure a specified time where the software update is not automatically expired after it is superseded. During this time, you can deploy superseded software updates. Configuration Manager gives users more control over when to install software updates on their computer. Configuration Manager Software Center is an application that is installed with
1606

the Configuration Manager client. Users run this application on the Start menu to manage the software that is deployed to them. This includes software updates. In Software Center, users can schedule software update installation at a convenient time before the deadline and install optional software updates. For example, you can configure your business hours and have software updates run outside those hours to minimize productivity loss. When the deadline is reached for a software update, the installation for the software update is started. The content library in System Center 2012 Configuration Manager is the location that stores all content files for software updates, applications, operating system deployment, and so on. The content library provides a single instance store for content files on the site server and distribution points, and provides an advantage over content management functionality in Configuration Manager 2007. For example, in Configuration Manager 2007, you might distribute the same content files multiple times by using different deployments and deployment packages. The result was that the same content files were stored multiple times on the site server and on distribution points and added unnecessary processing overhead and excessive hard disk space requirements. For more information about content management, see the Content Library section in the Introduction to Content Management in Configuration Manager topic. There is no longer a Deployment Templates node in the Configuration Manager console to manage your templates. Deployment templates can be created only in the Automatic Deployment Rules Wizard or Deploy Software Updates Wizard. Deployment templates store many of the deployment properties that might not change from deployment to deployment, and they can save much time for administrative users when they deploy software updates. Deployment templates can be created for different deployment scenarios in your environment. For example, you can create a template for expedited software update deployments and planned deployments. The template for the expedited deployment can suppress display notifications on client computers, set the deadline for zero (0) days from the deployment schedule, and enable system restarts outside maintenance windows. The template for a planned deployment can allow for display notifications on client computers and set the deadline for 14 days from the deployment schedule. When an Internet-based client receives a deployment, the client first tries to download the software files from Microsoft Update instead of distribution points. When the connection to Microsoft is not successful, clients fall back to a distribution point that hosts the software update files and is configured to accept communication from clients on the Internet. Although you can still deploy software updates in System Center 2012 Configuration Manager, there is no longer a visible software update deployment object. The deployment object is now nested in a software update group. There is a non-configurable limit of 1000 software updates for a software update deployment. When you create an automatic deployment rule, verify that the criterion that you specify does not result in more than 1000 software updates. When you manually deploy software updates, do not select more than 1000 updates to deploy. The Network Access Protection node in the Configuration Manager console and the New Policies Wizard are no longer available in System Center 2012 Configuration Manager. To create a NAP policy for software updates, you must select Enable NAP evaluation on the NAP Evaluation tab in software update properties.
1607

Whats New in Configuration Manager SP1

The following items are new or have changed for software updates in Configuration Manager SP1: Software update points are redesigned in Configuration Manager SP1. You can install multiple software update point site systems at a site. You can configure a software update point to be in the same forest as the site server or in a different forest, and whether to accept communication from clients on the Internet, intranet, or both. This behavior provides a level of fault tolerance without requiring a network load balancing (NLB) cluster. You cannot install more than one software update point in a secondary site. For more information, see the Determine the Software Update Point Infrastructure section in the Planning for Software Updates in Configuration Manager topic. Note The active software update point concept is deprecated in Configuration Manager SP1. You no longer have the option to configure a software update point as an NLB in the Configuration Manager console. Before you upgrade from Configuration Manager with no service pack to Configuration Manager SP1, you must remove the NLB for your active software update point. After the upgrade is complete, you have the option to configure NLB by using the Set-CMSoftwareUpdatePoint PowerShell cmdlet. For more information about a software update point configured to use an NLB, see Software Update Point Configured to Use an NLB section in the Planning for Software Updates in Configuration Manager topic. For more information about the Set-CMSoftwareUpdatePoint PowerShell cmdlet, see the SetCMSoftwareUpdatePoint topic in the System Center 2012 Configuration Manager SP1 Cmdlet Reference guide. At the top-level Configuration Manager site, you can now specify an existing WSUS server as the upstream synchronization source location. During synchronization, the site connects to this location to synchronize software updates. For example, if you have an existing WSUS server that is not part of the Configuration Manager hierarchy, you can specify the existing WSUS server to synchronize software updates. You can select from two built-in software update deployment templates from the Automatic Deployment Rule Wizard. The Definition Updates template provides common settings to use when you deploy definition software updates. The Patch Tuesday template provides common settings to use when you deploy software updates on a monthly cycle. In the software update point properties, you can provide credentials for the site server to use to connect to the WSUS server. You can specify this account to connect to a software update point in a different forest, for example. You can run an automatic deployment rule up to 3 times per day to align with the Endpoint Protection definition updates publishing frequency. You can select multiple software updates to install as a group from Software Center. You can control the behavior of the write filter on Windows Embedded devices when you deploy software updates by using the new user experience setting of Commit changes at deadline or during a maintenance windows (requires restarts). For more information about how Configuration Manager manages embedded devices that use write filters, see the
1608

Deploying the Configuration Manager Client to Windows Embedded Devices section in the Introduction to Client Deployment in Configuration Manager topic. The new Computer Agent client setting, Disable deadline randomization lets you disable the installation randomization delay for required software updates and required application deployments. For more information, see the Computer Agent section in the About Client Settings in Configuration Manager topic.

See Also
Software Updates in Configuration Manager

Planning for Software Updates in Configuration Manager

Before you implement software updates in System Center 2012 Configuration Manager in a production environment, you must first plan for this implementation. Use the following sections in this topic to plan for software updates in your Configuration Manager hierarchy: Capacity Planning for the Software Update Point Determine the Software Update Point Infrastructure Software Update Points in Configuration Manager SP1 Upgrade from Configuration Manager with No Service Pack to Configuration Manager SP1 Software Update Point List Software Update Point Switching Software Update Points in an Untrusted Forest Use an Existing WSUS Server as the Synchronization Source at the Top-Level Site Software Update Point Configured to Use an NLB Software Update Point on a Secondary Site Active Software Update Point Internet-Based Software Update Point Active Software Update Point Configured to Use an NLB Software Update Point on a Secondary Site

Software Update Points in Configuration Manager with No Service Pack

Planning for Software Update Point Installation Requirements for the Software Update Point Plan for WSUS Installation Configure Firewalls Synchronization Source
1609

Plan for Synchronization Settings

Synchronization Schedule Update Classifications Products Supersedence Rules Languages Client Settings for Software Updates Client Cache Setting Group Policy Settings for Software Updates

Plan for Settings Associated with Software Updates

Capacity Planning Recommendations for Software Updates

You can use the following recommendations as a baseline that can help you determine the information for the software updates capacity planning that is appropriate to your organization. The actual capacity requirements might vary from the recommendations that are listed in this topic depending on the following criteria: your specific networking environment, the hardware that you use to host the software update point site system, the number of clients that are installed, and the site system roles that are installed on the server.

Capacity Planning for the Software Update Point

The number of supported clients depends on the version of Windows Server Update Services (WSUS) that runs on the software update point, and it also depends on whether the software update point site system role co-exists with another site system role. The software update point can support up to 25,000 clients when WSUS 3.0 Service Pack 2 (SP2) runs on the software update point computer and the software update point co-exists with another site system role. The software update point can support up to 100,000 clients when WSUS 3.0 SP2 runs on the software update point computer and the software update point does not co-exist with another site system role.
2 1

To support more than 25,000 clients, the software update point can be configured to use Network Load Balancing (NLB).
2

To support up to 100,000 clients, the software update point must meet the WSUS. For more information, see Determine WSUS Capacity Requirements.

Capacity Planning for Software Updates Objects

Use the following capacity information to plan for software updates objects. Limit of 1000 software updates in a deployment You must limit the number of software updates to 1000 for each software update deployment. When you create an automatic deployment rule, specify a criteria that limits the number of
1610

software updates that are returned. The automatic deployment rule fails when the criteria that you specify returns more than 1000 software updates. You can check the status of the automatic deployment rule from the Automatic Deployment Rules node in the Configuration Manager console. When you manually deploy software updates, do not select more than 1000 updates to deploy.

Determine the Software Update Point Infrastructure

The central administration site and all child primary sites must have a software update point where you will deploy software updates. As you plan for the software update point infrastructure, you need to determine the following dependencies: where to install the software update point for the site; which sites require a software update point that accepts communication from Internetbased clients; whether you will configure the software update point as an NLB cluster and whether you need a software update point at a secondary site. Important For information about the internal and external dependencies that are required for software updates, see Prerequisites for Software Updates in Configuration Manager.

Software Update Points in Configuration Manager SP1

Important The information in this section applies only to Configuration Manager SP1. Use the following sections to determine the software update point infrastructure in Configuration Manager SP1. Starting with Configuration Manager SP1, you can add multiple software update points at a Configuration Manager primary site. The ability to have multiple software update points at a site provides fault tolerance without requiring the complexity of NLB. However, the failover that you receive with multiple software update points is not as robust as NLB for pure load balancing, but it is rather designed for fault-tolerance. Also, the failover design of the software update point is different than the pure randomization model that is used in the design for management points. Unlike in the design of management points, in the software update points there are client and network performance costs that are associated with switching to a new software update point. When the client switches to a new WSUS server to scan for software updates, the result is an increase in the catalog size and associated client-side and network performance demands. Therefore, the client preserves affinity with the last software update point for which it successfully scanned. The first software update point that you install on a primary site is the synchronization source for all additional software update points that you add at the primary site. After you added your software update points and initiated software updates synchronization, you can view the status of

1611

the software update points and the synchronization source from the Software Update Point Synchronization Status node in the Monitoring workspace. When a software update point fails, and that software update point is configured as the synchronization source for the other software update points at the site, you must manually remove the failed software update point and select a new software update point to use as the synchronization source. For more information about how to remove a software update point, see the Remove the Software Update Point Site System Role section in the Configuring Software Updates in Configuration Manager topic.

Upgrade from Configuration Manager with No Service Pack to Configuration Manager SP1
When you upgrade an existing Configuration Manager with no service pack site to Configuration Manager SP1, consider the following: Before you upgrade from Configuration Manager with no service pack to Configuration Manager SP1, you must remove the NLB for your active software update point. After the upgrade is complete, you have the option to reconfigure the NLB by using Windows PowerShell. For more information about how to switch a software update point, see the Software Update Point Switching section in this topic. When you have an active Internet-based software update point in a Configuration Manager with no service pack site, and then you upgrade the site to Configuration Manager SP1, the active Internet-based software update point is upgraded to a software update point in the software update point list that allows connections only from clients on the Internet. When you have an active software update point (SUP01) in a Configuration Manager with no service pack site, upgrade the site to Configuration Manager SP1, and then add a second software update point (SUP02). As a result, the existing clients will automatically be assigned to SUP01. The clients will switch to SUP02 only on the condition of a failed scan. After you upgraded your site, all new clients will randomly be assigned to SUP01 or SUP02 For more information about the software update point list, see the Software Update Point List section in this topic.

Software Update Point List

Configuration Manager provides the client with a software update point list in the following scenarios: when a new client receives the policy to enable software updates, or when a client cannot contact its software update point and needs to switch to another software update point. The client randomly selects a software update point from the list, and it prioritizes the software update points that are in the same forest. Configuration Manager provides clients with a different list depending on the type of client. Intranet-based clients: Receive a list of software update points that you can configure to allow connections only from the intranet, or a list of software update points that allow Internet and intranet client connections. Internet-based clients: Receive a list of software update points that you configure to allow connections only from the Internet, or a list of software update points that allow Internet and intranet client connections.
1612

Software Update Point Switching

If you have multiple software update points at a site, and then one fails or becomes unavailable, clients will connect to a different software update point and continue to scan for the latest software updates. When a client is first assigned a software update point, it will stay assigned to that software update point unless it fails to scan for software updates on that software update point. Note When you have an active software update point (SUP01) in a Configuration Manager with no service pack site, upgrade the site to Configuration Manager SP1, and then add a second software update point (SUP02). As a result, the existing clients will only switch to SUP02 on the condition of a failed scan. All new clients will randomly be assigned to SUP01 or SUP02 after you upgraded your site to Configuration Manager SP1. The scan for software updates can fail with a number of different retry and non-retry error codes. When the scan fails with a retry error code, the client starts a retry process to scan for the software updates on the software update point. The high-level conditions that result in a retry error code are typically because the WSUS server is unavailable or because it is temporarily overloaded. The client uses the following process when it fails to scan for software updates: 1. The client scans for software updates at its scheduled time, or when it is initiated through the control panel on the client, or by using the SDK. If the scan fails, the client waits 30 minutes to retry the scan, and it uses the same software update point. 2. The client retries a minimum of four times at 30 minute intervals. After the fourth failure, and after it waits an additional two minutes, the client will move to the next software update point in the software update point list. 3. After a successful scan, the client will continue to connect to the software update point. The following list provides additional information that you can consider for software update point retry and switching scenarios: If a client is disconnected from the corporate intranet and fails to scan for software updates, it will not switch to another software update point. This is an expected failure, because the client cannot reach the corporate network or the software update point that allows connection from the intranet. The Configuration Manager client determines the availability of the intranet software update point. If Internet-based client management is enabled, and there are multiple software update points that are configured to accept communication from clients on the Internet, the switching process will follow the standard retry process that is described in the previous scenario. If the scan process started, but the client was powered down before the scan completed, it is not considered a scan failure and it does not count as one of the four retries.

Software Update Points in an Untrusted Forest

You can create one or more software update points at a site to support clients in an untrusted forest. To add a software update point in another forest, you must first install and configure a WSUS server in the forest. Then start the wizard to add a Configuration Manager site server with
1613

the software update point site system role. In the wizard, configure the following settings to successfully connect to WSUS in the untrusted forest: Specify a Site System Installation account that can access the WSUS server in the forest. Specify the WSUS Server Connection account to use to connect to the WSUS server.

For example, you have a primary site in forest A with two software update points (SUP01 and SUP02). Also, for the same primary site you have two software update points (SUP03 and SUP04) in forest B. When the switching occurs in this example, the software update points from the same forest as the client are prioritized first.

Use an Existing WSUS Server as the Synchronization Source at the TopLevel Site
Typically, the top-level site in your hierarchy is configured to synchronize software updates metadata with Microsoft Update. When your corporate security policy does not allow access to the Internet from the top-level site, you can configure the synchronization source for the top-level site to use an existing WSUS server that is not in your Configuration Manager hierarchy. For example, you might have a WSUS server installed in your DMZ that has Internet access, but your top-level site does not. You can configure the WSUS server in the DMZ as your synchronization source for software updates metadata. You must ensure that the WSUS server in the DMZ synchronizes software updates that meet the criteria that you need in your Configuration Manager hierarchy. Otherwise, the top-level site might not synchronize the software updates that you expect. When you install the software update point, configure a WSUS connection account that has access to the WSUS server in the DMZ and confirm that the firewall permits traffic for the appropriate ports. For more information about the ports that are used by the software update point to the synchronization source, see the Software Update Point -- > Upstream WSUS Server section in the Technical Reference for Ports Used in Configuration Manager topic.

Software Update Point Configured to Use an NLB

Starting with Configuration Manager SP1, software update point switching will likely address the fault tolerance needs that you have. However, NLB is more robust than software update point failover for pure load balancing, and NLB can increase the reliability and performance of a network. Though there is no option in the Configuration Manager console to configure the software update point to use NLB, you have the option to configure NLB by using the SetCMSoftwareUpdatePoint PowerShell cmdlet. For more information about the SetCMSoftwareUpdatePoint PowerShell cmdlet, see the Set-CMSoftwareUpdatePoint topic in the System Center 2012 Configuration Manager SP1 Cmdlet Reference guide. Note Before you upgrade from Configuration Manager with no service pack to Configuration Manager SP1, you must remove the NLB from your active software update point. After the upgrade is complete, you have the option to reconfigure the NLB by using Windows PowerShell.

1614

Software Update Point on a Secondary Site

The software update point is optional on a secondary site. When you install a software update point on a secondary site, the WSUS database is configured as a replica of the default software update point at the parent primary site. You can install only one software update point at a secondary site. The devices that are assigned to a secondary site are configured to use a software update point at the parent site when a software update point is not installed at the secondary site. Typically, you will install a software update point at a secondary site when there is limited network bandwidth between the devices that are assigned to the secondary site and the software update points at the parent primary site, or when the software update point approaches the capacity limit. After a software update point is successfully installed and configured at the secondary site, a site-wide policy is updated for client computers that are assigned to the site, and they will start to use the new software update point.

Software Update Points in Configuration Manager with No Service Pack

Important The information in this topic applies only to Configuration Manager with no service pack. Use the following sections to determine the software update point infrastructure in Configuration Manager with no service pack. Note For more information about how to install a software update point in an untrusted forest, see the Planning for Communications Across Forests in Configuration Manager section in the Planning for Communications in Configuration Manager topic.

Active Software Update Point

The central administration site and all child primary sites in the Configuration Manager hierarchy must have an active software update point to support software update deployments to client computers. The active software update point on a primary site uses the central administration site as the synchronization source. The software update point communicates with WSUS to configure settings and to synchronize software updates. You can configure the active software update point to accept communication only from clients on the intranet or to accept communication from clients on the intranet and Internet. When the active software update point is not configured to accept communication from clients on the Internet, you have the option to create an Internet-based software update point on a remote site system. You can add the software update site role to a secondary site, or client computers at the secondary site can connect directly to the active software update point on the parent primary site.

1615

Internet-Based Software Update Point

The Internet-based software update point accepts communication from client computers on the Internet. You can create the Internet-based software update point only when the active software update point is not configured to accept communication from client computers on the Internet. You must install the Internet-based software update point on a site system that is remote from the site server, located in a perimeter network, and accessible to Internet-based client computers. The Internet-based software update point synchronizes with the active software update point at the same site by default. When the Internet-based software update point is disconnected from the active software update point, you can manually synchronize software updates by using the export and import process. For more information, see the Synchronize Software Updates from a Disconnected Software Update Point section in this topic.

Active Software Update Point Configured to Use an NLB

NLB can increase the reliability and performance of a network. You can set up multiple WSUS servers that share a single SQL Server failover cluster, and then configure a software update point to use NLB. If you configure the active software update point site system in a NLB cluster, it does not necessarily increase client capacity, but it might provide higher availability for the software update point. Before you configure the software update point to use an NLB cluster, you must complete several configuration steps. For more information, see How to Configure a Software Update Point to Use Network Load Balancing (NLB) Cluster.

Software Update Point on a Secondary Site

The software update point is optional on a secondary site. When you install a software update point on a secondary site, the WSUS database is configured as a replica instead of an autonomous WSUS instance that is used when you install the software update point on a primary site or central administration site. The devices that are assigned to a secondary site are configured to use the active software update point at the parent site when a software update point is not configured at the secondary site. Typically, you will install a software update point at a secondary site when there is limited network bandwidth between devices that are assigned to the secondary site and the software update points at the parent primary site, or when the software update point approaches the capacity limit. After a software update point is successfully installed and configured at the secondary site, a site-wide policy is updated for client computers that are assigned to the site, and they will start to use the new software update point.

Planning for Software Update Point Installation

Before you create a software update point site system role in Configuration Manager, there are several requirements that you must consider depending on your Configuration Manager infrastructure. When you configure the software update point to communicate by using SSL, this section is especially important to review because you must take additional steps for the software update points in your hierarchy will work properly. This section provides information about the
1616

steps that you must take to successfully plan and prepare for the software update point installation.

Requirements for the Software Update Point

The software update point site system role must be installed on a site system that meets the minimum requirements for WSUS and the supported configurations for Configuration Manager site systems. 1. For more information about the minimum requirements for WSUS 3.0 SP2, see Confirm WSUS 3.0 SP2 installation requirements in the Windows Server Update Services 3.0 SP2 documentation library. 2. For more information about the minimum requirements for the WSUS server role in Windows Server 2012, see Step 1: Prepare for Your WSUS Deployment in the Windows Server 2012 documentation library. 3. For more information about the supported configurations for Configuration Manager site systems, see the Site System Requirements section in the Supported Configurations for Configuration Manager topic.

Plan for WSUS Installation

Software updates requires that a supported version of WSUS is installed on all site system servers that you configure for the software update point site system role. Additionally, when you do not install the software update point on the site server, you must install the WSUS Administration Console on the site server computer, if it is not already installed. This allows the site server to communicate with WSUS that runs on the software update point. When you use WSUS on Windows Server 2012, you must configure additional permissions to allow WSUS Configuration Manager in Configuration Manager to connect to the WSUS in order to perform periodic health checks. Choose one of the following options to configure the permissions: Add the SYSTEM account to the WSUS Administrators group Add the NT AUTHORITY\SYSTEM account as a user for the WSUS database (SUSDB) and configure a minimum of the webService database role membership

For more information about how to install WSUS 3.0 SP2, see Install WSUS Server or Administration Console in the Windows Server Update Services 3.0 SP2 documentation library. For more information about how to install WSUS on Windows Server 2012, see Install the WSUS Server Role in the Windows Server 2012 documentation library. For Configuration Manager SP1 only: When you install more than one software update point at a primary site, use the same WSUS database for each software update point in the same Active Directory forest. If you share the same database, it significantly mitigates, but does not completely eliminate the client and the network performance impact that you might experience when clients switch to a new software
1617

update point. A delta scan still occurs when a client switches to a new software update point that shares a database with the old software update point, but the scan is much smaller than it would be if the WSUS server had its own database.

Configure WSUS to Use a Custom Web Site

When you install WSUS, you have the option to use the existing IIS Default website, or to create a custom WSUS website. Create a custom website for WSUS so that IIS hosts the WSUS services in a dedicated virtual website, instead of sharing the same web site that is used by the other Configuration Manager site systems or other applications. This is especially true when you install the software update point site system role on the site server. When you run WSUS in Windows Server 2012 or you configure a custom website for WSUS 3.0 SP2, WSUS is configured by default to use port 8530 for HTTP and port 8531 for HTTPS. You must specify these port settings when you create the software update point at a site.

Use an Existing WSUS Infrastructure

You can use a WSUS server that was active in your environment before you installed Configuration Manager. When the software update point is configured, you must specify the synchronization settings. Configuration Manager connects to the WSUS that runs on the software update point and configures the WSUS server with the same settings. When the WSUS server was previously synchronized with products or classifications that you did not configure as part of the software update point synchronization settings, the software updates metadata for the products and classifications are synchronized for all of the software updates metadata in the WSUS database regardless of the synchronization settings for the software update point. This might result in unexpected software updates metadata in the site database. You will experience the same behavior when you add products or classifications directly in the WSUS Administration console, and then immediately initiate synchronization. Every hour, by default, Configuration Manager connects to the WSUS that runs on the software update point and resets any settings that were modified outside of Configuration Manager. Starting with Configuration Manager SP1, the software updates that do not meet the products and classifications that you specify in synchronization settings are set to expired, and then they are removed from the site database.

Configure WSUS as a Replica Server

When you create a software update point site system role on a primary site server, you cannot use a WSUS server that is configured as a replica. When the WSUS server is configured as a replica, Configuration Manager fails to configure the WSUS server, and the WSUS synchronization fails as well. When a software update point is created on a secondary site, Configuration Manager configures WSUS to be a replica server of the WSUS that runs on the software update point at the parent primary site. Starting with Configuration Manager SP1, the first software update point that you install at a primary site is the default software update point. Additional software update points at the site are configured as replicas of the default software update point.
1618

Decide Whether to Configure WSUS to Use SSL

You can use the SSL protocol to help secure the WSUS that runs on the software update point. WSUS uses SSL to authenticate client computers and downstream WSUS servers to the WSUS server. WSUS also uses SSL to encrypt software update metadata. When you choose to secure WSUS with SSL, you must prepare the WSUS server before you install the software update point. For more information about how to configure WSUS for SSL, see the Secure WSUS with the Secure Sockets Layer Protocol in the WSUS 3.0 SP2 documentation library. When you install and configure the software update point, you must select the Enable SSL communications for the WSUS Server setting. Otherwise, Configuration Manager will configure WSUS not to use SSL. When you enable SSL for WSUS that runs on a software update point, WSUS that runs on the software update point at any child sites must also be configured to use SSL.

Configure Firewalls
Software updates on a Configuration Manager central administration site communicate with the WSUS that runs on the software update point, which in turn communicates with the synchronization source to synchronize software updates metadata. Software update points on a child site communicate with the software update point at the parent site. When there is a remote active Internet-based software update point at a Configuration Manager with no service pack site, the site server must communicate with the active Internet-based software update point, and the Internet-based software update point must communicate with the active software update point of the site, so that the synchronization completes successfully. Starting with Configuration Manager SP1, when there is more than one software update point at a primary site, the additional software update points must communicate with the first software update point that is installed at the site, which is the default software update point. The firewall might need to be configured to accept the HTTP or HTTPS ports that are used by WSUS in following scenarios: when you have a corporate firewall between the Configuration Manager software update point and the Internet; when you have a software update point and its upstream synchronization source; when you have an active Internet-based software update point and the active software update point for the Configuration Manager with no service pack site, or when you have the additional software update points and the default software update point at a Configuration Manager SP1 site. The connection to Microsoft Update is always configured to use port 80 for HTTP and port 443 for HTTPS. You can use a custom port for the connection from WSUS that runs on the software update point at a child site to WSUS that runs on the software update point at the parent site. During software updates synchronization, WSUS that runs on the Internet-based software update point always connects to WSUS that runs on the active software update point by using HTTPS. When your security policy does not allow an HTTPS connection, you must use the export and import synchronization method. For more information, see the Synchronize Software Updates from a Disconnected Software Update Point section in this topic. For more information about the ports that are used by WSUS, see How to Determine the Port Settings Used by WSUS.

1619

Restrict Access to Specific Domains

If your organization does not allow the ports and protocols to be open to all addresses on the firewall between the active software update point and the Internet, you can restrict access to the following domains, so that WSUS and Automatic Updates can communicate with Microsoft Update: http://windowsupdate.microsoft.com http://*.windowsupdate.microsoft.com https://*.windowsupdate.microsoft.com http://*.update.microsoft.com https://*.update.microsoft.com http://*.windowsupdate.com http://download.windowsupdate.com http://download.microsoft.com http://*.download.windowsupdate.com http://test.stats.update.microsoft.com http://ntservicepack.microsoft.com

You might need to add the following addresses to the firewall that is located between the two site systems in the following cases: if child sites have a software update point or if there is a remote active Internet-based software update point at a site: Software update point on the child site http://<FQDN for software update point on child site> https://<FQDN for software update point on child site> http://<FQDN for software update point on parent site> https://<FQDN for software update point on parent site > http://<FQDN for active software update point for site> https://<FQDN for active software update point for site> http://<FQDN for active Internet-based software update point> https://<FQDN for active Internet-based software update point>

Internet-based software update point

Plan for Synchronization Settings

The software updates synchronization in Configuration Manager is the process of retrieving the software updates metadata based on criteria that you configure. The top-level site in your hierarchy, the central administration site or stand-alone primary site synchronizes software updates from Microsoft Update. Starting with Configuration Manager SP1, you have the option to configure the software update point on the top-level site to synchronize with an existing WSUS server, not in the Configuration Manager hierarchy. The child primary sites synchronize software updates metadata from the software update point on the central administration site. Before you
1620

install and configure a software update point, use this section to plan for the synchronization settings.

Synchronization Source
The synchronization source settings for the software update point specify the location for where the software update point retrieves software updates metadata, and whether the WSUS reporting events are created during the synchronization process. Synchronization source: The software update point at the top-level site configures the synchronization source for Microsoft Update by default. Starting in Configuration Manager SP1, you have the option to synchronize the top-level site with an existing WSUS server. The software update point on a child primary site configures the synchronization source as the software update point at the central administration site by default. Note When you have a remote Internet-based software update point, the upstream update server is the software update point for the same site. Note Starting with Configuration Manager SP1, the first software update point that you install at a primary site, which is the default software update point, synchronizes with the central administration site. Additional software update points at the primary site synchronize with the default software update point at the primary site. When a software update point is disconnected from Microsoft Update or from the upstream update server, you can configure the synchronization source not to synchronize with a configured synchronization source, but instead to use the export and import function of the WSUSUtil tool to synchronize software updates. For more information, see the Synchronize Software Updates from a Disconnected Software Update Point section in this topic. WSUS reporting events: The Windows Update Agent on client computers can create event messages that are used for WSUS reporting. These events are not used by software update in Configuration Manager, and therefore, the Do not create WSUS reporting events option is selected by default. When these events are not created, the only time that the client computer should connect to the WSUS server is during software update evaluation and compliance scans. If these events are needed for reporting outside of software updates in Configuration Manager, you will need to modify this setting to create WSUS reporting events.

Synchronization Schedule
You can configure the synchronization schedule only at the software update point on the top-level site in the Configuration Manager hierarchy. When you configure the synchronization schedule, the software update point synchronizes with the synchronization source at the date and time that you specified. The custom schedule allows you to synchronize software updates on a date and time when the demands from the WSUS server, site server, and network are low, such as 2:00 AM once a week. Alternatively, you can initiate synchronization on the top-level site by using the
1621

Synchronization Software Updates action from the All Software Updates or Software Update Groups node in the Configuration Manager console. Tip Schedule the software updates synchronization to run by using a timeframe that is appropriate for your environment. One common scenario is to set the software updates synchronization schedule to run shortly after the Microsoft regular security update release on the second Tuesday of each month, which is typically referred to as Patch Tuesday. Another common scenario is to set the software updates synchronization schedule to run daily when you use software updates to deliver the Endpoint Protection definition and engine updates. After the software update point successfully completes synchronization, a synchronization request is sent to child sites. Starting with Configuration Manager SP1, if you have additional software update points at a primary site, a synchronization request is sent to each software update point. In Configuration Manager with no service pack, a synchronization request is sent to the active Internet-based software update point, if it is installed. The process is repeated on every site in the hierarchy.

Update Classifications
Every software update is defined with an update classification that helps to organize the different types of updates. During the synchronization process, the software updates metadata for the specified classifications will be synchronized. Configuration Manager allows you to synchronize software updates with the following update classifications: Critical Updates: Specifies a broadly released update for a specific problem that addresses a critical, non-security-related bug. Definition Updates: Specifies an update to virus or other definition files. Feature Packs: Specifies new product features that are distributed outside of a product release and feature that are typically included in the next full product release. Security Updates: Specifies a broadly released update for a product-specific, securityrelated issue. Service Packs: Specifies a cumulative set of hotfixes that are applied to an application. These hotfixes can include security updates, critical updates, software updates, and so on. Tools: Specifies a utility or feature that helps to complete one or more tasks. Update Rollups: Specifies a cumulative set of hotfixes that are packaged together for easy deployment. These hotfixes can include security updates, critical updates, updates, and so on. An update rollup generally addresses a specific area, such as security or a product component. Updates: Specifies an update to an application or file that is currently installed.

The update classification settings are configured only on the top-level site. The update classification settings are not configured on the software update point on child sites, because the software updates metadata is replicated from the top-level site to child primary sites. When you

1622

select the update classifications, be aware that the more classifications that you select, the longer it takes to synchronize the software updates metadata. Warning As a best practice, clear all classifications before you synchronize software updates for the first time. After the initial synchronization, select the classifications from Software Update Point Component properties, and then re-initiate synchronization.

Products
The metadata for each software update defines one or more products for which the update is applicable. A product is a specific edition of an operating system or application,. An example of a product is Microsoft Windows Server 2008. A product family is the base operating system or application from which the individual products are derived. An example of a product family is Microsoft Windows, of which Microsoft Windows Server 2008 is a member. You can specify a product family or individual products within a product family. When software updates are applicable to multiple products, and at least one of the products is selected for synchronization, all of the products will appear in the Configuration Manager console even if some products were not selected. For example, if Windows Server 2008 is the only operating system that you subscribed to, and if a software update applies to Windows Server 2008 and Windows Server 2008 Datacenter Edition, both products will be in the site database. The product settings are configured only on the top-level site. The product settings are not configured on the software update point for child sites because the software updates metadata is replicated from the top-level site to child primary sites. When you select products, be aware that the more products that you select, the longer it will take to synchronize the software updates metadata. Important Configuration Manager stores a list of products and product families that you can choose from when you first install the software update point. Products and product families that are released after Configuration Manager is released might not be available to select until you complete software updates synchronization, which updates the list of available products and product families from which you can choose. As a best practice, clear all products before you synchronize software updates for the first time. After the initial synchronization, select the products from Software Update Point Component properties, and then reinitiate synchronization.

Supersedence Rules
Typically, a software update that supersedes another software update does one or more of the following actions: Enhances, improves, or updates the fix that was provided by one or more previously released updates.
1623

Improves the efficiency of the superseded update file package, which is installed on client computers if the update is approved for installation. For example, the superseded update might contain files that are no longer relevant to the fix or to the operating systems that are supported by the new update, so those files are not included in the superseding file package of the update. Updates newer versions of a product. In other words, it updates versions that are no longer applicable to older versions or configurations of a product. Updates can also supersede other updates if modifications were made to expand language support. For example, a later revision of a product update for Microsoft Office might remove the support for an older operating system, but it might add additional support for new languages in the initial update release.

In the properties for the software update point, you can specify that the superseded software updates are immediately expired, which prevents them from being included in new deployments and flags the existing deployments to indicate that they contain one or more expired software updates. Or, you can specify a period of time before the superseded software updates are expired, which allows you to continue to deploy them. Consider the following scenarios in which you might need to deploy a superseded software update: If a superseding software update supports only newer versions of an operating system, and some of your client computers run earlier versions of the operating system. If a superseding software update has more restricted applicability than the software update it supersedes. This would make it inappropriate for some client computers. If a superseding software update was not approved for deployment in your production environment.

Languages
The language settings for the software update point allow you to configure the languages for which the summary details (software updates metadata) are synchronized for software updates, and the software update file languages that will be downloaded for software updates.

Software Update File

The languages that you configure for the Software update file setting in the properties for the software update point provide the default set of languages that are available when you download software updates at a site. You can modify the languages that are selected by default each time that the software updates are downloaded or deployed. During the download process, the software update files for the configured languages are downloaded to the deployment package source location, if the software update files are available in the selected language. Then they are copied to the content library on the site server, and then they are copied to the distribution points that are configured for the package. The software update file language settings should be configured with the languages that are most often used in your environment. For example, if client computers that are assigned to the site use mostly English and Japanese languages for the operating system or applications, and there are
1624

very few other languages that are used at the site, then select English and Japanese in the Software Update File column when you download or deploy the software update and clear the other languages. This allows you to use the default settings on the Language Selection page of the deployment and to download wizards. This also prevents unneeded update files from being downloaded. This setting is configured at each software update point in the Configuration Manager hierarchy.

Summary Details
During the synchronization process, the summary details information (software updates metadata) is updated for software updates in the languages that you specify. The metadata provides the information about the software update, such as name, description, products that the update supports, update classification, article ID, download URL, applicability rules, and so on. The summary details settings are configured only on the top-level site. The summary details are not configured on the software update point on child sites because the software updates metadata is replicated from the central administration site down to these sites by using file-based replication. When you select the summary details languages, select only the languages that you need in your environment. The more languages that you select, the longer it takes to synchronize the software updates metadata. Configuration Manager displays the software updates metadata in the locale of the operating system in which the Configuration Manager console runs. If the localized properties for the software updates are not available in the locale of the operating system, the software updates information displays in English. Important It is important that you select all of the summary details languages that you will need in your Configuration Manager hierarchy. When the software update point on top-level site synchronizes with the synchronization source, the selected summary details languages determine the software updates metadata that is retrieved. If you modify the summary details languages after synchronization ran at least one time, the software updates metadata is retrieved for the modified summary details languages only for new or updated software updates. The software updates that have already been synchronized are not updated with new metadata for the modified languages unless there is a change to the software update on the synchronization source.

Plan for Settings Associated with Software Updates

The software updates client settings in Configuration Manager are site-wide and are configured with default values. There are software updates and network access protection (NAP) client settings that affect when software updates are scanned for compliance, and how and when software updates are installed on client computers. There are also Group Policy settings on the client computer that might need to be configured depending on your environment. For more information about how to configure settings that are associated with software updates, see the
1625

Configure the Settings Associated with Software Updates section in the Configuring Software Updates in Configuration Manager topic.

Client Settings for Software Updates

After you install the software update point, the software updates client agent is enabled by default and you are not required to configure specific client settings, but you should review the settings to ensure that the default values meet your needs. You configure software updates and NAP client settings in Client Settings in the Administration workspace. For more information about how to configure the settings that are associated with software updates, see the Configure Client Settings for Software Updates section in the Configuring Software Updates in Configuration Manager topic. Important The Enable software updates on clients setting is enabled by default. If you clear this setting, Configuration Manager removes the existing deployment policies from client. Also, NAP and compliance settings policies that rely on the software updates device setting will no longer function.

Group Policy Settings for Software Updates

There are specific Group Policy settings that are used by Windows Update Agent (WUA) on client computers to connect to the WSUS that runs on the active software updates point, successfully scan for software update compliance, and automatically update the software updates and the WUA. Warning If you have an Active Directory Group Policy object assigned to clients that specify a WSUS server that is not a Configuration Manager software update point, it will override the local Group Policy setting that is configured by Configuration Manager. Before you can assess software updates compliance and manage software update deployments on these clients, you must reconfigure the Active Directory Group Policy setting, or move client computers to an organizational unit (OU) that does not have this Group Policy setting applied. For more information about how to configure the settings that are associated with software updates, see the Group Policy Settings for Software Updates section in the Configuring Software Updates in Configuration Manager topic.

Client Cache Setting

The Configuration Manager client downloads the content for required software updates to the local client cache soon after it receives the deployment. However, the client waits download the content until after the Software available time setting for the deployment. The client does not download software updates in optional deployments (deployments that do not have a scheduled installation deadline) until the user manually initiates the installation. When the configured
1626

deadline passes, the software updates client agent performs a scan to verify that the software update is still required, then the software updates client agent checks the local cache on the client computer to verify that the software update source file is still available, and then installs the software update. If the content was deleted from the client cache to make room for another deployment, the client downloads the software updates to the cache. Software updates are always downloaded to the client cache regardless of the configured maximum client cache size. For other deployments, such as applications or packages, the client only downloads content that is within the maximum cache size that you configure for the client. Cached content is not automatically deleted, but it remains in the cache for at least one day after the client used that content.

Supplemental Topics for Planning Software Updates

Use the following topics to plan for software updates in Configuration Manager. Prerequisites for Software Updates in Configuration Manager Best Practices for Software Updates in Configuration Manager

See Also
Software Updates in Configuration Manager

Prerequisites for Software Updates in Configuration Manager

This topic lists the prerequisites for software updates and Network Access Protection (NAP) in System Center 2012 Configuration Manager. For each of these, the external dependencies and internal dependencies are listed in separate tables.

Prerequisites for Software Updates in Configuration Manager

This section includes the internal and external prerequisites for software updates in Configuration Manager.

Software Update Dependencies External to Configuration Manager

The following table lists the external dependencies for software updates.

1627

Requirement

More information

Internet Information Services (IIS) on the site system servers in order to run the software update point, the management point, and the distribution point

See the Prerequisites for Site System Roles section in the Supported Configurations for Configuration Manager topic.

Windows Server Update Services (WSUS)

WSUS is necessary for software updates synchronization and for the software updates compliance assessment scan on clients. The WSUS server must be installed before you create the software update point site system role. Important For Configuration Manager SP1 only: When you have multiple software update points at a site, ensure that they are all running the same version of WSUS.

WSUS Administration Console

The WSUS Administration Console is required on the Configuration Manager site server when the software update point is on a remote site system server and WSUS is not already installed on the site server. Important The WSUS version on the site server must be the same as the WSUS version running on the software update points. Important Do not use the WSUS Administration Console to configure WSUS settings. Configuration Manager connects to WSUS that is running on the software update point and configures the appropriate settings.

Windows Update Agent (WUA)

The WUA client is required on clients to enable them to connect to the WSUS server and retrieve the list of software updates that must
1628

Requirement

More information

be scanned for compliance. When you install Configuration Manager, the latest version of the WUA is downloaded. Then, when the Configuration Manager client is installed, the WUA is upgraded if necessary. However, if the installation fails, you must use a different method to upgrade the WUA.

Software Update Dependencies Internal to Configuration Manager

The following table lists the dependencies for software updates in Configuration Manager.
Requirement More information

Management point

Management points transfer information between client computers and the Configuration Manager site. They are required for software updates.

Software update point

You must install a software update point on the WSUS server to be able to deploy software updates in Configuration Manager. For more information, see Configuring Software Updates in Configuration Manager

Distribution point

Distribution points are required to store the content for software updates. For more information about how to install distribution points and manage content, see Configuring Content Management in Configuration Manager

Client settings for software updates

By default, software updates is enabled for clients. However there are other available settings that control how and when clients assess compliance for the software updates and control how the software updates are installed. For more information, see the following:
1629

Requirement

More information

The Configure Client Settings for Software Updates section in the Configuring Software Updates in Configuration Manager topic. The Software Updates section in the About Client Settings in Configuration Manager topic.

Reporting services point

The reporting services point site system role can display reports for software updates. This role is optional, but recommended. For more information about how to create a reporting services point, see Configuring Reporting in Configuration Manager.

Prerequisites for Network Access Protection in Configuration Manager

This section includes the internal and external prerequisites for Network Access Protection (NAP) in System Center 2012 Configuration Manager.

NAP Dependencies External to Configuration Manager

The following table lists the external dependencies for when you use software updates and NAP.
Requirement More information

NAP enforcement technology installed and configured appropriately for one or more of the following: DHCP, IPsec, VPN, or 802.1X. Note All Windows NAP enforcement solutions require a server that runs a version of the operating system that is at least Windows Server 2008.

Documentation is published on the Network Access Protection website.

One or more Network Policy Servers configured Documentation is published in the Network appropriately with remediation server groups, Access Protection Design Guide health policies, connection request policies, and network policies Perimeter devices configured to enable traffic See Technical Reference for Ports Used in
1630

Requirement

More information

between communicating servers

Configuration Manager.

NAP Dependencies Internal to Configuration Manager

The following table lists the Configuration Manager dependencies for when you use software updates and NAP.
Requirement More information

Client settings for NAP

By default, clients are not enabled to support NAP in Configuration Manager. Optionally, you can set the client setting Enable Network Access Protection on clients to True (Configuration Manager with no service pack) or Yes (Configuration Manager SP1). For more information, see the following: The Configure Client Settings for Software Updates section in the Configuring Software Updates in Configuration Manager topic. The Network Access Protection (NAP) section in the About Client Settings in Configuration Manager topic. Note You do not have to enable the software updates client settings to support NAP in Configuration Manager.

An Active Directory forest with the schema extended with the Configuration Manager schema extensions, and provisioned with a System Management container in at least one domain

The site server publishes Configuration Manager NAP health state references to Active Directory Domain Services. The System Health Validator point retrieves them. Publishing to Active Directory Domain Services requires that the schema is extended, but you can select which forest to use. See the Configure Active Directory Forest Discovery section in the Configuring Discovery in Configuration Manager topic. For more information about how to install a site system role, see Install and Configure Site
1631

Configuration Manager sites that are enabled for NAP configured to publish site information to Active Directory Domain Services The installation of at least one System Health Validator point on Windows Server 2008 with

Requirement

More information

the server role of Network Policy Server

System Roles for Configuration Manager. Note Although the System Health Validator can be installed in a different Active Directory forest than the site server's forest, it must be installed in a domain and is not supported in a workgroup.

Software updates configured, which includes software update deployment packages

Although the software updates client settings do not have to be enabled for clients, you must provide the software updates infrastructure, such as a software update point and synchronized software updates. For more information, see Configuring Software Updates in Configuration Manager.

Reporting services point

The reporting services point site system role can display reports for software updates and NAP in Configuration Manager. This role is optional, but recommended. For more information about how to create a reporting services point, see Configuring Reporting in Configuration Manager.

See Also
Planning for Software Updates in Configuration Manager

Best Practices for Software Updates in Configuration Manager

This topic includes best practices for software updates in Microsoft System Center 2012 Configuration Manager. The information is sorted into best practices for initial installation and best practices for ongoing operations.

Installation Best Practices

Use the following best practices when you install software updates in Configuration Manager:
1632

Use a Shared WSUS Database for Software Update Points

For Configuration Manager SP1 only: When you install more than one software update point at a primary site, use the same WSUS database for each software update point in the same Active Directory forest. By sharing the same database you can significantly mitigate the client and network performance impact that can occur when clients switch to a new software update point. When a client switches to a new software update point that shares a database with the old software update point, a delta scan still occurs, but this scan is much smaller than it would be if the WSUS server had its own database. For more information about software update point switching, see the Software Update Point Switching section in the Planning for Software Updates in Configuration Manager topic.

When Configuration Manager and WSUS use the same SQL Server, configure one of these to use a named instance and the other to use the default instance of SQL Server
When the Configuration Manager and WSUS databases use the same SQL Server and share the same instance of SQL Server, you cannot easily determine the resource usage between the two applications. When you use a different SQL Server instance for Configuration Manager and WSUS, it is easier to troubleshoot and diagnose resource usage issues that might occur for each application.

Use a custom website for the WSUS installation

When you install WSUS 3.0, you can specify whether to use the default Internet Information Services (IIS) website or create a new custom WSUS 3.0 website. As a best practice, select Create a Windows Server Update Services 3.0 Web site so that IIS hosts the WSUS 3.0 services in a dedicated website instead of sharing the same website with other Configuration Manager site systems or other software applications. When you use a custom website for WSUS 3.0, WSUS configures port 8530 for HTTP and port 8531 for HTTPS. You must specify these port settings when you create the software update point for the site.

Specify the "Store updates locally" setting for the WSUS installation
When you install WSUS 3.0, select the Store updates locally setting. When this setting is selected, the license terms that are associated with software updates are downloaded during the synchronization process and stored on the local hard drive for the WSUS server. When this setting is not selected, client computers might fail to scan for software updates compliance for software updates that have license terms. When you install the software update point, WSUS Synchronization Manager verifies that this setting is enabled every 60 minutes, by default.

1633

Operational Best Practices

Use the following best practices when you use software updates:

Limit software updates to 1000 in a single software update deployment

You must limit the number of software updates to 1000 for each software update deployment. When you create an automatic deployment rule, verify that the criteria that you specify does not result in more than 1000 software updates. When you manually deploy software updates, do not select more than 1000 updates to deploy.

Create a new software update group each time an automatic deployment rule runs for Patch Tuesday and for general deployment
There is a limit of 1000 software updates for a software update deployment. When you create an automatic deployment rule, you specify whether to use an existing update group or create a new update group each time the rule runs. When you specify criteria in an automatic deployment rule that results in multiple software updates and the rule runs on a recurring schedule, specify to create a new software update group each time the rule runs. This will prevent the deployment from surpassing the limit of 1000 software updates per deployment.

Use an existing software update group for automatic deployment rules for Endpoint Protection definition updates
Always use an existing software update group when you use an automatic deployment rule to deploy Endpoint Protection definition updates on a frequent basis. Otherwise, potentially hundreds of software update groups will be created over time. Typically, definition update publishers will set definition updates to expire when they are superseded by four newer updates. Therefore, the software update group that is created by the automatic deployment rule will never contain more than four definition updates for the publisher: one active and three superseded.

See Also
Planning for Software Updates in Configuration Manager

Configuring Software Updates in Configuration Manager

Before the compliance assessment data of the software update displays in the System Center 2012 Configuration Manager console and before you can deploy software
1634

updates to client computers, you must complete the following steps: install and configure a software update point, synchronize the software updates metadata, and verify the configuration for settings that are associated with software updates. When you have a Configuration Manager hierarchy, install and configure the software update point at the central administration site first, and then install and configure the software update points on other sites. Some settings are only available when you configure the software update point on the top-level site, which is the central administration site or the stand-alone primary site. There are different configuration options that you must consider depending on where the software update point is installed. Use the steps in the following table to install and configure the software update point, synchronize software updates, and configure the settings that are associated with software updates.

Configure Software Updates

Use the following steps and procedures in this topic to configure software updates in Configuration Manager.
Step Details More information

Step 1: Install and configure a software update point

The software update point is required on the central administration site and on the primary sites to enable the software updates compliance assessment and to deploy software updates to clients. The software update point is optional on secondary sites. Synchronize software updates on a connected software update point The synchronization of software updates is the process of retrieving software updates metadata from the Microsoft Update site and the replication of the metadata to all sites that are enabled for software updates in the Configuration Manager hierarchy. The software update point on the central administration site or on a

For more information, see the detailed Step 1: Install and Configure a Software Update Point in this topic.

Step 2: Synchronize software updates

For more information, see the detailed Step 2: Synchronize Software Updates in this topic.

1635

Step

Details

More information

stand-alone primary site retrieves software updates metadata from Microsoft Update. The child primary sites, secondary sites, and remote Internet-based software update points retrieve the software updates metadata from the software update point that is identified as the upstream update source. You must have access to the upstream update source to successfully synchronize software updates. Synchronize software updates on a disconnected software update point. Automatic synchronization of software updates is not possible when the software update point at the central administration site or standalone primary site is disconnected from the Internet, or when an Internet-based software update point is disconnected from the active software update point for the site. To retrieve the latest software updates for a disconnected software update point, you must use the WSUSUtil tool to export the software updates metadata and the license terms files from a software update source, and then you must import the metadata and files to the disconnected software update point. For more information, see the Synchronize Software Updates from a Disconnected Software Update Point section in this topic.

1636

Step

Details

More information

Step 3: Configure classifications and products to synchronize

Perform this configuration on the central administration site or stand-alone primary site. After you synchronize software updates without any classifications or products selected, you must configure the software updates classifications and products in the Software Update Point Component properties. After you configure the properties, repeat step 2 to initiate the software updates synchronization to retrieve the software updates that meet the configured criteria for classification and products.

For more information, see the detailed Step 3: Configure Classifications and Products to Synchronize in this topic.

Step 4: Verify software updates client settings and Group Policy configurations

There are Configuration Manager client settings and group policy configurations that are associated with software updates, and that you must verify before you deploy software updates.

For more information, see the detailed Step 4: Verify Software Updates Client Settings and Group Policy Configurations in this topic.

Step 1: Install and Configure a Software Update Point

Important Before you install the software update point site system role, you must verify that the server meets the required dependencies and determines the software update point infrastructure on the site. For more information about how to plan for software updates and to determine your software update point infrastructure, see Planning for Software Updates in Configuration Manager. The software update point is required on the central administration site and on the primary sites in order to enable software updates compliance assessment and to deploy software updates to clients. The software update point is optional on secondary sites. The software update point site system role must be created on a server that has WSUS installed. The software update point
1637

interacts with the WSUS services to configure the software update settings and to request synchronization of software updates metadata. When you have a Configuration Manager hierarchy, install and configure the software update point on the central administration site first, then on child primary sites, and then optionally, on secondary sites. When you have a standalone primary site, not a central administration site, install and configure the software update point on the primary site first, and then optionally, on secondary sites. Some settings are only available when you configure the software update point on a top-level site. There are different options that you must consider depending on where you installed the software update point. Important For Configuration Manager SP1 only: Starting with Configuration Manager SP1, you can install more than one software update points on a site. The first software update point that you install is configured as the synchronization source, which synchronizes the updates from Microsoft Update or from the upstream synchronization source. The other software update points on the site are configured as replicas of the first software update point. Therefore, some settings are not available after you install and configure the initial software update point. You can add the software update point site system role to an existing site system server or you can create a new one. On the System Role Selection page of the Create Site System Server Wizard or Add Site System Roles Wizard , depending on whether you add the site system role to a new or existing site server, select Software update point, and then configure the software update point settings in the wizard. The settings are different depending on the version of Configuration Manager that you use. For more information about how to install site system roles, see the Install Site System Roles section in the Install and Configure Site System Roles for Configuration Manager topic. Use the following sections for information about the software update point settings on a site.

Proxy Server Settings

You can configure the proxy server settings on different pages of the Create Site System Server Wizard or Add Site System Roles Wizard depending on the version of Configuration Manager that you use. For Configuration Manager SP1 only: You must configure the proxy server, and then specify when to use the proxy server for software updates. Configure the following settings: Configure the proxy server settings on the Proxy page of the wizard or on the Proxy tab in Site system Properties. The proxy server settings are site system specific, which means that all site system roles use the proxy server settings that you specify. Configure whether to use the proxy server when Configuration Manager synchronizes the software updates and when it downloads content by using an automatic deployment rule. Note

1638

The Use a proxy when downloading content by using automatic deployment rules setting is available but it is not used for a software update point on a secondary site. Only the software update point on the central administration site and primary site downloads content from the Microsoft Update page. For Configuration Manager with no service pack only: Configure the proxy server settings on the Active Software Update Point page of the wizard or on the General tab in Software Update Point Component Properties. The proxy server settings are associated only with the software update point at the site. Important By default, the Local System account for the server on which an automatic deployment rule was created is used to connect to the Internet and download software updates when the automatic deployment rules run. When this account does not have access to the Internet, software updates fail to download and the following entry is logged to ruleengine.log: Failed to download the update from internet. Error = 12007 . Configure the credentials to connect to the proxy server when the Local System account does not have Internet access.

WSUS Settings
You must configure WSUS settings on different pages of the wizard, and in some cases, only in the properties for the software update point, also known as Software Update Point Component Properties. Use the information in the following sections to configure the WSUS settings.

WSUS Port Settings

You must configure the WSUS port settings on different pages of the wizard depending on the version of the Configuration Manager that you use. For Configuration Manager SP1 only: You must configure the WSUS port settings on the Software Update Point page of the wizard or in the properties of the software update point. For Configuration Manager with no service pack only: You can configure the WSUS port settings on the Active Settings page of the wizard or on the General tab in Software Update Point Component Properties. Warning You have the option to configure the WSUS port settings for the active Internet-based software update point. For more information, see the Active Internet-Based Software Update Point section in this topic. To determine the website and port configurations in WSUS, see How to Determine the Port Settings Used by WSUS.

1639

Configure SSL Communications to WSUS

You can use the SSL protocol to help secure the WSUS that runs on the software update point. You can configure SSL on different pages of the wizard depending on the version of Configuration Manager that you use. For Configuration Manager SP1 only: You can configure SSL communication on the General page of the wizard or on the General tab in the properties of the software update point. For Configuration Manager with no service pack only: You can configure SSL communication on the General tab in Software Update Point Component Properties. This setting is not available in the wizard. For more information about how to use SSL, see the Deciding Whether to Configure WSUS to Use SSL section in the Planning for Software Updates in Configuration Manager topic.

WSUS Connection Account

You can configure an account to be used by the site server when it connects to WSUS that runs on the software update point. When you do not configure this account, the Configuration Manager uses the computer account for the site server to connect to WSUS. You can configure the account in different places of the wizard depending on the version of Configuration Manager that you use. For Configuration Manager SP1 only: You can configure the WSUS Server Connection Account on the General page of the wizard, or on the General tab in the software update point properties. For Configuration Manager with no service pack only: You can configure the Software Update Point Connection account on the General tab in Software Update Point Component Properties. This setting is not available in the wizard. For more information about Configuration Manager accounts, see Technical Reference for Accounts Used in Configuration Manager.

Active Software Update Point

Important This section is for Configuration Manager with no service pack only. Specify the active software update point for the site on the Active Settings page of the wizard or on the General tab in Software Update Point Component Properties. In Software Update Point Component Properties, you can change the location for the active software update point or choose to configure the software update point to use NLB. When the active software update point is installed on a remote site system server, the Active software update point and Software Update Point Connection Account settings are available for you to configure. In Active software update point you can only select the remote site system servers that have the software update point site system role installed. You can have only one active software
1640

update point for a site, but multiple site system servers can have the software update point site system role installed and they can be available to select as the active software update. Important When you decide to use NLB for a software update point, there are additional steps that you must perform before you configure the software update point. For more information, see How to Configure a Software Update Point to Use Network Load Balancing (NLB) Cluster.

Active Internet-Based Software Update Point

Important This section is for Configuration Manager with no service pack. You can specify the active Internet-based software update point for the site on the Internetbased tab in Software Update Point Component Properties. You can configure the following settings: Important The settings on the Internet-based tab are configurable only when the active software update point is configured for intranet-only client connections, where the Allow intranetonly client connections setting is selected on the General tab, and when you have installed a non-active software update point on a remote site system computer. Internet-based software update point: Specifies whether the Internet-based software update point is configured, and if so, whether it is installed on a remote site system server or configured to use NLB. Note When the active software update point only accepts communication from clients on the intranet and the Internet-based software update point is not configured, clients on the Internet will not scan for software updates compliance. When the active software update point is installed on a remote site system server, the Active server name and Software Update Point Connection Account settings are displayed on this page. Important When you decide to use NLB for a software update point, there are additional steps that you must perform before you configure the software update point. For more information, see How to Configure a Software Update Point to Use Network Load Balancing (NLB) Cluster. Port number: Specifies the HTTP port number that is configured on the WSUS server. The site server uses this port when it communicates with the WSUS server. This setting is configured when you install the software update point. Tip

1641

For information about how to find the port numbers that are used by WSUS, see How to Determine the Port Settings Used by WSUS. SSL port number: Specifies the SSL (HTTPS) port number that is configured on the WSUS server. When the Enable SSL for this WSUS server setting is enabled, software updates uses this port when it synchronizes the software updates with the WSUS server. This setting is configured when you install the software update point. Software Update Point Connection Account: Specifies the account that is used by the site server when it connects to a remote software update point or to an active software update point that is configured as an NLB cluster. When this account is not specified, the computer account for the site server is used to connect to the software update point. Important The account that is used to connect to the remote software update point must have local Administrator rights on the remote site system server computer. Do not synchronize from the software update point located on the intranet : Specifies that the Internet-based software update point does not synchronize with the active software update point. Select this option if the Internet-based software update point is disconnected from the active software update point. For more information about how to synchronize software updates on a disconnected software updates point, see the Synchronize Software Updates from a Disconnected Software Update Point section in this topic. Important Even though the Internet-based software update point accepts client connections from the Internet only, the web server certificate must contain both the Internet FQDN and the intranet FQDN.

Synchronization Source
You can configure the upstream synchronization source for software updates synchronization on the Synchronization Source page of the wizard, or on the on the Sync Settings tab in Software Update Point Component Properties. Your options for the synchronization source vary depending on the site. For more information, see the Synchronization Source section in the Planning for Software Updates in Configuration Manager topic. Use the following table for the available options when you configure the software update point at a site.
Site Available synchronization source options

Central administration site Stand-alone primary site

Synchronize from the Microsoft Update website Synchronize from an upstream data source 1 location Do not synchronize from Microsoft Update or upstream data source
1642

Site

Available synchronization source options

Additional software update points at a site Child primary site Secondary site

Synchronize from an upstream data source 3 location

The following list provides more information about each option that you can use as the synchronization source: Synchronize from Microsoft Update: Use this setting to synchronize software updates metadata from Microsoft Update. The central administration site must have Internet access; otherwise, synchronization will fail. This setting is available only when you configure the software update point on the top-level site. Note When there is a firewall between the active software update point and the Internet, the firewall might need to be configured to accept the HTTP and HTTPS ports that are used for the WSUS Web site. You can also choose to restrict access on the firewall to limited domains. For more information about how to plan for a firewall that supports software updates, see the Configuring Firewalls section in the Planning for Software Updates in Configuration Manager topic. Synchronize from an upstream data source location : Use this setting to synchronize software updates metadata from the upstream synchronization source. The child primary sites and secondary sites are automatically configured to use the parent site URL for this setting. Starting with Configuration Manager SP1, you have the option to synchronize software updates from an existing WSUS server. Specify a URL, such as https://WSUSServer:8531, where 8531 is the port that is used to connect to the WSUS server. Do not synchronize from Microsoft Update or upstream data source : Use this setting to manually synchronize software updates when the software update point at the top-level site is disconnected from the Internet. For more information, see the Synchronize Software Updates from a Disconnected Software Update Point section in this topic.
1 2

Starting with Configuration Manager SP1, you have the option to synchronize software updates from a WSUS server that is not in your Configuration Manager hierarchy.
2

Starting with Configuration Manager SP1, you have the option to add multiple software update points at a site.
3

In Configuration Manager with no service pack this setting is Synchronize from an upstream update server. Note When there is a firewall between the active software update point and the Internet, the firewall might need to be configured to accept the HTTP and HTTPS ports that are used for the WSUS Web site. You can also choose to restrict access on the firewall to limited domains. For more information about how to plan for a firewall that supports software
1643

updates, see the Configuring Firewalls section in the Planning for Software Updates in Configuration Manager topic. You can also configure whether to create WSUS reporting events on the Synchronization Source page of the wizard or on the on the Sync Settings tab in Software Update Point Component Properties. Configuration Manager does not use these events; therefore, you will normally choose the default setting Do not create WSUS reporting events.

Synchronization Schedule
Configure the synchronization schedule on the Synchronization Schedule page of the wizard or in the Software Update Point Component Properties. This setting is configured only on the software update point at the top-level site. If you enable the schedule, you can configure a recurring simple or custom synchronization schedule. When you configure a simple schedule, the start time is based on the local time for the computer that runs the Configuration Manager console at the time when you create the schedule. When you configure the start time for a custom schedule, it is based on the local time for the computer that runs the Configuration Manager console. Tip Schedule software updates synchronization to run by using a timeframe that is appropriate for your environment. One typical scenario is to set the software updates synchronization schedule to run shortly after the Microsoft regular security update release on the second Tuesday of each month, which is normally referred to as Patch Tuesday. Another typical scenario is to set the software updates synchronization schedule to run daily when you use software updates to deliver the Endpoint Protection definition and engine updates. Note When you choose not to enable software updates synchronization on a schedule, you can manually synchronize software updates from the All Software Updates or Software Update Groups node in the Software Library workspace. For more information, see the Step 2: Synchronize Software Updates section in this topic.

Supersedence Rules
Configure the supersedence settings on the Supersedence Rules page of the wizard or on the Supersedence Rules tab in Software Update Point Component Properties. You can configure the supersedence rules only on the top-level site. On this page, you can specify that the superseded software updates are immediately expired, which prevents them from being included in new deployments and flags the existing deployments to indicate that the superseded software updates contain one or more expired software updates. Or, you can specify a period of time before the superseded software updates are expired, which allows you to continue to deploy them. For more information, see the Supersedence Rules section in the Planning for Software Updates in Configuration Manager topic.
1644

Note For Configuration Manager SP1 only: The Supersedence Rules page of the wizard is available only when you configure the first software update point at the site. This page is not displayed when you install additional software update points.

Classifications
Configure the classifications settings on the Classifications page of the wizard, or the on the Classifications tab in Software Update Point Component Properties. For more information about software update classifications, see the Update Classifications section in the Planning for Software Updates in Configuration Manager topic. Note For Configuration Manager SP1 only: The Classifications page of the wizard is available only when you configure the first software update point at the site. This page is not displayed when you install additional software update points. Tip When you first install the software update point on the top-level site, clear all of the software updates classifications. After the initial software updates synchronization, configure the classifications from an updated list, and then re-initiate synchronization. This setting is configured only on the software update point at the top-level site.

Products
Configure the product settings on the Products page of the wizard, or the on the Products tab in Software Update Point Component Properties. Note For Configuration Manager SP1 only: The Products page of the wizard is available only when you configure the first software update point at the site. This page is not displayed when you install additional software update points. Tip When you first install the software update point on the top-level site, clear all of the products. After the initial software updates synchronization, configure the products from an updated list, and then re-initiate synchronization. This setting is configured only on the software update point at the top-level site.

Languages
Configure the language settings on the Languages page of the wizard, or the on the Languages tab in Software Update Point Component Properties. Specify the languages for which you want to synchronize software update files and summary details. The Software Update File setting is configured at each software update point in the Configuration Manager hierarchy. The Summary
1645

Details settings are configured only on the top-level software update point. For more information, see the Languages section in the Planning for Software Updates in Configuration Manager topic. Note For Configuration Manager SP1 only: The Languages page of the wizard is available only when you install the software update point at the central administration site. You can configure the Software Update File languages at child sites from the Languages tab in Software Update Point Component Properties.

Step 2: Synchronize Software Updates

Software updates synchronization in Configuration Manager is the process of retrieving the software updates metadata that meets the criteria that you configure on the top-level site. The software update point on the top-level site retrieves the metadata from the Microsoft Update website or from an existing WSUS server on a schedule, or you can manually initiate synchronization from the Configuration Manager console. To successfully complete the synchronization, the software update point must have access to its upstream synchronization source. When the software update point is disconnected from the upstream synchronization source, you must use the WSUSUtil tool to export software updates metadata from a software updates source and import the metadata to the disconnected software update point. The following table lists the software update point types and the upstream synchronization source for which the software update point requires access.
Software update point Upstream synchronization source

Central administration site

Microsoft Update (Internet) Existing WSUS server

2

Stand-alone primary site

Microsoft Update (Internet) Existing WSUS server

2

Child primary site Secondary site Remote Internet-based software update point
1

Central administration site Parent primary site Active software update point for the site
1

When the software update point is disconnected from the upstream update source, you can manually perform software updates synchronization. For more information, see the Synchronize Software Updates from a Disconnected Software Update Point section in this topic.
2

Starting with Configuration Manager SP1, you can specify an existing WSUS server that is not part of your Configuration Manager hierarchy as the upstream synchronization source.

1646

Synchronize Software Updates from a Connected Software Update Point

Typically, the software update points in your Configuration Manager hierarchy will have access to the upstream update source. In this scenario, the software update point at the top-level site will connect to the Internet and synchronize software updates from the Microsoft Update site, and then the top-level site will send a synchronization request to other sites to initiate the synchronization process. When a site receives the synchronization request from the top-level site, the software update point for the site retrieves software updates metadata from its upstream synchronization source. Note The software update point on child primary sites and secondary sites must be connected to their upstream synchronization source to synchronize software updates. When a software update point is disconnected from its upstream synchronization source, you can use the export and import method to synchronize software updates. For more information, see the Synchronize Software Updates from a Disconnected Software Update Point section in this topic. When software updates synchronization is initiated on a configured schedule, the top-level software update point initiates synchronization with Microsoft Update at the scheduled date and time. The custom schedule allows you to synchronize software updates on a date and time when the demands of the WSUS server, site server, and network are low, for example when it synchronizes every week at 2:00 AM. During the scheduled synchronization, all changes to the software updates metadata since the last scheduled synchronization are inserted into the site database. This includes new software updates metadata or metadata that has been modified, removed, or is now expired. After the synchronization with the upstream synchronization source is complete, a synchronization request is sent to software update points on child primary or secondary sites. You can also manually initiate software updates synchronization on the top-level site in the Configuration Manager console from the All Software Updates node in the Software Library workspace. Use the following procedures on the top-level site to schedule or to manually initiate software updates synchronization. To schedule software updates synchronization 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, and then click Sites. 3. In the results pane, click the central administration site or stand-alone primary site. 4. On the Home tab, in the Settings group, expand Configure Site Components, and then click Software Update Point. 5. In the Software Update Point Component Properties dialog box, select Enable synchronization on a schedule, and then specify the synchronization schedule.

1647

To manually initiate software updates synchronization 1. In the Configuration Manager console that is connected to the central administration site or stand-alone primary site, click Software Library. 2. In the Software Library workspace, expand Software Updates and click All Software Updates or Software Update Groups. 3. On the Home tab, in the Create group, click Synchronize Software Updates. Click Yes in the dialog box to confirm that you want to initiate the synchronization process.

After you initiate the synchronization process on the software update point, you can monitor the synchronization process from the Configuration Manager console for all software update points in your hierarchy. Use the following procedure to monitor the software updates synchronization process. To monitor the software updates synchronization process 1. In the Configuration Manager console, click Monitoring. 2. In the Monitoring workspace, click Software Update Point Synchronization Status. The software update points in your Configuration Manager hierarchy are displayed in the results pane. From this view, you can monitor the synchronization status for all software update points. When you want more detailed information about the synchronization process, you can review the wsyncmgr.log file that is located in <ConfigMgrInstallationPath>\Logs on each site server. Top of page

Synchronize Software Updates from a Disconnected Software Update Point

When the software update point at the top-level site is disconnected from the Internet, you must use the export and import functions of the WSUSUtil tool to synchronize software updates metadata. Starting with Configuration Manager SP1, you can choose an existing WSUS that is not in your Configuration Manager hierarchy as the synchronization source. This section provides information about how to use the export and import functions of the WSUSUtil tool. To export and import software updates metadata, you must export software updates metadata from the WSUS database on a specified export server, then copy the locally stored license terms files to the disconnected software update point, and then import the software updates metadata to the WSUS database on the disconnected software update point. Warning In Configuration Manager with no service pack, you have the option to synchronize an Internet-based software update point that is disconnected from the active software update point for the site.
1648

Use the following table to identify the export server in which to export the software updates metadata.
Software update point Upstream update source for connected software update points Export server for a disconnected software update point

Central administration site

Microsoft Update (Internet) Existing WSUS server

2

Choose a WSUS server that is synchronized with Microsoft Update by using the software update classifications, products, and languages that you need in your Configuration Manager environment. Choose a WSUS server that is synchronized with Microsoft Update by using the software update classifications, products, and languages that you need in your Configuration Manager environment. Choose the software update point for the central administration site or choose the active software update point for the same site, if possible. However, you can choose any other software update point in the Configuration Manager hierarchy as long as it contains the most recent software updates.

Stand-alone primary site

Microsoft Update (Internet) Existing WSUS server

2

For Configuration Manager with Active software update point no service pack only: for the site Remote Internet-based software update point

Starting with Configuration Manager SP1, you can specify an existing WSUS server that is not part of your Configuration Manager hierarchy as the upstream synchronization source. Before you start the export process, verify that software updates synchronization is completed on the selected export server to ensure that the most recent software updates metadata is synchronized. To verify that software updates synchronization has completed successfully, use the following procedure. To verify that software updates synchronization has completed successfully on the export server
1649

1. Open the WSUS Administration console and connect to the WSUS database on the export server. 2. In the WSUS Administration console, click Synchronizations. A list of the software updates synchronization attempts are displayed in the results pane. 3. In the results pane, find the latest software updates synchronization attempt and verify that it completed successfully. Important The WSUSUtil tool must be run locally on the export server to export the software updates metadata, and it also must be run on the disconnected software update point server to import the software updates metadata. In addition, the user that runs the WSUSUtil tool must be a member of the local Administrators group on each server.

Export Process for Software Updates

The export process for software updates consists of two main steps: to copy the locally stored license terms files to the disconnected software update point, and to export software updates metadata from the WSUS database on the export server. Use the following procedure to copy the local license terms metadata to the disconnected software update point. To copy local files from the export server to the disconnected software update point server 1. On the export server, navigate to the folder where software updates and the license terms for software updates are stored. By default, the WSUS server stores the files at <WSUSInstallationDrive>\WSUS\WSUSContent\, where WSUSInstallationDrive is the drive on which WSUS is installed. 2. Copy all files and folders from this location to the WSUSContent folder on the disconnected software update point server. Use the following procedure to export the software updates metadata from the WSUS database on the export server. To export software updates metadata from the WSUS database on the export server 1. At the command prompt on the export server, navigate to the folder that contains WSUSutil.exe. By default, the tool is located at % ProgramFiles%\Update Services\Tools. For example, if the tool is located in the default location, type cd %ProgramFiles%\Update Services\Tools. 2. Type the following to export the software updates metadata to a package file: wsusutil.exe export packagename logfile For example: wsusutil.exe export export.cab export.log The format can be summarized as follows: WSUSutil.exe is followed by the export option,
1650

the name of the export .cab file that is created during the export operation, and the name of a log file. WSUSutil.exe exports the metadata from the export server and creates a log file of the operation. Note The package (.cab file) and the log file name must be unique in the current folder. 3. Move the export package to the folder that contains WSUSutil.exe on the import WSUS server. Note If you move the package to this folder, the import experience can be easier. You can move the package to any location that is accessible to the import server, and then specify the location when you run WSUSutil.exe.

Import Software Updates Metadata

Use the following procedure to import software updates metadata from the export server to the disconnected software update point. Important Never import any exported data from a source that you do not trust. If you import content from a source that you do not trust, it might compromise the security of your WSUS server. To import metadata to the database of the import server 1. At the command prompt on the import WSUS server, navigate to the folder that contains WSUSutil.exe. By default, the tool is located at % ProgramFiles%\Update Services\Tools. 2. Type the following: wsusutil.exe import packagename logfile For example: wsusutil.exe import export.cab import.log The format can be summarized as follows: WSUSutil.exe is followed by the import command, the name of package file (.cab) that is created during the export operation, the path to the package file if it is in a different folder, and the name of a log file. WSUSutil.exe imports the metadata from the export server and creates a log file of the operation. Top of page

Classifications
Configure the classifications settings on the Classifications page of the wizard or the on the Classifications tab in Software Update Point Component Properties. For more information about
1651

software update classifications, see the Update Classifications section in the Planning for Software Updates in Configuration Manager topic. Note For Configuration Manager SP1 only: The Classifications page of the wizard is available only when you configure the first software update point that you configure on a standalone primary site. This page is not displayed when you install additional software update points. Tip When you first install the software update point on the top-level site, clear all of the software updates classifications. After the initial software updates synchronization, you must configure the classifications from an updated list, and then reinitiate synchronization. This setting is configured only on the software update point at the toplevel site.

Products
Configure the product settings on the Products page of the wizard or the on the Products tab in Software Update Point Component Properties. Note For Configuration Manager SP1 only: The Products page of the wizard is available only when you configure the first software update point that you configure on a stand-alone primary site. This page is not displayed when you install additional software update points. Tip When you first install the software update point on the top-level site, clear all of the products. After the initial software updates synchronization, you must configure the products from an updated list, and then reinitiate synchronization. This setting is configured only on the software update point at the top-level site.

Step 3: Configure Classifications and Products to Synchronize

Note Use the procedure from this section only on the top-level site. In Step 1, you cleared the list classifications and products. In Step 2, you initiated software update synchronization to update the list of classifications and products in Configuration Manager and WSUS. In step 3, you must select the classifications and products to synchronize. Use the following procedure to configure classifications and products to synchronize.

1652

To configure classifications and products to synchronize 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, click Sites, and then select the central administration site or stand-alone primary site. 3. On the Home tab, in the Settings group, click Configure Site Components, and then click Software Update Point. 4. On the Classifications tab, specify the software update classifications for which you want to synchronize software updates. Note Every software update is defined with an update classification that helps to organize the different types of updates. During the synchronization process, the software updates metadata for the specified classifications are synchronized. Configuration Manager provides the ability to synchronize software updates with the following update classifications: Critical Updates: Specifies a broadly released update for a specific problem that addresses a critical, non-security-related bug. Definition Updates: Specifies an update to virus or other definition files. Feature Packs: Specifies new product features that are distributed outside of a product release and that are typically included in the next full product release. Security Updates: Specifies a broadly released update for a product-specific, security-related issue. Service Packs: Specifies a cumulative set of hotfixes that are applied to an application. These hotfixes can include: security updates, critical updates, software updates, and so on. Tools: Specifies a utility or feature that helps to complete one or more tasks. Update Rollups: Specifies a cumulative set of hotfixes that are packaged together for easy deployment. These hotfixes can include security updates, critical updates, updates, and so on. An update rollup generally addresses a specific area, such as security or a product component. Updates: Specifies an update to an application or file that is currently installed.

5. On the Products tab, specify the products for which you want to synchronize software updates, and then click Close. Note The metadata for each software update defines the products for which the update is applicable. A product is a specific edition of an operating system or application, such as Windows Server 2008. A product family is the base operating system or application from which the individual products are derived. An example of a product family is Windows, of which Windows Server 2008 is a member. You can specify a product family or individual products within a product family. The more products that you select, the longer it will take to synchronize
1653

software updates. When software updates are applicable to multiple products, and at least one of the products was selected for synchronization, all of the products will appear in the Configuration Manager console even if some products were not selected. For example, if Windows Server 2008 is the only operating system that you selected, and if a software update applies to Windows 7 and Windows Server 2008, both products will be displayed in the Configuration Manager console. Important Configuration Manager stores a list of products and product families from which you can choose when you first install the software update point. Products and product families that are released after Configuration Manager is released might not be available to select until you complete software updates synchronization, which updates the list of available products and product families from which you can choose. 6. Repeat Step 2: Synchronize Software Updates to manually initiate software updates synchronization.

Step 4: Verify Software Updates Client Settings and Group Policy Configurations
There are client settings and group policy configurations that you must verify before you deploy software updates.

Client Settings for Software Updates

After you install the software update point, software updates is enabled on clients by default, and the settings on the Network Access Protection (NAP) and Software Updates pages in client settings have default values. Before you deploy software updates, verify that the client settings on these pages are appropriate for the software updates at your site. Important The Enable software updates on clients setting is enabled by default. If you clear this setting, Configuration Manager removes the existing deployment policies from the client. Also, NAP and compliance settings policies that rely on the software updates device setting will no longer function. For information about how to configure client settings, see How to Configure Client Settings in Configuration Manager. For more information about the client settings, see About Client Settings in Configuration Manager.

1654

Group Policy Settings for Software Updates

There are specific Group Policy settings that are used by Windows Update Agent (WUA) on client computers to connect to WSUS that runs on the software updates point. These Group Policy settings are also used to successfully scan for software update compliance, and to automatically update the software updates and the WUA.

Specify Intranet Microsoft Update Service Location Local Policy

When the software update point is created for a site, clients receive a machine policy that provides the software update point server name and configures the Specify intranet Microsoft update service location local policy on the computer. The WUA retrieves the server name that is specified in the Set the intranet update service for detecting updates setting, and then it connects to this server when it scans for software updates compliance. When a domain policy is created for the Specify intranet Microsoft update service location setting, it overrides the local policy, and the WUA might connect to a server other than the active software update point. If this happens, the client might scan for software update compliance based on different products, classifications, and languages. Therefore, you should not configure the Active Directory policy for client computers.

Allow Signed Content from Intranet Microsoft Update Service Location Group Policy
You must enable the Allow signed content from intranet Microsoft update service location Group Policy setting before the WUA on computers will scan for software updates that were created and published with System Center Updates Publisher. When the policy setting is enabled, WUA will accept software updates that are received through an intranet location if the software updates are signed in the Trusted Publishers certificate store on the local computer. For more information about the Group Policy settings that are required for Updates Publisher, see Updates Publisher 2011 Documentation Library.

Automatic Updates Configuration

Automatic Updates allows security updates and other important downloads to be received on client computers. Automatic Updates is configured through the Configure Automatic Updates Group Policy setting or through the Control Panel on the local computer. When Automatic Updates is enabled, client computers will receive update notifications and, depending on the configured settings, the client computers will download and install the required updates. When Automatic Updates coexists with software updates, each client computer might display notification icons and popup display notifications for the same update. Also, when a restart is required, each client computer might display a restart dialog box for the same update.

Self Update
When Automatic Updates is enabled on client computers, the WUA automatically performs a selfupdate when a newer version becomes available or when there are problems with a WUA
1655

component. When Automatic Updates is not configured or is disabled, and client computers have an earlier version of the WUA, the client computers must run the WUA installation file.

Remove the Software Update Point Site System Role

You can remove the software update point site system role at a site from the Configuration Manager console. The client policy is updated to remove the software update point from the list. When you remove the last software update point at the site, the software update point list will contain no software update points, and software updates is essentially disabled at the site. Starting with Configuration Manager SP1, when you have more than one software update point at a primary site and you remove the software update point that is configured as the synchronization source, you must choose another software update point at the site to be the new synchronization source. Note When you remove the software update point site role from a site system, wait at least 15 minutes before you reinstall the software update point site role. Use the following procedure to remove a software update point. To remove the software update point 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, and then click Servers and Site System Roles. 3. Select the site system server with the software update point to remove, and then in Site System Roles, select Software update point. 4. On the Site Role tab, in the Site Role group, click Remote Role. Confirm that you want to remove the software update point. Or, in Configuration Manager SP1, select a new synchronization source for the other software update points at the site.

See Also
Software Updates in Configuration Manager

How to Configure a Software Update Point to Use Network Load Balancing (NLB) Cluster
Note The information in this topic applies only to System Center 2012 Configuration Manager SP1.
1656

This topic provides the steps for how to configure Network Load Balancing (NLB) in Configuration Manager with no service pack. NLB can increase the reliability and performance of a network. You can set up multiple WSUS servers that share a single SQL Server failover cluster, and then configure a software update point to use the NLB, but this configuration requires that you perform additional steps during WSUS setup. Note The maximum number of WSUS servers that can be configured as part of a network load balancing cluster is four. Use the following sections to configure an active software update point to use an NLB cluster: Prepare the network environment for network load balanced software update point site systems. Install WSUS 3.0 (on each server that will host the software update point site system role). Install the software update point site system role (on each server that will be part of the software update point network load balancing cluster). Configure the Windows Server network load balancing cluster for installed software update site systems. Configure the active software update point component for the Configuration Manager site as the software update point network load balancing cluster.

Configure WSUS for Network Load Balancing

Prepare the Network Environment for NLB Software Update Point Site Systems
Use the following procedure to prepare the network environment for the software update point to use an NLB cluster. To prepare the network environment for NLB software update point site systems 1. Create or identify a domain user account to be used as the Software Update Point Connection account. 2. Add the computer accounts of each site system that will be configured as part of the software update point NLB cluster to the local Administrators group on each server that will be part of the NLB cluster. Note The computer accounts for the cluster nodes must be able to write to the WSUS database. If the local Administrators group is removed from the SysAdmin role on the SQL server, the computer accounts will not be able to write to the WSUS database, and the software update point will fail to install until the computer accounts are added to the SysAdmin role. 3. Create a DFS share or a standard network shared folder that is available to all of the WSUS servers that will be part of the software update point NLB cluster to be used as the
1657

WSUS resource content share. Each of the remote WSUS servers should be given change permissions on the root of the shared folder (all standard NTFS permissions except for Full Control). If the share is created on one of the site systems that will be part of the NLB cluster, the Network Access Account for the site system must have change permissions on the root of the shared folder. The user account used to run WSUS Setup must also have the same permissions to the share. 4. Identify the computer running SQL Server to host the WSUS database. The WSUS database can be installed on the same SQL Server database server instance that hosts the site database or a different SQL Server database server. Note For a list of supported SQL Server versions that you can use for site systems in Configuration Manager, see SQL Server Site Database Configurations. 5. The WSUS 3.0 Administration console must be installed on the primary site server to allow the site server and remote Configuration Manager consoles to configure and synchronize with WSUS. 6. If the Configuration Manager site is configured to communicate by using SSL authentication, Web server signing certificates must be configured on each of the software update point site systems that will be configured as part of the NLB. For more information about configuring Web server signing certificates for network load balanced software update points, see PKI Certificate Requirements for Configuration Manager.

Install WSUS 3.0 (on each server that will host the software update point site system role)
Note The following procedure must be performed on each server that will be part of the software update point NLB cluster. To install WSUS 3.0 to support the Configuration Manager software update point site system role 1. On a server that will be part of the software update point NLB cluster, create the following folder: <Program Files directory>\Update Services. 2. Install WSUS 3.0 on each server that will be a member of the software update point NLB cluster. For more information about installing WSUS, see Install the WSUS 3.0 SP2 Server Software Though the User Interface in the Windows Server Update Services documentation library. During installation, consider the following settings: On the Select Update Source page, select the Store updates locally check box and enter the path <Program Files directory>\Update Services. On the Database Options page, do one of the following. If you are running WSUS Setup on the server hosting the WSUS SQL Server database, select Use an existing database server on this computer select the
1658

instance name to be used from the drop-down list. If you are running WSUS Setup on a computer that will not host the WSUS SQL Server database, select Use an existing database server on a remote computer and enter the FQDN of the SQL Server that will host the WSUS database followed by the instance name (if not using the default instance). Warning If another WSUS Server that will be part of the NLB cluster has been configured to use the same SQL Server database server, select Use existing database. 3. Add the Software Update Point Connection Account to the local WSUS Administrators group on the server. 4. On the SQL Server computer that hosts the WSUS database, provide dbo_owner rights on the SUSDB database for the Software Update Point Connection Account. 5. Configure Internet Information Services (IIS) to enable content share access. a. Open the Internet Information Services (IIS) Manager console. b. Expand <server name>, expand Sites, and then expand the Site node for the WSUS Web site (either Default Web Site or WSUS Administration). c. Configure the virtual directory Content to use the UNC share name of the share created in step 3 of the To prepare the network environment for NLB software update point site systems procedure in this topic.

d. Configure the credentials used to connect to the virtual directory with the user name and password of the Software Update Point Connection Account created in step 1 of the To prepare the network environment for NLB software update point site systems procedure in this topic. 6. Configure SSL authentication in Internet Information Services (IIS). Important This step is only required if the software update point will be configured to communicate by using SSL. If you are not configuring the software update point to use SSL, skip to step 6. a. Open Internet Information Services (IIS) Manager. b. Expand Web Sites, and then expand the WSUS administration Web site (either Default Web Site or WSUS Administration). c. Configure the following virtual directories of the WSUS administration Web site to use SSL:APIRemoting30, ClientWebService, DSSAuthWebService, ServerSyncWebService, and SimpleAuthWebService.

d. Close Internet Information Services (IIS) Manager. e. Run the following command from <WSUS Installation Folder>\Tools: WSUSUtil.exe configuressl <Intranet FQDN of the software update point site system node>. 7. Move the local content directory to the WSUS resource content share created in step 3 of the To prepare the network environment for NLB software update point site systems procedure in this topic.
1659

Important This step must be followed for each of the front-end WSUS servers that are not on the same server as the WSUS resource content share a. Open a command window and navigate to the WSUS tools directory on the WSUS server: cd Program Files\Update Services\Tools b. On the first WSUS server to be configured, at the command prompt, type the following command: wsusutil movecontent<WSUSContentsharename><logfilename> Where <WSUSContentsharename> is the name of the WSUS content resource location share to which the content should be moved, and logfilename is the name of the log file that will be used to record the content move procedure. c. On the successive WSUS servers to be configured, at the command prompt type the following command: wsusutil movecontent<WSUSContentsharename><logfilename>/skipcopy Where <WSUSContentsharename> is the name of the WSUS content resource location share to which the content should be moved, and logfilename is the name of the log file that will be used to record the content move procedure. Note To verify that the content move was successful, review the log file created during the procedure and use registry editor to review the HKEY_LOCAL_MACHINE\Software\Microsoft\Update Services\Server\Setup|ContentDir registry key to ensure that the value has been changed to the WSUS content resource location share name.

Install the Software Update Point Site System Role

Use the following procedure on each software update point that will be part of the software update point NLB cluster. To install the software update point site system role on servers that will be part of the network load balancing cluster 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration and click Servers and Site System Roles. 3. Add the software update point site system role to a new or existing site system server by using the associated step: Note For more information about installing site system roles, see Install and Configure
1660

Site System Roles for Configuration Manager. New site system server: On the Home tab, in the Create group, click Create Site System Server. The Create Site System Server Wizard opens. Existing site system server: Click the server in which you want to install the software update point site system role. When you click a server, a list of the site system roles that are already installed on the server are displayed in the details pane. On the Home tab, in the Server group, click Add Site System Role. The Add Site System Roles Wizard opens. 4. On the General page, specify the general settings for the site system server. When you add the software update point to an existing site system server, verify the values that were previously configured. 5. On the System Role Selection page, select Software update point from the list of available roles, and then click Next. 6. On the Software Update Point page, specify whether the site server will use a proxy server when software updates are synchronized and when downloading software update files, and whether to use credentials to connect to the proxy server. Click Next. 7. On the Active Settings page, click Next, and then click Close to exit the wizard and create the non-active software update point.

Configure the Windows Server Network Load Balancing Cluster for Installed Software Update Point Site Systems
To configure the Windows Server network load balancing cluster for installed software update point site systems 1. To configure the Windows Server NLB cluster for installed software update point site systems, follow the instructions for deploying NLB for the operating system running on the site system. For Windows Server 2008 and Windows Server 2008 R2, see the Network Load Balancing Deployment Guide. 2. After you verify that the NLB cluster is operating successfully, you can configure the active software update point to use the NLB cluster.

Configure the Active Software Update Point to Use an NLB Cluster

Use the following procedure to configure the active software update point for the site to use an NLB cluster. To configure the active software update point to use an NLB cluster
1661

1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration and click Servers and Site System Roles. 3. On the Home tab, click Configure Site Components, and then click Software Update Point. The Software Update Point Component Properties opens. 4. On the General tab, select Use Network Load Balancing cluster for active software update point. 5. 6. Click Settings and configure the following NLB settings: a. NLB address type: Select FQDN. b. Intranet FQDN or IP address: Enter the FQDN that you created in step 6 of Prepare the Network Environment for NLB Software Update Point Site Systems. Click OK. 7. Click Set, and then select to configure the Software Update Point Connection Account to use the Windows user account that you created in step 1 of the To prepare the network environment for NLB software update point site systems procedure in this topic. Select Existing account to specify a Windows user account that has previously been configured as a Configuration Manager account or select New account to specify a Windows user account that is not currently configured as a Configuration Manager account. The user is displayed in the Accounts subfolder of the Security node in the Administration workspace with the Software Update Point Connection Account name. Click OK 8. Determine the communication settings that you want to use for the active software update point, and then click OK.

See Also
Configuring Software Updates in Configuration Manager

How to Determine the Port Settings Used by WSUS

When you install and configure a software update point in System Center 2012 Configuration Manager, the port settings used by the Microsoft Windows Server Update Services (WSUS) server must be specified. Use one of the following procedures to determine the port settings used by WSUS. To determine the port settings in IIS 6.0 1. On the WSUS server, open Internet Information Services (IIS) Manager.
1662

2. Expand Web Sites, right-click the Web site for the WSUS server, and then click Properties. 3. Click the Web Site tab. The HTTP port setting is displayed in TCP port, and the HTTPS port setting is displayed in SSL port. To determine the port settings used in IIS 7.0 1. On the WSUS server, open Internet Information Services (IIS) Manager. 2. Expand Sites, right-click the Web site for the WSUS server, and then click Edit Bindings. In the Site Bindings dialog, the HTTP and HTTPS port values are displayed in the Port column.

See Also
Configuring Software Updates in Configuration Manager

How to Enable CRL Checking for Software Updates

By default, the certificate revocation list (CRL) is not checked when verifying the signature on System Center 2012 Configuration Manager software updates. Checking the CRL each time a certificate is used offers more security against using a certificate that has been revoked, but it introduces a connection delay and incurs additional processing on the computer performing the CRL check. If used, CRL checking must be enabled on the Configuration Manager consoles that process software updates. To enable CRL checking On the computer performing the CRL check, from the product DVD, run the following from a command prompt: \SMSSETUP\BIN\X64\<language>\UpdDwnldCfg.exe /checkrevocation. For example, for English (US) you would run \SMSSETUP\BIN\X64\00000409\UpdDwnldCfg.exe /checkrevocation

See Also
Configuring Software Updates in Configuration Manager

1663

Operations and Maintenance for Software Updates in Configuration Manager

The overall process for software updates in System Center 2012 Configuration Manager includes four main operational phases: synchronization, compliance assessment, deployment, and monitoring. The synchronization phase is the process of synchronizing the software update metadata from Microsoft Update and inserting it into the site server database. The compliance assessment phase is the process that client computers perform to scan for compliance of software updates and report the compliance state for the software updates. The deployment phase is the process of manually or automatically deploying the software updates to clients. Finally, the monitoring phase is the process of follow-on monitoring for software update deployment compliance. Important Before software update compliance assessment data is displayed in the Configuration Manager console and before you can deploy the software updates to clients, you must carefully plan for the software updates in your hierarchy and configure the software update dependences to meet the needs of your environment. For more information about planning for software updates, see Planning for Software Updates in Configuration Manager. For more information about configuring software updates, see Configuring Software Updates in Configuration Manager. The following sections in this topic will help you with the operational phases for software updates in Configuration Manager: Synchronize Software Updates Download Software Updates Manage Software Update Settings Review Software Updates Information Software Update Details Content Information Custom Bundle Information Supersedence Information Set Maximum Run Time Enable Network Access Protection (NAP) Evaluation Set Custom Severity

Configure Software Updates Settings

Add Software Updates to an Update Group Deploy Software Updates Manually Deploy Software Updates Automatically Deploy Software Updates

Monitor software updates

1664

Synchronize Software Updates

Software update synchronization in Configuration Manager is the process of retrieving the software update metadata that meets the criteria that you configure. The software update point on the central administration site, or on a stand-alone primary site, retrieves the metadata from Microsoft Update on a predetermined schedule. Alternatively, you can manually initiate metadata synchronization from the Configuration Manager console. After the software update synchronization is complete at a central administration site, the site sends the child primary sites a synchronization request that instructs them to initiate synchronization. For more information about software update synchronization, see the Software Updates Synchronization section in the Introduction to Software Updates in Configuration Manager topic. You configure software update synchronization to run on a schedule as part of the properties for the software update point on the top-level site. After you configure the synchronization schedule you will typically not change the schedule as part of normal operations. However, you can manually initiate software update synchronization when it is necessary. For information about configuring the software update synchronization schedule, see the Synchronize Software Updates section in the Configuring Software Updates in Configuration Manager topic. Use the following procedure to manually initiate software update synchronization. To manually initiate software updates synchronization on the central administration site 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Software Updates, and click All Software Updates or Software Update Groups. 3. On the Home tab, in the Create group, click Synchronize Software Updates. Click Yes to confirm that you want to initiate the synchronization process. After you initiate the synchronization process, you can use the Configuration Manager console to monitor the process for all software update points in your hierarchy. Use the following procedure to monitor the software update synchronization process. To monitor the software update synchronization process 1. In the Configuration Manager console, click Monitoring. 2. In the Monitoring workspace, click Software Update Point Synchronization Status. The results pane displays the software update points in your Configuration Manager hierarchy. From this view, you can monitor the synchronization status for all software update points. To obtain more detailed information about the synchronization process, review the wsyncmgr.log file, which is located in <ConfigMgrInstallationPath>\Logs on each site server.

1665

Download Software Updates

There are several methods available to you for downloading software updates in Configuration Manager. When you create an automatic deployment rule or manually deploy software updates, the software updates are downloaded to the content library on the site server, and then copied to the content library on the distribution points that are associated with the configured deployment package. If you want to download the software updates before you deploy them, you can use the Download Updates Wizard. Doing this will enable you to verify that the software updates are available on distribution points before you deploy the software updates to client computers. Note For information about monitoring content status, see the Content Status Monitoring section in this topic. Use the following procedure to download software updates by using the Download Software Updates Wizard. To download software updates 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, click Software Updates. 3. Choose the software update to download by using one of the following methods: Select one or more software update groups from Software Update Groups, and then, on the Home tab, in the Update Group group, click Download. Select one or more software updates from All Software Updates, and then, on the Home tab, in the Update group, click Download. Note On the All Software Updates node, Configuration Manager displays only software updates with a Critical and Security classification that have been released in the last 30 days. Tip Click Add Criteria to filter the software updates that are displayed in the All Software Updates node, save search criteria that you often use, and then manage saved searches on the Search tab. The Download Software Updates Wizard opens. 4. On the Deployment Package page, configure the following settings: a. Select deployment package: Choose this setting to select an existing deployment package for the software updates that are in the deployment. Note Software updates that have already been downloaded to the selected deployment package will not be downloaded again. b. Create a new deployment package: Select this setting to create a new deployment
1666

package for the software updates that are in the deployment. Configure the following settings: Name: Specifies the name of the deployment package. The package must have a unique name that briefly describes the package content. It is limited to 50 characters. Description: Specifies the description of the deployment package. The package description provides information about the package contents and is limited to 127 characters. Package source: Specifies the location of the software update source files. Type a network path for the source location, for example, \\server\sharename\path, or click Browse to find the network location. You must create the shared folder for the deployment package source files before you proceed to the next page. Note The deployment package source location that you specify cannot be used by another software deployment package. Security The SMS Provider computer account and the user that is running the wizard to download the software updates must both have Write NTFS permissions on the download location. You should carefully restrict access to the download location in order to reduce the risk of attackers tampering with the software update source files. Important You can change the package source location in the deployment package properties after Configuration Manager creates the deployment package. But if you do so, you must first copy the content from the original package source to the new package source location. Click Next. 5. On the Distribution Points page, specify the distribution points or distribution point groups that will host the software update files, and then click Next. For more information about distribution points, see Planning for Content Management in Configuration Manager. Note The Distribution Points page is available only when you create a new software update deployment package. 6. On the Distribution Settings page, specify the following settings: Distribution priority: Use this setting to specify the distribution priority for the deployment package. The distribution priority applies when the deployment package is sent to distribution points at child sites. Deployment packages are sent in priority order: High, Medium, or Low. Packages with identical priorities are sent in the order in which they were created. If there is no backlog, the package will process immediately regardless of its priority. By default, packages are sent using Medium
1667

priority. Distribute the content for this package to preferred distribution points: Use this setting to enable on-demand content distribution to preferred distribution points. When this setting is enabled, the management point creates a trigger for the distribution manager to distribute the content to all preferred distribution points when a client requests the content for the package and the content is not available on any preferred distribution points. For more information about preferred distribution points and on-demand content, see Planning for Preferred Distribution Points and Fallback in Planning for Content Management in Configuration Manager. Prestaged distribution point settings: Use this setting to specify how you want to distribute content to prestaged distribution points. Choose one of the following options: Automatically download content when packages are assigned to distribution points: Use this setting to ignore the prestage settings and distribute content to the distribution point. Download only content changes to the distribution point : Use this setting to prestage the initial content to the distribution point, and then distribute content changes to the distribution point. Manually copy the content in this package to the distribution point : Use this setting to always prestage content on the distribution point. This is the default setting.

For more information about prestaging content to distribution points, see the Prestage Content section in the Operations and Maintenance for Content Management in Configuration Manager topic. Click Next. 7. On the Download Location page, specify location that Configuration Manager will use to download the software update source files. As needed, use the following options: Download software updates from the Internet: Select this setting to download the software updates from the location on the Internet. This is the default setting. Download software updates from a location on the local network: Select this setting to download software updates from a local folder or shared network folder. Use this setting when the computer running the wizard does not have Internet access. Note When you use this setting, download the software updates from any computer with Internet access, and then copy the software updates to a location on the local network that is accessible from the computer running the wizard. Click Next. 8. On the Language Selection page, specify the languages for which the selected software updates are to be downloaded, and then click Next. Configuration Manager downloads the software updates only if they are available in the selected languages. Software
1668

updates that are not language-specific are always downloaded. 9. On the Summary page, verify the settings that you selected in the wizard, and then click Next to download the software updates. 10. On the Completion page, verify that the software updates were successfully downloaded, and then click Close.

Manage Software Update Settings

The software update properties provide information about software updates and associated content. You can also use these properties to configure settings for software updates. When you open the properties for multiple software updates, only the Maximum Run Time and Custom Severity tabs are displayed. The NAP Evaluation tab is also displayed if all selected software updates have been downloaded. Use the following procedure to open software update properties. To open software update properties 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Software Updates, and click All Software Updates. 3. Select one or more software updates, and then, on the Home tab, click Properties in the Properties group. Note On the All Software Updates node, Configuration Manager displays only the software updates that have a Critical and Security classification and that have been released in the last 30 days.

Review Software Updates Information

In software update properties, you can review detailed information about a software update. The detailed information is not displayed when you select more than one software update. The following sections describe the information that is available for a selected software update.

Software Update Details

In the Update Details tab, you can view the following summary information about the selected software update: Bulletin ID: Specifies the bulletin ID that is associated with security software updates. You can find security bulletin details by searching on the bulletin ID at the Microsoft Security Bulletin Search Web page. Article ID: Specifies the article ID for the software update. The referenced article provides more detailed information about the software update and the issue that the software update fixes or improves.
1669

Date revised: Specifies the date that the software update was last modified. Maximum severity rating: Specifies the vendor-defined severity rating for the software update. Description: Provides an overview of what condition the software update fixes or improves. Applicable languages: Lists the languages for which the software update is applicable. Affected products: Lists the products for which the software update is applicable.

Content Information
In the Content Information tab, review the following information about the content that is associated with the selected software update: Content ID: Specifies the content ID for the software update. Downloaded: Indicates whether Configuration Manager has downloaded the software update files. Language: Specifies the languages for the software update. Source Path: Specifies the path to the software update source files. Size (MB): Specifies the size of the software update source files.

Custom Bundle Information

In the Custom Bundle Information tab, review the custom bundle information for the software update. When the selected software update contains bundled software updates that are contained in the software update file, they are displayed in the Bundle information section. This tab does not display bundled software updates that are displayed in the Content Information tab, such as update files for different languages.

Supersedence Information
On the Supersedence Information tab, you can view the following information about the supersedence of the software update: This update has been superseded by the following updates: Specifies the software updates that supersede this update, which means that the updates listed are newer. In most cases, you will deploy one of the software updates that supersedes the software update. The software updates that are displayed in the list contain hyperlinks to webpages that provide more information about the software updates. When this update is not superseded, None is displayed. This update supersedes the following updates: Specifies the software updates that are superseded by this software update, which means this software update is newer. In most cases, you will deploy this software update to replace the superseded software updates. The software updates that are displayed in the list contain hyperlinks to web pages that provide more information about the software updates. When this update does not supersede any other update, None is displayed.

1670

Configure Software Updates Settings

In the properties, you can configure software update settings for one or more software updates. You can configure most software update settings only at the central administration site or standalone primary site. The following sections will help you to configure settings for software updates.

Set Maximum Run Time

In the Maximum Run Time tab, set the maximum amount of time a software update is allotted to complete on client computers. If the update takes longer than the maximum run-time value, Configuration Manager creates a status message and stops monitoring the deployment for the software updates installation. You can configure this setting only on the central administration site or a stand-alone primary site. Configuration Manager also uses this setting to determine whether to initiate the software update installation within a configured maintenance window. If the maximum run-time value is greater than the available remaining time in the maintenance window, the software updates installation is postponed until the start of the next maintenance window. When there are multiple software updates to be installed on a client computer with a configured maintenance window (timeframe), the software update with the lowest maximum run time installs first, then the software update with the next lowest maximum run time installs next, and so on. Before it installs each software update, the client verifies that the available maintenance window will provide enough time to install the software update. After a software update starts installing, it will continue to install even if the installation goes beyond the end of the maintenance window. For more information about maintenance windows, see the Configure Maintenance Windows section in the Configuring Settings for Client Management in Configuration Manager topic. On the Maximum Run Time tab, you can view and configure the following settings: Maximum run time: Specifies the maximum number of minutes allotted for a software update installation to complete before the installation is no longer monitored by Configuration Manager. This setting is also used to determine whether there is enough available time remaining to install the update before the end of a maintenance window. The default setting is 60 minutes for service packs and 5 minutes for all other software update types. Values can range from 5 to 9999 minutes. Important Be sure to set the maximum run time value smaller than the configured maintenance window time. Otherwise, the software update installation will never initiate.

Enable Network Access Protection (NAP) Evaluation

Use the settings on the NAP Evaluation tab to specify whether the software update is required for compliance when using NAP. You can enable NAP evaluation to include the software update in a NAP policy that will become effective on clients according to the configured schedule. When the policy becomes effective, these clients might have restricted access until they comply with the selected software update. Network restriction and remediation behavior depends upon how the

1671

policies are configured on the Windows Network Policy Server. You can configure this setting only on the central administration site or a stand-alone primary site. You can configure the following settings on the NAP Evaluation tab: Set the effective data for all selected objects: Specifies whether the selected software updates are included in the NAP policy and evaluated on clients. This setting is displayed only when you select more than one software update. Enable NAP evaluation: Specifies whether the selected software updates are included in the NAP policy and evaluated on clients. As soon as possible: Specifies that the software update is included in the NAP policy and becomes effective on clients as soon as possible. Date and time: Specifies that the software update is included in the NAP policy and becomes effective on clients on the specified date and time.

Client Behavior When Effective Date Becomes Current The effective date is when a Configuration Manager NAP policy becomes active on specified clients. When the effective date occurs, the client computer will assess its compliance status by verifying whether it requires the software update that is listed in the policy. If it is not compliant, the required software update can be enforced through remediation. The client might have restricted network access until remediation is successful. Remediation and restriction are controlled by policies configured on the Microsoft Windows Network Policy Server. Considerations for Configuring the Effective Date Most Configuration Manager clients will have the required software updates installed through the normal software update deployment. It is a precautionary measure to set an effective date after the deadline for a software update deployment in order to handle the few computers that do not install the software update through standard operating procedures. However, unlike the standard software update process, NAP has the ability to restrict network access until the software updates in the Configuration Manager NAP policy are installed. Setting an aggressive effective date has the following risks: More clients might have restricted network access until remediation is successful. This, in turn, increases the load on remediation servers, such as the distribution points that host the software updates, and the software update points. The deployment packages that contain the required software updates might not have sufficient time to replicate to the remediation distribution points before the effective date occurs.

You can configure the effective date in a Configuration Manager NAP policy to be a date in the future, or As soon as possible. Select As soon as possible only if one of the following applies: The Windows Network Policy Server will not restrict network access for non-compliant computers. The risk of a non-compliant computer having full network access is greater than the risk of it having restricted network access and being unable to remediate in the event that the software update is not yet replicated to the remediation distribution points.
1672

Set Custom Severity

In the properties for a software update, you can use the Custom Severity tab to configure custom severity values for the software updates. This may be necessary if the predefined severity values do not meet your needs. The custom values are listed in the Custom Severity column in the Configuration Manager console. You can sort the software updates by the defined custom severity values and can also create queries and reports that can filter on these values. You can configure this setting only on the central administration site or stand-alone primary site. You can configure the following settings on the Custom Severity tab. Custom severity: Sets a custom severity value for the software updates. Select Critical, Important, Moderate, or Low from the list. By default, the custom severity value is empty.

Add Software Updates to an Update Group

Software update groups provide you with an effective method to organize software updates in your environment. You can manually add software updates to a software update group or automatically add software updates to a software update group by using an automatic deployment rule. You can also deploy a software update group manually or deploy the group automatically by using an automatic deployment rule. After you deploy a software update group, you can add new software updates to the group and Configuration Manager will automatically deploy them. Use the following procedures to add software updates to a new or existing software update group. To add software updates to a new software update group 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Software Updates, and then click All Software Updates. 3. Select the software updates to be added to the new software update group. 4. On the Home tab, in the Update group, click Create Software Update Group. 5. Specify the name for the software update group and optionally provide a description. Use a name and description that provide enough information for you to determine what type of software updates are in the software update group. To proceed, click Create. 6. Click Software Update Groups to display the new software update group. 7. Select the software update group, and in the Home tab, in the Update group, click Show Members to display a list of the software updates that are included in the group. To add software updates to an existing software update group 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Software Updates, and then click All Software Updates. 3. Select the software updates that you want to add to the new software update group.

1673

Note On the All Software Updates node, by default, Configuration Manager displays only software updates with a Critical and Security classification and that were released in the last 30 days. 4. On the Home tab, in the Update group, click Edit Membership. 5. Select the software update group into which you want to add the software updates. 6. Click the Software Update Groups node to display the software update group. 7. Select the software update group, and in the Home tab, in the Update group, click Show Members to display a list of the software updates that are included in the software update group.

Deploy Software Updates

The software update deployment phase is the process of deploying the software updates. Typically, you add software updates to a software update group and then deploy the software update group to clients. When you create the deployment, the software update policy is sent to client computers, the software update content files are downloaded from a distribution point to the local cache on the client computer, and then the software updates are available for installation on the client. Clients on the Internet download content from Microsoft Update. Note Starting in Configuration Manager SP1, you can configure a client on the intranet to download software updates from Microsoft Update if a distribution point is not available. Note Unlike other deployment types, software updates are all downloaded to the client cache regardless of the maximum cache size setting on the client. For more information about the client cache setting, see the Configure the Client Cache for Configuration Manager Clients section in the How to Manage Clients in Configuration Manager topic. If you configure a required software update deployment, the software updates are automatically installed at the scheduled deadline. Alternatively, the user on the client computer can schedule or initiate the software update installation prior to the deadline. After the attempted installation, client computers send state messages back to the site server to report whether the software update installation was successful. For more information about software update deployments, see the Software Update Deployment Workflows section in the Introduction to Software Updates in Configuration Manager topic. There are two main scenarios for deploying software updates: manual deployment and automatic deployment. Typically, you will initially manually deploy software updates to create a baseline for your client computers, and then you will manage software updates on clients by using automatic deployment. The following sections provide information and procedures for manual and automatic deployment workflows for software updates.
1674

Manually Deploy Software Updates

A manual software update deployment is the process of selecting software updates from the Configuration Manager console and manually initiating the deployment process. Or, you can add selected software updates to an update group, and then manually deploy the update group. You will typically use manual deployment to get your client devices up-to-date with required software updates before you create automatic deployment rules that will manage ongoing monthly software update deployments. You will also use a manual method to deploy out-of-band software updates. The following sections provide the general workflow for manual deployment of software updates.

Step 1: Specify Search Criteria for Software Updates

There are potentially thousands of software updates displayed in the Configuration Manager console. The first step in the workflow for manually deploying software updates is to identify the software updates that you want to deploy. For example, you could provide criteria that retrieves all software updates that are required on more than 50 client devices and that have a Security or Critical software update classification. Important The maximum number of software updates that can be included in a single software update deployment is 1000. To specify search criteria for software updates 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Software Updates, and click All Software Updates. The synchronized software updates are displayed. Note On the All Software Updates node, Configuration Manager displays only software updates with a Critical and Security classification and have been released in the last 30 days. 3. In the search pane, filter to identify the software updates that you need by using one or both of the following steps: In the search text box, type a search string that will filter the software updates. For example, type the article ID or bulletin ID for a specific software update, or enter a string that would appear in the title for several software updates. Click Add Criteria, select the criteria that you want to use to filter software updates, click Add, and then provide the values for the criteria.

4. Click Search to filter the software updates. Tip You have the option to save the filter criteria on the Search tab and in the Save group.
1675

Step 2: Create a Software Update Group that Contains the Software Updates
Software update groups provide an effective method for you to organize software updates in preparation for deployment. You can manually add software updates to a software update group or Configuration Manager can automatically add software updates to a new or existing software update group by using an automatic deployment rule. Use the following procedures to manually add software updates to a new software update group. To manually add software updates to a new software update group 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, click Software Updates. 3. Select the software updates that are to be added to the new software update group. 4. On the Home tab, in the Update group, click Create Software Update Group. 5. Specify the name for the software update group and optionally provide a description. Use a name and description that provide enough information for you to determine what type of software updates are in the software update group. To proceed, click Create. 6. Click the Software Update Groups node to display the new software update group. 7. Select the software update group, and in the Home tab, in the Update group, click Show Members to display a list of the software updates that are included in the group.

Step 3: Download the Content for the Software Update Group

Optionally, before you deploy the software updates, you can download the content for the software updates that are included in the software update group. You might choose to do this so you can verify that the content is available on the distribution points before you deploy the software updates. This will help you to avoid any unexpected issues with the content delivery. You can skip this step and the content will be downloaded and copied to the distribution points as part of the deployment process. Use the following procedure to download the content for software updates in the software update group. To download content for the software update group 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Software Updates, and click Software Update Groups. 3. Select the software update group for which you want to download content. 4. On the Home tab, in the Update Group group, click Download. The Download Software Updates Wizard opens. 5. On the Deployment Package page, configure the following settings: a. Select deployment package: Select this setting to use an existing deployment package for the software updates in the deployment. Note
1676

Software updates that have already been downloaded to the selected deployment package are not downloaded again. b. Create a new deployment package: Select this setting to create a new deployment package for the software updates in the deployment. Configure the following settings: Name: Specifies the name of the deployment package. This must be a unique name that describes the package content. It is limited to 50 characters. Description: Specifies the description of the deployment package. The package description provides information about the package contents and is limited to 127 characters. Package source: Specifies the location of the software update source files. Type a network path for the source location, for example, \\server\sharename\path, or click Browse to find the network location. You must create the shared folder for the deployment package source files before you proceed to the next page. Note The deployment package source location that you specify cannot be used by another software deployment package. Security The SMS Provider computer account and the user that is running the wizard to download the software updates must both have Write NTFS permissions on the download location. You should carefully restrict access to the download location in order to reduce the risk of attackers tampering with the software update source files. Important You can change the package source location in the deployment package properties after Configuration Manager creates the deployment package. But if you do so, you must first copy the content from the original package source to the new package source location. Click Next. 6. On the Distribution Points page, select the distribution points or distribution point groups that are used to host the software update files defined in the new deployment package, and then click Next. 7. On the Distribution Settings page, specify the following settings: Distribution priority: Use this setting to specify the distribution priority for the deployment package. The distribution priority applies when the deployment package is sent to distribution points at child sites. Distribution packages are sent in priority order: High, Medium, or Low. Packages with identical priorities are sent in the order in which they were created. If there is no backlog, the package will process immediately regardless of its priority. By default, packages are sent using Medium priority. Distribute the content for this package to preferred distribution points : Use this
1677

setting to enable on-demand content distribution to preferred distribution points. When this setting is enabled, the management point creates a trigger for the distribution manager to distribute the content to all preferred distribution points when a client requests the content for the package and the content is not available on any preferred distribution points. For more information about preferred distribution points and on-demand content, see the Planning for Preferred Distribution Points and Fallback section in the Planning for Content Management in Configuration Manager topic. Prestaged distribution point settings: Use this setting to specify how you want to distribute content to prestaged distribution points. Choose one of the following options: Automatically download content when packages are assigned to distribution points: Use this setting to ignore the prestage settings and distribute content to the distribution point. Download only content changes to the distribution point : Use this setting to prestage the initial content to the distribution point, and then distribute content changes to the distribution point. Manually copy the content in this package to the distribution point : Use this setting to always prestage content on the distribution point. This is the default setting.

For more information about prestaging content to distribution points, see the Prestage Content section in the Operations and Maintenance for Content Management in Configuration Manager topic. Click Next. 8. On the Download Location page, specify location that Configuration Manager will use to download the software update source files. As needed, use the following options: Download software updates from the Internet: Select this setting to download the software updates from the location on the Internet. This is the default setting. Download software updates from a location on the local network: Select this setting to download software updates from a local folder or shared network folder. Use this setting when the computer running the wizard does not have Internet access. Note When you use this setting, download the software updates from any computer with Internet access, and then copy the software updates to a location on the local network that is accessible from the computer running the wizard. Click Next. 9. On the Language Selection page, specify the languages for which the selected software updates are to be downloaded, and then click Next. Configuration Manager downloads the software updates only if they are available in the selected languages. Software updates that are not language-specific are always downloaded.
1678

10. On the Summary page, verify the settings that you selected in the wizard, and then click Next to download the software updates. 11. On the Completion page, verify that the software updates were successfully downloaded, and then click Close. 12. To monitor the content status for the software updates, click Monitoring in the Configuration Manager console. 13. In the Monitoring workspace, expand Distribution Status, and then click Content Status. 14. Select the software update package that you previously identified to download the software updates in the software update group. 15. On the Home tab, in the Content group, click View Status.

Step 4: Deploy the Software Update Group

After you determine which software updates you intend to deploy and add these software updates to a software update group, you can manually deploy the software updates in the software update group. Use the following procedure to manually deploy the software updates in a software update group. To manually deploy the software updates in a software update group 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Software Updates, and click Software Update Groups. 3. Select the software update group that you intend to deploy. 4. On the Home tab, in the Deployment group, click Deploy. The Deploy Software Updates Wizard opens. 5. On the General page, configure the following settings: Name: Specify the name for the deployment. The deployment must have a unique name that describes the purpose of the deployment, and differentiates it from other deployments in the Configuration Manager site. By default, Configuration Manager automatically provides a name for the deployment in the following format: Microsoft Software Updates - <date><time> Description: Specify a description for the deployment. The description provides an overview of the deployment and any other relevant information that helps to identify and differentiate the deployment among others in Configuration Manager site. The description field is optional, has a limit of 256 characters, and has a blank value by default. Software Update/Software Update Group: Verify that the displayed software update group, or software update, is correct. Select Deployment Template: Specify whether to apply a previously saved deployment template. You can configure a deployment template to contain multiple common software update deployment properties and then apply the template when you deploy subsequent software updates to ensure consistency across similar
1679

deployments and to save time. Collection: Specify the collection for the deployment, as applicable. Members of the collection receive the software updates that are defined in the deployment. Type of deployment: Specify the deployment type for the software update deployment. Select Required to create a mandatory software update deployment in which the software updates are automatically installed on clients before a configured installation deadline. Select Available to create an optional software update deployment that is available for users to install from Software Center. Important After you create the software update deployment, you cannot later change the type of deployment. Use Wake-on-LAN to wake up clients for required deployments: Specify whether to enable Wake On LAN at the deadline to send wake-up packets to computers that require one or more software updates in the deployment. Any computers that are in sleep mode at the installation deadline time will be awakened so the software update installation can initiate. Clients that are in sleep mode that do not require any software updates in the deployment are not started. By default, this setting is not enabled and is available only when Type of deployment is set to Required. Warning Before you can use this option, computers and networks must be configured for Wake On LAN. Detail level: Specify the level of detail for the state messages that are reported by client computers. Schedule evaluation: Specify whether the available time and installation deadline times are evaluated according to UTC or the local time of the computer running the Configuration Manager console. Software available time: Select one of the following settings to specify when the software updates will be available to clients: As soon as possible: Select this setting to make the software updates in the deployment available to clients as soon as possible. When the deployment is created, the client policy is updated, the clients are made aware of the deployment at their next client policy polling cycle, and then the software updates are available for installation. Specific time: Select this setting to make the software updates in the deployment available to clients at a specific date and time. When the deployment is created, the client policy is updated and clients are made aware of the deployment at their next client policy polling cycle. However, the software updates in the deployment are not available for installation until after the specified date and time.

6. On the Deployment Settings page, configure the following settings:

7. On the Scheduling page, configure the following settings:

Installation deadline: Select one of the following settings to specify the installation
1680

deadline for the software updates in the deployment. Note You can configure the installation deadline setting only when Type of deployment is set to Required on the Deployment Settings page. As soon as possible: Select this setting to automatically install the software updates in the deployment as soon as possible. Specific time: Select this setting to automatically install the software updates in the deployment at a specific date and time. Note The actual installation deadline time is the specific time that you configure plus a random amount of time up to 2 hours. This reduces the potential impact of all client computers in the destination collection installing the software updates in the deployment at the same time. Starting in Configuration Manager SP1, you can configure the Computer Agent client setting, Disable deadline randomization to disable the installation randomization delay for the required software updates. For more information, see the Computer Agent section in the About Client Settings in Configuration Manager topic. 8. On the User Experience page, configure the following settings: User notifications: Specify whether to display notification of the software updates in Software Center on the client computer at the configured Software available time and whether to display user notifications on the client computers. When Type of deployment is set to Available on the Deployment Settings page, you cannot select Hide in Software Center and all notifications. Deadline behavior: Specify the behavior that is to occur when the deadline is reached for the software update deployment. Specify whether to install the software updates in the deployment. Also specify whether to perform a system restart after software update installation regardless of a configured maintenance window. For more information about maintenance windows, see the Configure Maintenance Windows section in the Configuring Settings for Client Management in Configuration Manager topic. Device restart behavior: Specify whether to suppress a system restart on servers and workstations after software updates are installed and a system restart is required to complete the installation. Important Suppressing system restarts can be useful in server environments or for cases in which you do not want the computers that are installing the software updates to restart by default. However, doing so can leave computers in an insecure state, whereas allowing a forced restart helps to ensure immediate completion of the software update installation. . Write filter handling for Windows Embedded devices: For Configuration
1681

Manager SP1 only: When you deploy software updates to Windows Embedded devices that are write filter enabled, you can specify to install the software update on the temporary overlay and either commit changes later or commit the changes at the installation deadline or during a maintenance window. When you commit changes at the installation deadline or during a maintenance window, a restart is required and the changes persist on the device. Note When you deploy a software update to a Windows Embedded device, make sure that the device is a member of a collection that has a configured maintenance window. You can configure the Deadline behavior and Device restart behavior settings only when Type of deployment is set to Required on the Deployment Settings page. 9. On the Alerts page, configure how Configuration Manager and System Center Operations Manager will generate alerts for this deployment. You can configure alerts only when Type of deployment is set to Required on the Deployment Settings page. Warning You can review recent software updates alerts from the Software Updates node in the Software Library workspace. 10. On the Download Settings page, configure the following settings: Specify whether the client will download and install the software updates when a client is connected to a slow network or is using a fallback content location. Specify whether to have the client download and install the software updates from a fallback distribution point when the content for the software updates is not available on a preferred distribution point. Allow clients to share content with other clients on the same subnet : Specify whether to enable the use of BranchCache for content downloads. For more information about BranchCache, see the Planning for BranchCache Support section in the Planning for Content Management in Configuration Manager topic. For Configuration Manager SP1 only: Specify whether to have clients that are connected to the intranet download software updates from Microsoft Update if software updates are not available on distribution points. For Configuration Manager SP1 only: Specify whether to allow clients to download after an installation deadline when they use metered Internet connections. Internet providers sometimes charge by the amount of data that you send and receive when you are on a metered Internet connection. Note Clients request the content location from a management point for the software updates in a deployment. The download behavior depends upon how you have configured the distribution point, the deployment package, and the settings on this page. For more information, see the Planning for Preferred Distribution Points and Fallback section in the Planning for Content Management in
1682

Configuration Manager topic. 11. If you have performed Step 3: Download the Content for the Software Update Group, then the Deployment Package, Distribution Points, and Language Selection pages are not displayed, and you can skip to step 15 of the wizard. Important Software updates that have been previously downloaded to the content library on the site server are not downloaded again. This is true even when you create a new deployment package for the software updates. If all software updates have already been previously downloaded, the wizard skips to the Language Selection page (step 15). 12. On the Deployment Package page, select an existing deployment package or configure the following settings to specify a new deployment package: a. Name: Specify the name of the deployment package. This must be a unique name that describes the package content. It is limited to 50 characters. b. Description: Specify a description that provides information about the deployment package. The description is limited to 127 characters. c. Package source: Specify the location of the software update source files. Type a network path for the source location, for example, \\server\sharename\path, or click Browse to find the network location. You must create the shared folder for the deployment package source files before you proceed to the next page. Note The deployment package source location that you specify cannot be used by another software deployment package. Security The SMS Provider computer account and the user that is running the wizard to download the software updates must both have Write NTFS permissions on the download location. You should carefully restrict access to the download location in order to reduce the risk of attackers tampering with the software update source files. Important You can change the package source location in the deployment package properties after Configuration Manager creates the deployment package. But if you do so, you must first copy the content from the original package source to the new package source location. d. Sending priority: Specify the sending priority for the deployment package. Configuration Manager uses the sending priority for the deployment package when it sends the package to distribution points. Deployment packages are sent in priority order: High, Medium, or Low. Packages with identical priorities are sent in the order in which they were created. If there is no backlog, the package will process immediately regardless of its priority.
1683

13. On the Distribution Points page, specify the distribution points or distribution point groups that will host the software update files. For more information about distribution points, see Planning for Content Management in Configuration Manager. 14. On the Download Location page, specify whether to download the software update files from the Internet or from your local network. Configure the following settings: Download software updates from the Internet: Select this setting to download the software updates from a specified location on the Internet. This setting is enabled by default. Download software updates from a location on the local network: Select this setting to download the software updates from a local folder or shared network folder. This setting is useful when the computer that runs the wizard does not have Internet access. The software updates can be preliminarily downloaded from any computer that has Internet access and stored in a location on the local network for subsequent access for installation.

15. On the Language Selection page, select the languages for which the selected software updates are downloaded. The software updates are downloaded only if they are available in the selected languages. Software updates that are not language specific are always downloaded. By default, the wizard selects the languages that you have configured in the software update point properties. At least one language must be selected before proceeding to the next page. When you select only languages that are not supported by a software update, the download will fail for the software update. 16. On the Summary page, review the settings. To save the settings to a deployment template, click Save As Template, enter a name and select the settings that you want to include in the template, and then click Save. To change a configured setting, click the associated wizard page and change the setting. Warning The template name can consist of alphanumeric ASCII characters as well as \ (backslash) or (single quotation mark). 17. Click Next to deploy the software update. After you have completed the wizard, Configuration Manager downloads the software updates to the content library on the site server, distributes the software updates to the configured distribution points, and then deploys the software update group to clients in the target collection. For more information about the deployment process, see the Software Update Deployment Process section in the Introduction to Software Updates in Configuration Manager topic.

Automatically Deploy Software Updates

You can automatically deploy software updates by adding new software updates to an update group that has an active deployment or by using automatic deployment rules.

Add software updates to a deployed update group

After you create and deploy a software update group, you can add software updates to the update group and they will also be automatically deployed.
1684

Important When you add software updates to an existing software update group that has already been deployed, it might take several minutes before the additional software updates are added to the deployment. Use the following procedure to add software updates to an existing update group. To add software updates to an existing software update group 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, click Software Updates. 3. Select the software updates that are to be added to the new software update group. 4. On the Home tab, in the Update group, click Edit Membership. 5. Select the software update group to which you want to add the software updates as members. 6. Click the Software Update Groups node to display the software update group. 7. Click the software update group, and in the Home tab, in the Update group, click Show Members to display a list of the software updates in the group.

Create an Automatic Deployment Rule

You can automatically approve and deploy software updates by using an automatic deployment rule. This is a common method of deployment for monthly software updates ("Patch Tuesday") and for managing definition updates. When the automatic deployment rule runs, the software updates that meet a specified criteria are added to a software update group, the content files for the software updates are downloaded and copied to distribution points, and the software updates are deployed to client devices in the target collection. Warning Before you create an automatic deployment rule for the first time, verify that software updates synchronization has completed at the site. This is particularly important when you run Configuration Manager with a non-English language because software update classifications are displayed in English before the first synchronization, and then displayed in the localized language after software update synchronization completes. Rules that you create before you synchronize software updates might not work properly after synchronization because the text string might not match. Use the following procedure to create an automatic deployment rule. To create an automatic deployment rule 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Software Updates, and click Automatic Deployment Rules.
1685

3. On the Home tab, in the Create group, click Create Automatic Deployment Rule. The Create Automatic Deployment Rule Wizard opens. 4. On the General page, configure the following settings: Name: Specify the name for the automatic deployment rule. The name must be unique, help to describe the objective of the rule, and identify it from others in the Configuration Manager site. Description: Specify a description for the automatic deployment rule. The description should provide an overview of the deployment rule and any other relevant information that helps to identify and differentiate the rule among others in the Configuration Manager site. The description field is optional, has a limit of 256 characters, and has a blank value by default. Select Deployment Template: Specify whether to apply a previously saved deployment template. You can configure a deployment template to contain multiple common software update deployment properties that can then be used when creating automatic deployment rules. These templates help to ensure consistency across similar deployments and to save time. For Configuration Manager SP1 only: You can select from two built-in software update deployment templates from the Automatic Deployment Rule Wizard. The Definition Updates template provides common settings to use when you deploy definition software updates. The Patch Tuesday template provides common settings to use when you deploy software updates on a monthly cycle. Collection: Specifies the target collection to be used for the deployment. Members of the collection receive the software updates that are defined in the deployment. Decide whether to add software updates to a new or existing software update group. In most cases, you will probably choose to create a new software update group when the automatic deployment rule is run. However, you might choose to use an existing group if the rule runs on a more aggressive schedule. For example, if you will run the rule daily for definition updates, then you could add the software updates to an existing software update group. Enable the deployment after this rule is run: Specify whether to enable the software update deployment after the automatic deployment rule runs. Regarding this specification, consider the following: When you enable the deployment, the software updates that meet the criteria defined in the rule are added to a software update group, the software update content is downloaded as necessary, the content is copied to the specified distribution points, and the software updates are deployed to the clients in the target collection. When you do not enable the deployment, the software updates that meet the criteria defined in the rule are added to a software update group and the software updates deployment policy is configured but the software updates are not downloaded or deployed to clients. This situation provides you time as needed to prepare to deploy the software updates, verify that the software updates that meet the criteria are adequate, and then enable the deployment at a later time.

5. On the Deployment Settings page, configure the following settings:

1686

Use Wake-on-LAN to wake up clients for required deployments: Specifies whether to enable Wake On LAN at the deadline to send wake-up packets to computers that require one or more software updates in the deployment. Any computers that are in sleep mode at the installation deadline time will be awakened so the software update installation can initiate. Clients that are in sleep mode that do not require any software updates in the deployment are not started. By default, this setting is not enabled. Warning Before you can use this option, you must configure computers and networks for Wake On LAN.

Detail level: Specify the level of detail for the state messages that are reported by client computers. Important When you deploy definition updates, set the detail level to Error only to have the client report a state message only when a definition update fails to be delivered to the client. Otherwise, the client will report a large number of state messages that might impact performance on the site server.

License terms setting: Specify whether to automatically deploy software updates with associated license terms. Some software updates include license terms, such as a service pack. When you automatically deploy software updates, the license terms are not displayed and there is not an option to accept the license terms. You can choose to automatically deploy all software updates regardless of an associated license terms or only deploy software updates that do not have associated license terms. Warning To review the license terms for a software update, you can select the software update in the All Software Updates node of the Software Library workspace, and then on the Home tab, in the Update group, click Review License. To find software updates with associated license terms, you can add the License Terms column to the results pane in the All Software Updates node, and then click the heading for the column to sort by the software updates with license terms.

6. On the Software Updates page, configure the criteria for the software updates that the automatic deployment rule retrieves and adds to the software update group. Important The limit for software updates in the automatic deployment rule is 1000 software updates. To ensure that the criteria that you specify on this page retrieves less than 1000 software updates, consider setting the same criteria on the All Software Updates node in the Software Library workspace. 7. On the Evaluation Schedule page, specify whether to enable the automatic deployment
1687

rule to run on a schedule. When enabled, click Customize to set the recurring schedule. Important The software update point synchronization schedule is displayed to help you determine the frequency of the evaluation schedule. You should never set the evaluation schedule with a frequency that exceeds the software updates synchronization schedule. The start time configuration for the schedule is based on the local time of the computer that runs the Configuration Manager console. Note To manually run the automatic deployment rule, select the rule, and then click Run Now on the Home tab in the Automatic Deployment Rule group. Before you manually run the automatic deployment rule, verify that software updates synchronization has been run since the last time you ran the rule. Important The automatic deployment rule evaluation can run as often as three times per day. 8. On the Deployment Schedule page, configure the following settings: Schedule evaluation: Specify whether Configuration Manager evaluates the available time and installation deadline times by using UTC or the local time of the computer that runs the Configuration Manager console. Software available time: Select one of the following settings to specify when the software updates are available to clients: As soon as possible: Select this setting to make the software updates that are included in the deployment available to the client computers as soon as possible. When you create the deployment with this setting selected, Configuration Manager updates the client policy. Then, at the next client policy polling cycle, clients become aware of the deployment and can obtain the updates that are available for installation. Specific time: Select this setting to make the software updates that are included in the deployment available to the client computers at a specific date and time. When you create the deployment with this setting enabled, Configuration Manager updates the client policy. Then, at the next client policy polling cycle, clients become aware of the deployment. However, the software updates in the deployment are not available for installation until after the configured date and time.

Installation deadline: Select one of the following settings to specify the installation deadline for the software updates in the deployment: As soon as possible: Select this setting to automatically install the software updates in the deployment as soon as possible. Specific time: Select this setting to automatically install the software updates in the deployment at a specific date and time. Configuration Manager determines the deadline to install software updates by adding the configured Specific time
1688

interval to the Software available time. Note The actual installation deadline time is the displayed deadline time plus a random amount of time up to 2 hours. This reduces the potential impact of all client computers in the destination collection installing the software updates in the deployment at the same time. Starting in Configuration Manager SP1, you can configure the Computer Agent client setting Disable deadline randomization to disable the installation randomization delay for required software updates. For more information, see the Computer Agent section in the About Client Settings in Configuration Manager topic. 9. On the User Experience page, configure the following settings: User notifications: Specify whether to display notification of the software updates in Software Center on the client computer at the configured Software available time and whether to display user notifications on the client computers. Deadline behavior: Specify the behavior that is to occur when the deadline is reached for the software update deployment. Specify whether to install the software updates in the deployment. Also specify whether to perform a system restart after software update installation regardless of a configured maintenance window. For more information about maintenance windows, see the Configure Maintenance Windows section in the Configuring Settings for Client Management in Configuration Manager topic. Device restart behavior: Specify whether to suppress a system restart on servers and workstations after software updates are installed and a system restart is required to complete the installation. Important Suppressing system restarts can be useful in server environments or in cases in which you do not want the computers that are installing the software updates to restart by default. However, doing so can leave computers in an insecure state, whereas allowing a forced restart helps to ensure immediate completion of the software update installation. Write filter handling for Windows Embedded devices: For Configuration Manager SP1 only. When you deploy software updates to Windows Embedded devices that are write filter enabled, you can specify to install the software update on the temporary overlay and either commit changes later or commit the changes at the installation deadline or during a maintenance window. When you commit changes at the installation deadline or during a maintenance window, a restart is required and the changes persist on the device. Note When you deploy a software update to a Windows Embedded device, make sure that the device is a member of a collection that has a configured
1689

maintenance window. 10. On the Alerts page, configure how Configuration Manager and System Center Operations Manager will generate alerts for this deployment. Warning You can review recent software updates alerts from the Software Updates node in the Software Library workspace. 11. On the Download Settings page, configure the following settings: Specify whether the client will download and install the software updates when a client is connected to a slow network or is using a fallback content location. Specify whether to have the client download and install the software updates from a fallback distribution point when the content for the software updates is not available on a preferred distribution point. Allow clients to share content with other clients on the same subnet : Specify whether to enable the use of BranchCache for content downloads. For more information about BranchCache, see the Planning for BranchCache Support section in the Planning for Content Management in Configuration Manager topic. For Configuration Manager SP1 only: Specify whether to have clients that are connected to the intranet download software updates from Microsoft Update if software updates are not available on distribution points. For Configuration Manager SP1 only: Specify whether to allow clients to download after an installation deadline when they use metered Internet connections. Internet providers sometimes charge by the amount of data that you send and receive when you are on a metered Internet connection. Note Clients request the content location from a management point for the software updates in a deployment. The download behavior depends upon how you have configured the distribution point, deployment package, and the settings on this page. For more information, see the Planning for Preferred Distribution Points and Fallback section in the Planning for Content Management in Configuration Manager topic. 12. On the Deployment Package page, select an existing deployment package or configure the following settings to create a new deployment package: a. Name: Specify the name of the deployment package. This must be a unique name that describes the package content. It is limited to 50 characters. b. Description: Specify a description that provides information about the deployment package. The description is limited to 127 characters. c. Package source: Specifies the location of the software update source files. Type a network path for the source location, for example, \\server\sharename\path, or click Browse to find the network location. You must create the shared folder for the deployment package source files before you proceed to the next page. Note
1690

The deployment package source location that you specify cannot be used by another software deployment package. Security The SMS Provider computer account and the user that is running the wizard to download the software updates must both have Write NTFS permissions on the download location. You should carefully restrict access to the download location in order to reduce the risk of attackers tampering with the software update source files. Important You can change the package source location in the deployment package properties after Configuration Manager creates the deployment package. But if you do so, you must first copy the content from the original package source to the new package source location. d. Sending priority: Specify the sending priority for the deployment package. Configuration Manager uses the sending priority for the deployment package when it sends the package to distribution points. Deployment packages are sent in priority order: High, Medium, or Low. Packages with identical priorities are sent in the order in which they were created. If there is no backlog, the package will process immediately regardless of its priority. 13. On the Distribution Points page, specify the distribution points or distribution point groups that will host the software update files. For more information about distribution points, see Planning for Content Management in Configuration Manager. Note This page is available only when you create a new software update deployment package. 14. On the Download Location page, specify whether to download the software update files from the Internet or from your local network. Configure the following settings: Download software updates from the Internet: Select this setting to download the software updates from a specified location on the Internet. This setting is enabled by default. Download software updates from a location on the local network: Select this setting to download the software updates from a local directory or shared folder. This setting is useful when the computer that runs the wizard does not have Internet access. Any computer with Internet access can preliminarily download the software updates and store them in a location on the local network that is accessible from the computer that runs the wizard.

15. On the Language Selection page, select the languages for which the selected software updates are downloaded. The software updates are downloaded only if they are available in the selected languages. Software updates that are not language specific are always downloaded. By default, the wizard selects the languages that you have configured in the software update point properties. At least one language must be selected before proceeding to the next page. When you select only languages that are not supported by a
1691

software update, the download will fail for the software update. 16. On the Summary page, review the settings. To save the settings to a deployment template, click Save As Template, enter a name and select the settings that you want to include in the template, and then click Save. To change a configured setting, click the associated wizard page and change the setting. Warning The template name can consist of alphanumeric ASCII characters as well as \ (backslash) or (single quotation mark). 17. Click Next to create the automatic deployment rule. After you have completed the wizard, the automatic deployment rule will run. It will add the software updates that meet the specified criteria to a software update group, download the software updates to the content library on the site server, distribute the software updates to the configured distribution points, and then deploy the software update group to clients in the target collection. For more information about the deployment process, see the Software Update Deployment Process section in the Introduction to Software Updates in Configuration Manager topic.

Monitor software updates

To help you to monitor software updates objects, processes, and compliance information, the Configuration Manager console provides the following: Alerts for Software updates Software update synchronization status Software update deployment status Software update reports Content distribution status for software update files

Alerts for Software Updates

You can configure alerts for software updates to notify administrative users when compliance levels for software update deployments are below the configured percentage. You can configure alerts for software update deployments in the following locations: Automatic deployment rule setting: You can configure the alerts settings in the Automatic Deployment Rule Wizard and in the properties for the automatic deployment rule. Deployment setting: You can configure the alerts settings in the Deploy Software Updates Wizard and in deployment properties.

After you configure the alert settings, if the specified conditions occur, Configuration Manager generates an alert. You can review software update alerts at the following locations: 1. Review recent alerts in the Software Updates node in the Software Library workspace. 2. Manage the configured alerts in the Alerts node in the Monitoring workspace.

1692

Software Updates Synchronization Status

After you initiate the synchronization process, you can monitor the synchronization process from the Configuration Manager console for all software update points in your hierarchy. Use the following procedure to monitor the software update synchronization process. To monitor the software updates synchronization process 1. In the Configuration Manager console, click Monitoring. 2. In the Monitoring workspace, click Software Update Point Synchronization Status. The software update points in your Configuration Manager hierarchy are displayed in the results pane. From this view, you can monitor the synchronization status for all software update points. To see more detailed information about the synchronization process, you can review the wsyncmgr.log file, which is located in < ConfigMgrInstallationPath>\Logs on each site server.

Software Update Deployment Status

After you deploy the software updates in a software update group or deploy an individual software update, you can monitor the deployment status. Use the following procedure to monitor the deployment status for a software update group or software update. To monitor deployment status 1. In the Configuration Manager console, click Monitoring. 2. In the Monitoring workspace, click Deployments. 3. Click the software update group or software update for which you want to monitor the deployment status. 4. On the Home tab, in the Deployment group, click View Status.

Software Updates Reports

The state messages for software updates provide information about the compliance of software updates and about the evaluation and enforcement state of software update deployments. You can run software update reports to display these state messages. There are more than 30 predefined software update reports available. They are organized in several categories and can be used to report on specific information about software updates and deployments. In addition to using the preconfigured reports, you can also create custom software update reports according to the needs of your enterprise. For more information, see Operations and Maintenance for Reporting in Configuration Manager.

Monitoring Content
You can monitor content in the Configuration Manager console to review the status for all package types in relation to the associated distribution points. This can include the content
1693

validation status for the content in the package, the status of content assigned to a specific distribution point group, the state of content assigned to a distribution point, and the status of optional features for each distribution point (content validation, PXE, and multicast).

Content Status Monitoring

The Content Status node in the Monitoring workspace provides information about content packages. You can review general information about the package, distribution status for the package, and detailed status information about the package. Use the following procedure to view content status. To monitor content status 1. In the Configuration Manager console, click Monitoring. 2. In the Monitoring workspace, expand Distribution Status, and then click Content Status. The packages are displayed. 3. Select the package for which to view detailed status information. 4. On the Home tab, click View Status. Detailed status information for the package is displayed.

Distribution Point Group Status

The Distribution Point Group Status node in the Monitoring workspace provides information about distribution point groups. You can review general information about the distribution point group, such as distribution point group status and compliance rate, as well as detailed status information for the distribution point group. Use the following procedure to view distribution point group status. To monitor distribution point group status 1. In the Configuration Manager console, click Monitoring. 2. In the monitoring workspace, expand Distribution Status, and then click Distribution Point Group Status. The distribution point groups are displayed. 3. Select the distribution point group for which to view detailed status information. 4. On the Home tab, click View Status. Detailed status information for the distribution point group is displayed.

Distribution Point Configuration Status

The Distribution Point Configuration Status node in the Monitoring workspace provides information about the distribution point. You can review which attributes are enabled for the distribution point, such as the PXE, Multicast, and content validation. You can also view detailed status information for the distribution point. Use the following procedure to view distribution point configuration status.

1694

To monitor distribution point configuration status 1. In the Configuration Manager console, click Monitoring. 2. In the monitoring workspace, expand Distribution Status, and then click Distribution Point Configuration Status. The distribution points are displayed. 3. Select the distribution point for which to view distribution point status information. 4. In the results pane, click the Details tab. Status information for the distribution point is displayed.

See Also
Software Updates in Configuration Manager

Security and Privacy for Software Updates in Configuration Manager

Note This topic appears in the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide and in the Security and Privacy for System Center 2012 Configuration Manager guide. This topic contains security and privacy information for software updates in System Center 2012 Configuration Manager.

Security Best Practices for Software Updates

Use the following security best practices when you deploy software updates to clients:
Security best practice More information

Do not change the default permissions on software update packages.

By default, software update packages are set to allow administrators Full Control and users to have Read access. If you change these permissions, it might allow an attacker to add, remove, or delete software updates. The computer accounts for the SMS Provider, the site server, and the administrative user who will actually download the software updates to the download location require Write access to the download location. Restrict access to the download location to reduce the risk of
1695

Control access to the download location for software updates.

Security best practice

More information

attackers tampering with the software updates source files in the download location. In addition, if you use a UNC share for the download location, secure the network channel by using IPsec or SMB signing to prevent tampering of the software updates source files when they are transferred over the network. Use UTC for evaluating deployment times. If you use local time instead of UTC, users could potentially delay installation of software updates by changing the time zone on their computers Identify and follow the security best practices for the version of WSUS that you use with Configuration Manager. Important If you configure the software update point to enable SSL communications for the WSUS server, you must configure virtual roots for SSL on the WSUS server. Enable CRL checking. By default, Configuration Manager does not check the certificate revocation list (CRL) to verify the signature on software updates before they are deployed to computers. Checking the CRL each time a certificate is used offers more security against using a certificate that has been revoked, but it introduces a connection delay and incurs additional processing on the computer performing the CRL check. For more information about how to enable CRL checking for software updates, see How to Enable CRL Checking for Software Updates. Configure WSUS to use a custom website. When you install WSUS on the software update point, you have the option to use the existing IIS Default Web site or to create a custom WSUS website. Create a custom website for WSUS so that IIS hosts the WSUS services in a dedicated virtual website instead of sharing the same web site that is used by the other
1696

Enable SSL on WSUS and follow the best practices for securing Windows Server Update Services (WSUS).

Security best practice

More information

Configuration Manager site systems or other applications. For more information, see the Configuring WSUS to Use a Custom Web Site section in the Planning for Software Updates in Configuration Manager topic. Network Access Protection (NAP): Do not rely on NAP to secure a network from malicious users. Network Access Protection is designed to help administrators maintain the health of the computers on the network, which in turn helps maintain the networks overall integrity. For example, if a computer has all the software updates required by the Configuration Manager NAP policy, the computer is considered compliant, and it will be granted the appropriate access to the network. Network Access Protection does not prevent an authorized user with a compliant computer from uploading a malicious program to the network or disabling the NAP agent. Use DHCP NAP in a secured, testing environment or for monitoring purposes only. When you use DHCP NAP, attackers can modify the statement of health packets between the client and the NAP health policy server, and users can circumvent the NAP process. Misconfigured NAP policy could result in clients accessing the network when they should be restricted or valid clients being erroneously restricted. The more complicated your NAP policy design, the higher the risk of misconfiguration. Configure the Configuration Manager NAP client agent and Configuration Manager System Health Validator points to use the same settings throughout the hierarchy, or through additional hierarchies in the organization if clients might roam between them. Important If a Configuration Manager client with
1697

Network Access Protection (NAP): Do not use DHCP NAP enforcement in a production environment.

Network Access Protection (NAP): Use consistent NAP policies throughout the hierarchy to minimize confusion.

Security best practice

More information

the Network Access Protection client agent enabled roams into a different Configuration Manager hierarchy and has its client statement of health validated by a System Health Validator point from outside its hierarchy, the validation process will fail the site check. This will result in a client health state of unknown, which by default is configured on the NAP health policy server as non-compliant. If the NAP health policy server has network policies configured for limited network access, these clients cannot be remediated and risk being unable to access the full network. An exemption policy on the NAP health policy server could give Configuration Manager clients that roam outside their Configuration Manager hierarchy unrestricted network access. Network Access Protection (NAP): Do not enable Network Access Protection as a client setting immediately on new Configuration Manager sites. Although the site servers publish the Configuration Manager health state reference to a domain controller when Configuration Manager NAP policies are modified, this new data might not be immediately available for retrieval by the System Health Validator point until Active Directory replication has completed. If you enable Network Access Protection on Configuration Manager clients before replication has completed, and if your NAP health policy server will give noncompliant clients limited network access, you can potentially cause a denial of service attack against yourself. When you designate an Active Directory forest to store the health state reference, specify two different accounts because they require different sets of permissions: The Health State Reference Publishing Account requires Read, Write, and Create
1698

Network Access Protection (NAP): If you store the health state reference in a designated forest, specify two different accounts for publishing and retrieving the health state reference.

Security best practice

More information

permissions to the Active Directory forest that stores the health state reference. The Health State Reference Querying Account requires only Read permission to the Active Directory forest that stores the health state reference. Do not grant this account interactive logon rights.

Network Access Protection (NAP): Do not rely on Network Access Protection as an instantaneous or real-time enforcement mechanism.

There are inherent delays in the NAP enforcement mechanism. While NAP helps keep computers compliant over the long run, typical enforcement delays may be on the order of several hours or more due to a variety of factors, including the settings of various configuration parameters.

Privacy Information for Software Updates

Software updates scans your client computers to determine which software updates you require, and then sends that information back to the site database. During the software updates process, Configuration Manager might transmit information between clients and servers that identify the computer and logon accounts. Configuration Manager maintains state information about the software deployment process. State information is not encrypted during transmission or storage. State information is stored in the Configuration Manager database and it is deleted by the database maintenance tasks. No state information is sent to Microsoft. The use of Configuration Manager software updates to install software updates on client computers might be subject to software license terms for those updates, which is separate from the Software License Terms for Microsoft System Center 2012 Configuration Manager. Always review and agree to the Software Licensing Terms prior to installing the software updates by using Configuration Manager. Configuration Manager does not implement software updates by default and requires several configuration steps before information is collected. Before you configure software updates, consider your privacy requirements.

See Also
Software Updates in Configuration Manager

1699

Technical Reference for Software Updates in Configuration Manager

Technical Reference Topics
Technical Reference for the Icons Used for Software Updates Example Scenario for Using Configuration Manager to Deploy and Monitor the Security Software Updates Released Monthly by Microsoft

Other Resources for this Product

TechNet Library main page for System Center 2012 Configuration Manager Software Updates in Configuration Manager

Technical Reference for the Icons Used for Software Updates

Synchronized software updates are displayed in the Configuration Manager console, and the first column for each software update contains an icon that indicates a specific state. Software update groups are also represented with an icon that provides information about the state of the software updates contained in the group. This section provides information about the software update icons and what each icon represents.

Icons for Software Updates

Synchronized software updates are represented by one of the following icons.

Normal Icon
The icon with the green arrow represents a normal software update. Description: Normal software updates have been synchronized and are available for software deployment. Operational Concerns: There are no operational concerns.

1700

Expired Icon
The icon with the black X represents an expired software update. You can also identify expired software updates by viewing the Expired column for the software update when it displays in the Configuration Manager console. Description: Expired software updates were previously deployable to client computers, but once a software update is expired, new deployments can no longer be created for the software updates. Expired software updates contained in active deployments continue to be available to clients. Operational Concerns: Replace expired software updates when possible. When software updates become expired, Configuration Manager does not remove the software updates contained within active software update deployments. Configuration Manager continues to assess software update compliance on expired software updates in deployments, but they are considered not required for reporting purposes.

Superseded Icon
The icon with the yellow star represents a superseded software update. You can also identify superseded software updates by viewing the Superseded column for the software update when it displays in the Configuration Manager console. Description: Superseded software updates have been replaced with newer versions of the software update. Typically, a software update that supersedes another software update does one or more of the following: Enhances, improves, or adds to the fix provided by one or more previously released software updates. Improves the efficiency of its software update file package, which clients install if the software update is approved for installation. For example, the superseded software update might contain files that are no longer relevant to the fix or to the operating systems now supported by the new software update, so those files are not included in the superseding software update's file package. Updates newer versions of a product, or in other words, is no longer applicable to older versions or configurations of a product. Software updates can also supersede other software updates if modifications have been made to expand language support. For example, a later revision of a product update for Microsoft Office might remove support for an older operating system, but add additional support for new languages in the initial software update release.

On the Supersedence Rules tab in the Software Update Point Component properties, you can specify how to manage superseded software updates. For more information, see the Supersedence Rules section in the Planning for Software Updates in Configuration Manager topic. Operational Concerns:
1701

When possible, deploy the superseding software update to client computers instead of the superseded software update. You can display a list of the software updates that supersede the software update on the Supersedence Information tab in the software update properties.

Invalid Icon
The icon with the red X represents an invalid software update. Description: Invalid software updates are in an active deployment, but for some reason the content (software update files) is not available. The following are scenarios in which this state can occur: You successfully deploy the software update, but the software update file is removed from the deployment package and is no longer available. You create a software update deployment at a site and the deployment object is successfully replicated to a child site, but the deployment package has not successfully replicated to the child site.

Operational Concerns: When the content is missing for a software update, clients are unable to install the software update until the content becomes available on a distribution point. You can redistribute the content to distribution points by using the Redistribute action. When content is missing for a software update in a deployment created at a parent site, the software update must be replicated or redistributed to the child site. For more information about content redistribution, see the Redistribute Content on Distribution Points section in the Operations and Maintenance for Content Management in Configuration Manager topic.

Metadata-Only Icon
The icon with the blue arrow represents a metadata-only software update. Description: Metadata-only software updates are available in the Configuration Manager console for reporting. You cannot deploy or download metadata-only software updates because a software update file is not associated with the software updates metadata. Operational Concerns: Metadata-only software updates are available for reporting purposes and are not intended for software update deployment.

Icons for Software Update Groups

Software update groups are represented by one of the following icons.

Normal Icon
The icon with the green arrow represents a software update group that contains only normal software updates.
1702

Operational Concerns: There are no operational concerns.

Expired Icon
The icon with the black X represents a software update group that contains one or more expired software updates. Operational Concerns: Remove or replace expired software updates in the software update group when possible.

Superseded Icon
The icon with the yellow star represents a software update group that contains one or more superseded software updates. Operational Concerns: Replace the superseded software update in the software update group with the superseding software update when possible.

Invalid Icon
The icon with the red X represents a software update group that contains one or more invalid software updates. Operational Concerns: When the content is missing for a software update, clients are unable to install the software update until the content becomes available on a distribution point. You can redistribute the content to distribution points by using the Redistribute action. When content is missing for a software update in a deployment created at a parent site, the software update needs to replicated or redistributed to the child site. For more information about content redistribution, see the Redistribute Content on Distribution Points section in the Operations and Maintenance for Content Management in Configuration Manager topic.

See Also
Technical Reference for Software Updates in Configuration Manager

1703

Example Scenario for Using Configuration Manager to Deploy and Monitor the Security Software Updates Released Monthly by Microsoft
Note This topic appears in the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide and in the Scenarios and Solutions Using System Center 2012 Configuration Manager guide. This topic provides an example scenario of how you can use software updates in Microsoft System Center 2012 Configuration Manager to deploy and monitor the security software updates that Microsoft releases monthly. In this scenario, John is the Configuration Manager administrator at Woodgrove Bank. John needs to create a software update deployment strategy with the following conditions and requirements: Active software update deployment occurs one week after Microsoft releases the security software updates on the second Tuesday of each month. This event is typically referred to as Patch Tuesday. Software updates are downloaded and staged on distribution points. Then a deployment is tested to a subset of clients before John fully deploys the software updates in his production environment. John must be able to monitor the software updates' compliance by month or by year.

This scenario assumes that the software update point infrastructure has already been implemented. Use the information in the following table to plan for and configure software updates in System Center 2012 Configuration Manager.
Process Reference

Review the key concepts for software updates.

Introduction to Software Updates in Configuration Manager Planning for Software Updates in Configuration Manager

Plan for software updates. This information helps you to plan for capacity considerations, determine the software update point infrastructure, software update point installation, synchronization settings, and client settings for software updates. Configure software updates. This information helps you to install and configure software update points in your hierarchy and helps to

Configuring Software Updates in Configuration Manager

1704

Process

Reference

configure and synchronize software updates. Important John configures the software updates synchronization schedule to occur on the second Wednesday of each month to ensure that he retrieves the latest security software updates from Microsoft.

The following sections in this topic provide example procedural steps to help you to deploy and monitor System Center 2012 Configuration Manager security software updates in your organization: Step 1: Create a Software Update Group for Yearly Compliance Step 2: Create an Automatic Deployment Rule for the Current Month Step 3: Verify That Software Updates Are Ready to Deploy Step 4: Deploy the Software Update Group Step 5: Monitor Compliance for Deployed Software Updates Step 6: Add Monthly Software Updates to the Yearly Update Group

Step 1: Create a Software Update Group for Yearly Compliance

John creates a software update group that he can use to monitor compliance for all of the security software updates that he releases in 2012. He performs the steps in the following table.
Process Reference

From the All Software Updates node in the Configuration Manager console, John adds criteria to display only security software updates that are released or revised in year 2012 that meet the following criteria: Criteria: Date Released or Revised Condition: is greater than or equal to specific date Value: 1/1/2012 Criteria: Update Classification

No additional information

1705

Process

Reference

Value: Security Updates Criteria: Expired Value: No John adds all of the filtered software updates to a new software update group with the following requirements: Name: Compliance Group - Microsoft Security Updates 2012 Description: Software updates For the steps to add software updates to an update group, see the Add Software Updates to an Update Group section in the Operations and Maintenance for Software Updates in Configuration Manager topic.

Step 2: Create an Automatic Deployment Rule for the Current Month

John creates an automatic deployment rule for the security software updates that are released by Microsoft for the current month. He performs the steps in the following table.
Process Reference

John creates an automatic deployment rule with For more information about creating an the following requirements: automatic deployment rule, see the Automatically Deploy Software Updates section 1. On the General tab, John configures the in the Operations and Maintenance for following: Software Updates in Configuration Manager He specifies Monthly Security topic. Updates for the name. He selects a test collection with limited clients. He selects Create a new Software Update Group. He verifies that Enable the deployment after this rule is run is not selected.

2. On the Deployment Settings tab, John selects the default settings. 3. On the Software Updates page, John configures the following property filters and search criteria: Date Released or Revised Last 1 month. Update Classification Security
1706

Process

Reference

Updates. 4. On the Evaluation page, John enables the rule to run on a schedule for the second Thursday of every month. John also verifies that his synchronization schedule is set to run on the second Wednesday of every month. 5. John uses the default settings on the Deployment Schedule, User Experience, Alerts, and Download Settings pages. 6. On the Deployment Package page, John specifies a new deployment package. 7. John uses the default settings on the Download Location and Language Selection pages.

Step 3: Verify That Software Updates Are Ready to Deploy

On the second Thursday of every month, John verifies that the software updates are ready to deploy. He performs the step in the following table.
Process Reference

John verifies that software updates synchronization completed successfully.

For more information about creating an automatic deployment rule, see the Automatically Deploy Software Updates section in the Operations and Maintenance for Software Updates in Configuration Manager topic.

Step 4: Deploy the Software Update Group

After John verifies that the software updates are ready to deploy, he deploys the software updates. He performs the steps in the following table.
Process Reference

John creates two test deployments for the new

For more information about how to deploy

1707

Process

Reference

software update group. He considers the following environments for each deployment: Workstation test deployment: John considers the following for the workstation test deployment: He specifies a deployment collection that contains a subset of workstation clients to verify the deployment. He configures the deployment settings that are appropriate for the workstation clients in his environment.

software updates, see the Deploy Software Updates section in the Operations and Maintenance for Software Updates in Configuration Manager topic.

Server test deployment: John considers the following for the server test deployment: He specifies a deployment collection that contains a subset of server clients to verify the deployment. He configures the deployment settings that are appropriate for the server clients in his environment. For more information about how to monitor a software update deployment, see the Monitor Software Updates section in the Operations and Maintenance for Software Updates in Configuration Manager topic. No additional information

John verifies that the test deployments have successfully deployed.

John updates the two deployments with new collections that include his production workstations and servers.

Step 5: Monitor Compliance for Deployed Software Updates

John monitors compliance of his software update deployments. He performs the step in the following table.
Process Reference

John monitors the software updates deployment status in the Configuration

For the steps to monitor a software update deployment, see the Monitor Software Updates
1708

Process

Reference

Manager console and checks the software update deployment reports available from the console.

section in the Operations and Maintenance for Software Updates in Configuration Manager topic.

Step 6: Add Monthly Software Updates to the Yearly Update Group

John adds the software updates from the monthly software update group to the yearly software update group. He performs the step in the following table.
Process Reference

John selects the software updates from the monthly software update group and adds the software updates to the software updates group that he created for yearly compliance. He tracks the software update compliance and creates various reports for his management.

For the steps to add software updates to an update group, see the Add Software Updates to an Update Group section in the Operations and Maintenance for Software Updates in Configuration Manager topic.

John has successfully completed his monthly deployment for security software updates. He continues to monitor and report on software update compliance to ensure that the clients in his environment are within acceptable compliance levels.

Recurring Monthly Process to Deploy Software Updates

After the first month that John deploys software updates, he performs steps three through six to deploy the monthly security software updates released by Microsoft.

See Also
Technical Reference for Software Updates in Configuration Manager

Operating System Deployment in Configuration Manager

Operating system deployment provides Microsoft System Center 2012 Configuration Manager administrative users with a tool for creating operating system images that they can deploy to
1709

computers that are managed by Configuration Manager and to unmanaged computers by using bootable media such as a CD set, DVD, or USB flash drives. The operating system image, in a Windows Imaging Format (WIM) format file, contains the required version of a Windows operating system and any line-of-business applications that have to be installed on the computer.

Operating system deployment provides the following functionality: You can capture an image of the operating system that you want to deploy. You can capture and restore user state by using the User State Migration Tool (USMT). You can deploy the operating system image to a collection of computers. You can create task sequences that perform multiple actions on a computer at the commandline level that do not require user intervention.

Operating System Deployment Topics

The following topics provide information to help you deploy operating systems in System Center 2012 Configuration Manager: Introduction to Operating System Deployment in Configuration Manager Planning How to Deploy Operating Systems in Configuration Manager Configuring Configuration Manager for Operating System Deployments Operations and Maintenance for Deploying Operating Systems in Configuration Manager Security and Privacy for Deploying Operating Systems in Configuration Manager Technical Reference for Deploying Operating Systems in Configuration Manager

Other Resources for this Product

TechNet Library main page for System Center 2012 Configuration Manager Deploying Software and Operating Systems in System Center 2012 Configuration Manager

Introduction to Operating System Deployment in Configuration Manager

The following sections explain some of the concepts that are used to deploy operating systems in your System Center 2012 Configuration Manager environment: The Operating System Deployment Process Methods Used to Deploy Operating Systems Capturing and Deploying an Operating System Image Installing Device Drivers on Destination Computers
1710

Media Used to Deploy Operating Systems Managing User State Unknown Computer Deployments Supporting User Device Affinity Deploying Operating Systems to NAP-enabled Environments Whats New in Configuration Manager Whats New in Configuration Manager SP1

For an example scenario that shows how you might deploy an operating system, see Example Scenario for PXE-Initiated Operating System Deployment by Using Configuration Manager.

The Operating System Deployment Process

Configuration Manager provides several methods that you can use to deploy an operating system. Regardless of the deployment method that you use, there are several actions that you must take. These actions include the following: Identify any Windows device drivers that are required to run the boot image or the operating system image that you have to deploy. Identify the boot image that you want to use to start the destination computer. Configuration Manager provides two default boot images. Capture an image of the operating system that you want to deploy by using a task sequence. Distribute the boot image, operating system image, and any related content to a distribution point. Create a task sequence that deploys the boot image and the operating system image. Deploy the task sequence to the collection that contains the destination computer. If there are multiple computers in the collection, the task sequence is deployed to each computer in the collection.

Methods Used to Deploy Operating Systems

There are several methods that you can use to deploy operating systems to Configuration Manager client computers. PXE initiated deployments: PXE-initiated deployments let client computers request a deployment over the network. In this method of deployment, the operating system image and a Windows PE boot image are sent to a distribution point that is configured to accept PXE boot requests. For more information about PXE-initiated deployments, see Planning for PXEInitiated Operating System Deployments in Configuration Manager. Multicast deployments: Multicast deployments conserve network bandwidth by concurrently sending data to multiple clients instead of sending a copy of the data to each client over a separate connection. In this method of deployment, the operating system image is sent to a distribution point. This in turn deploys the image when client computers request the deployment. For more information about deploying operating systems to multiple clients, see Planning a Multicast Strategy in Configuration Manager.
1711

Bootable Media Deployments: Bootable media deployments let you deploy the operating system when the destination computer starts. When the destination computer starts, it retrieves the task sequence, the operating system image, and any other required content from the network. Because that content is not included on the media, you can update the content without having to re-create the media. For more information about bootable media, see the Operating System Deployments by Using Bootable Media section of the Planning for Media Operating System Deployments in Configuration Manager topic.

Stand-alone Media Deployments: Stand-alone media deployments let you deploy operating systems in the following conditions: In environments where it is not practical to copy an operating system image or other large packages over the network. In environments without network connectivity or low bandwidth network connectivity.

For more information about stand-alone media, see the Operating System Deployments by Using Stand-Alone Media section of the Planning for Media Operating System Deployments in Configuration Manager topic. Pre-staged Media deployments: Pre-staged media deployments let you deploy an operating system to a computer that is not fully provisioned. The pre-staged media is a Windows Imaging Format (WIM) file that can be installed on a bare-metal computer by the manufacturer or at an enterprise staging center that is not connected to the Configuration Manager environment. Later, when the computer starts in the System Center 2012 Configuration Manager environment, the computer starts by using the boot image provided by the media, and then connects to the site management point for available task sequences that complete the download process. This method of deployment can reduce network traffic because the boot image and operating system image are already on the destination computer. Starting at Configuration Manager SP1, you can specify applications, packages, and driver packages to include in the pre-staged media. For more information about pre-staged media, see the Operating System Deployments by Using Prestaged Media section of the Planning for Media Operating System Deployments in Configuration Manager topic. Note For information about the advantages and disadvantages of each method, see Determine the Operating System Deployment Method to Use in Configuration Manager.

Capturing and Deploying an Operating System Image

There are three basic actions that you have to take when you want to use Configuration Manager to deploy an operating system image to a collection of one or more destination computers: 1. Build and capture an image and distribute it to distribution points.
1712

2. Create and configure the task sequence that installs the operating system image. 3. Deploy the task sequence.

Create the Image and Distribute it to Distribution Points

Operating system images are WIM files and represent a compressed collection of reference files and folders that are required to successfully install and configure an operating system on a computer. The operating system image is built and captured from a reference computer that you configure with all the required operating system files, support files, software updates, tools, and other software applications. You can build the reference computer manually or use a task sequence to automate some or all of the build steps. Similar to other Configuration Manager content, the operating system image is distributed to the distribution point as a package. When the package arrives at the distribution point, the content of the package is stored on the distribution point. For more information about operating system images, see Planning for Deploying Operating System Images in Configuration Manager.

Create and Configure the Appropriate Deployment Task Sequence

After you have created the reference computer and captured an operating system image from that computer, you can use a task sequence to configure how to deploy that image to a destination computer. For information about how you can use task sequences, see Planning a Task Sequences Strategy in Configuration Manager.

Deploy the Task Sequence

After you create your task sequences, you can deploy the task sequence to the collections that contain the destination computers. For information about how to deploy a task sequence, see the How to Deploy a Task Sequence section of the How to Manage Task Sequences in Configuration Manager topic. Tip You can use System Center 2012 Configuration Manager Upgrade Assessment Tool to determine whether the operating system on computers that are managed by Configuration Manager can run Windows 7 or Windows 8. Download the Upgrade Assessment Tool from the Microsoft Download Center site. For more information, see Configuration Manager Upgrade Assessment Tool.

1713

Installing Device Drivers on Destination Computers

You can install device drivers on destination computers without including them in the operating system image that is being deployed. Configuration Manager provides a driver catalog that contains references to all the device drivers that you import into Configuration Manager. The driver catalog is located in the Software Library workspace and consists of two nodes: Drivers and Driver Packages. The Drivers node lists all the drivers that you have imported into the driver catalog. You can use this node to discover the details about each imported driver, to change what driver package or boot image a driver belongs to, to enable or disable a driver, and more. The Driver Packages node lists all the driver packages that you create. You can create these packages when you import drivers into the driver catalog, or you can create them directly in the Driver Packages node. For more information about how to use the driver catalog when you deploy operating systems, see Planning a Device Driver Strategy in Configuration Manager. For information about how to manage the driver catalog, see How to Manage the Driver Catalog in Configuration Manager.

Installing Additional Packages with the Operating System

When you deploy an operating system, you can also install applications, deployment tools, packages, and software update on the destination computer. The following task sequence steps are used to install these packages: Install Application Install Deployment Tools Install Package Install Software Updates

For more information about how to add steps to task sequences, see the How to Edit a Task Sequence section in the How to Manage Task Sequences in Configuration Manager topic.

Media Used to Deploy Operating Systems

You can create several kinds of media that can be used to deploy operating systems. This includes capture media that is used to capture operating system images and stand-alone, prestaged, and bootable media that is used to deploy an operating system. By using media, you can deploy operating systems on computers that do not have a network connection or that have a low bandwidth connection to your Configuration Manager site. For more information about how to use media, see Planning for Media Operating System Deployments in Configuration Manager.

1714

Managing User State

When you deploy operating systems, you can save the user state from the destination computer, deploy the operating system, and then restore the user state after the operating systems is deployed. This process is typically used when you upgrade the operating system on a Configuration Manager client computer. The user state information is captured and restored by using task sequences. When the user state information is captured, the information can be stored in one of the following ways: You can store the user state data remotely by configuring a state migration point. The Capture task sequence sends the data to the state migration point. Then, after the operating system is deployed, the Restore task sequence retrieves the data and restores the user state on the destination computer. You can store the user state data locally to a specific location. In this scenario, the Capture task sequence copies the user data to a specific location on the destination computer. Then, after the operating system is deployed, the Restore task sequence retrieves the user data from that location. You can specify hard links that can be used to restore the user data to its original location. In this scenario, the user state data remains on the drive when the old operating system is removed. Then, after the operating system is deployed, the Restore task sequence uses the hard links to restore the user state data to its original location.

For more information about capturing and restoring user state, see How to Manage the User State in Configuration Manager.

Unknown Computer Deployments

You can deploy an operating system to computers that are not managed by Configuration Manager. There is no record of these computers in the Configuration Manager database. These computers are referred to as unknown computers. Unknown computers include the following: A computer where the Configuration Manager client is not installed A computer that is not imported into Configuration Manager A computer that is not discovered by Configuration Manager

For more information about how to configure Configuration Manager for unknown computer deployments, see How to Manage Unknown Computer Deployments in Configuration Manager.

Supporting User Device Affinity

When you deploy an operating system, you can associate users with the destination computer to support user device affinity actions. When you associate a user with the destination computer, the administrative user can later perform actions on whichever computer is associated with that user, such as deploying an application to the computer of a specific user. However, when you deploy an operating system, you cannot deploy the operating system to the computer of a specific user.
1715

For more information about how to associate the destination computer to users, see How to Associate Users with a Destination Computer. For more information about how to manage user device affinity, see How to Manage User Device Affinity in Configuration Manager.

Deploying Operating Systems to NAP-enabled Environments

You can deploy operating systems in environments that use Network Access Protection (NAP). NAP provides a mechanism to manage the compliance of software updates on Configuration Manager clients. When you deploy operating systems to the destination computers, you must make sure that the NAP enforcement mechanism and the Windows Network Access Protection Service are enabled and interact correctly with the Configuration Manager client on the destination computer. For more information about how to deploy operating systems to NAP-enabled environments, see Planning for Operating System Deployments in a NAP-Enabled Environment.

Whats New in Configuration Manager

Note The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide. The following items are new or have changed since Configuration Manager 2007: You can apply Windows Updates by using Component-Based Servicing to update the WIM files that are stored in the Image node of the Software Library workspace. The Task Sequence Media Wizard includes steps to add prestart command files (formerly pre-execution hooks) to pre-staged media, bootable media, and stand-alone media. For more information about how to deploy operating systems, including using prestart commands when you create media, see one of the following sections in the How to Deploy Operating Systems by Using Media in Configuration Manager topic: How to Create Prestaged Media How to Create Bootable Media How to Create Stand-alone Media

When you create media that deploys an operating system, you can configure the Task Sequence Media Wizard to suppress the Task Sequence wizard during operating system installation. This configuration enables you to deploy operating systems without end-user intervention. For more information about how to create media by using the Task Sequence Media Wizard, see How to Deploy Operating Systems by Using Media in Configuration Manager.

You can define a deployment in a prestart command that overrides existing deployments to the destination computer. Use the SMSTSPreferredAdvertID task sequence variable to
1716

configure the task sequence to use the specific Offer ID that defines the conditions for the deployment. You can use the same task sequence media to deploy operating systems to computers anywhere in the hierarchy. For more information about how to create media by using the Task Sequence Media Wizard, see How to Deploy Operating Systems by Using Media in Configuration Manager. The Capture User State task sequence action and the Restore User State task sequence steps support new features from the User State Migration Tool (USMT) version 4. For more information about capturing and restoring the user state, see How to Manage the User State in Configuration Manager. You can use the Install Application task sequence step to deploy applications when you deploy an operating system. For more information about task sequences, see Planning a Task Sequences Strategy in Configuration Manager. You can associate a user with the computer where the operating system is deployed to support user device affinity actions. For more information about creating an association between users and the destination computer, see How to Associate Users with a Destination Computer. For more information about how to manage user device affinity, see How to Manage User Device Affinity in Configuration Manager. The functionality of the PXE service point and its configuration is moved to the distribution point to increase scalability. For more information about creating a distribution point that accepts PXE requests, see the Creating Distribution Points that Accept PXE Requests section of the How to Deploy Operating Systems by Using PXE in Configuration Manager topic. CMTrace, the Configuration Manager log viewer tool, is added to all boot images that are added to the Software Library. For more information about boot images, see Planning for Boot Image Deployments in Configuration Manager.

Whats New in Configuration Manager SP1

The following items are new or have changed for operating system deployment in Configuration Manager SP1: Changes to Configuration Manager Setup: Configuration Manager SP1 uses the Windows Assessment and Deployment Kit (Windows ADK) instead of Windows Automated Installation Kit (Windows AIK) to deploy an operating system. Before you run Setup, you must download and install Windows ADK on the site server and the provider computer. The USMT for Windows 8 is installed as part of the Windows ADK. At the top-level site, Setup automatically creates the package for this new version of USMT at the site.
1717

Setup automatically updates default boot images at the site. You must manually update any custom boot images. The default task sequences were changed to optimize the deployment of operating systems starting with Windows 7. Support for computers that are in Unified Extensible Firmware Interface (UEFI) mode. The task sequence sets the SMSTSBootUEFI built-in task sequence variable when it detects a computer that is in UEFI mode. The default task sequence automatically partitions the computer based on whether it was booted in UEFI mode or BIOS mode (conditioned based on the value of the _SMSTSBootUEFI variable). The build and capture task sequence was updated to apply an operating system image instead of running Setup.exe for installation. You can still run Setup.exe for Windows 8 deployments by editing the task sequence in the task sequence editor. Support for operating system deployments to devices with limited available disk space, such as embedded devices. You can configure the Apply Operating System Image step to install the image directly from a distribution point even if the task sequence deployment is configured to download content to the task sequence cache first. You can control the behavior of write filters on Windows Embedded devices when you deploy task sequences. Note For information about task sequences, see Planning a Task Sequences Strategy in Configuration Manager.

Changes to task sequence:

Changes to how you create pre-staged media: You can specify applications, packages, and driver packages to deploy with the operating system. When you deploy the task sequence by using pre-staged media, the wizard checks the local task sequence cache for valid content first, and if the content cannot be found or has been revised, the content is downloaded from the distribution point. Note For information about how to create pre-staged media, see the How to Create Prestaged Media section in the How to Deploy Operating Systems by Using Media in Configuration Manager topic.

Changes to BitLocker support: Use the Pre-provision BitLocker task sequence step to encrypt the disk drive from Windows PE and only encrypt the space that is used by data. The result is much faster encryption times. For more information, see the Pre-provision BitLocker section in the Task Sequence Steps in Configuration Manager topic. TPM and PIN is now available as one of the key management options for the current operating system drive in the Enable BitLocker task sequence step. For more information, see the Enable BitLocker section in the Task Sequence Steps in Configuration Manager topic.
1718

You can configure the Windows PE scratch space in the boot image properties. For more information, see the How to Modify a Boot Image section in the How to Manage Boot Images in Configuration Manager topic. Added language neutral boot images: You can use the SMSTSLanguageFolder built-in variable to change the language for information displayed by Windows PE. Languages are auto-detected and used when boot images are started from Software Center. Note For information about boot image deployments, see Planning for Boot Image Deployments in Configuration Manager.

Added the following task sequence built-in variables: SMSTSPersistContent: Use this variable to temporarily persist content in the task sequence cache. SMSTSPostAction: Use this variable to run a command after the task sequence is completed. SMSTSLanguageFolder: Use this variable to change the display language of a language neutral boot image. OSDPreserveDriveLetter: This variable determines whether or not the task sequence uses the drive letter on the operating system image WIM file. In Configuration Manager with no service pack, the drive letter on the WIM file was used when it applied the operating system image WIM file. In Configuration Manager SP1, you can set the value for this variable to False to use the drive letter that you specify in the task sequence. SMSTSDownloadProgram: Use this variable to specify an Alternate Content Provider, a downloader program that is used to download content instead of the default Configuration Manager downloader, for the task sequence. As part of the content download process, the task sequence checks the variable for a specified downloader program. If specified, the task sequence runs the program to perform the download. SMSTSAssignmentsDownloadInterval: Use this variable to specify the number of seconds to wait before the client tries to download the task sequence policy since the last attempt that returned no policies. You can set this variable by using a prestart command from media or PXE. SMSTSAssignmentsDownloadRetry: Use this variable to specify the number of times a client will attempt to download the task sequence policy after no policies are found on the first attempt. You can set this variable by using a prestart command from media or PXE. _SMSTSBootUEFI: The task sequence sets the _SMSTSBootUEFI variable when it detects a computer that boots in UEFI mode. _SMSTSWTG: Specifies if the computer is running as a Windows To Go device. Note For more information about built-in task sequence variables, see the Task Sequence Built-in Variables in Configuration Manager topic.
1719

Changes to software update installation to offline operating system images: Ability to continue updating an image even when one or more software updates cannot be installed. Software updates are copied from the content library on the site server instead of the package source.

Ability to provision Windows To Go in Configuration Manager. Windows To Go is an operating system stored on a USB-connected external drive. You can provision the Windows To Go drive the same as you pre-stage media in Configuration Manager. For more information about how to provision Windows To Go, see How to Provision Windows To Go in Configuration Manager. Better monitoring and status for task sequence content and task sequence deployments. New deployment setting lets you deploy task sequences that are available only in Windows PE. You can manage Windows PE optional components from the Optional Components tab in the properties for boot images. You can export and import driver packages from the Driver Packages node in the Software Library workspace.

See Also
Operating System Deployment in Configuration Manager

Planning How to Deploy Operating Systems in Configuration Manager

This section provides the planning tasks that System Center 2012 Configuration Manager requires to deploy an operating system, including information about the prerequisites that are required to deploy an operating system and information about how to determine which deployment method to use.

Operating System Deployment Planning Topics

Use the following topics to help you plan how to deploy operating systems in Configuration Manager: Prerequisites For Deploying Operating Systems in Configuration Manager Supported Operating Systems and Hard Disk Configurations for Operating System Deployment Determine the Operating System Deployment Method to Use in Configuration Manager Planning Site System Roles for Operating System Deployments in Configuration Manager Planning for Deploying Operating System Images in Configuration Manager
1720

Planning for Capturing Operating System Images in Configuration Manager Planning for Boot Image Deployments in Configuration Manager Planning a Device Driver Strategy in Configuration Manager Planning for PXE-Initiated Operating System Deployments in Configuration Manager Planning a Multicast Strategy in Configuration Manager Planning for Media Operating System Deployments in Configuration Manager Planning a Task Sequences Strategy in Configuration Manager Planning for Operating System Deployments in a NAP-Enabled Environment Planning for Operating System Deployment Interoperability

Other Resources for This Product

TechNet Library main page for System Center 2012 Configuration Manager Operating System Deployment in Configuration Manager

Prerequisites For Deploying Operating Systems in Configuration Manager

Operating system deployment in System Center 2012 Configuration Manager has external dependencies and dependencies within the product.

Dependencies External to Configuration Manager

The following table provides information about external tools, installation kits, and operating systems that are required to deploy operating systems in Configuration Manager.
Dependency More information

User State Migration Tool (USMT)

To capture and restore the user state as part of your operating system deployment, you will need a USMT package that points to the USMT source files. Create this package in the Packages node under Application Management in the Software Library workspace. Note When you install Configuration Manager SP1 at the top-level site, Setup automatically creates the USMT 5.0 package.
1721

Dependency

More information

The required version of USMT is dependent on the operating system version that you deploy. The following table provides information about the required USMT versions.
Destination Operating System USMT version

Windows 8 Windows 7

USMT 5.0 USMT 5.0 USMT 4.0 USMT 3.0.1

Windows Vista SP2 Windows XP SP3

1

You can only deploy Windows 8 from a site server that is running Configuration Manager SP1. You can install the USMT versions at the following locations: USMT 5.0 is distributed in Windows Assessment and Deployment Kit (Windows ADK) to capture the user state from one operating system and then restore it on another operating system. For a description of different migration scenarios for USMT 5.0, see Common Migration Scenarios. USMT 4.0 is distributed in Windows Automated Installation Kit (Windows AIK), to capture the user state from one operating system and then restore it to another operating system. For a description of different migration scenarios for USMT 4.0, see Common Migration Scenarios. USMT 3.0.1 is available from the Microsoft Download Center.

For more information about capturing and restoring user state, see How to Manage the User State in Configuration Manager.

1722

Dependency

More information

Windows PE

Windows PE is a Windows operating system with limited services that is used during the preinstallation and deployment of Windows operating systems. For more information about the boot images that provide Windows PE, see Planning for Boot Image Deployments in Configuration Manager. For Configuration Manager SP1 only: Configuration Manager uses Windows PE 4, which is built on the Windows 8 operating system platform. Windows PE 4 is distributed as part of the Windows ADK for Windows 8. For Configuration Manager with no service pack only: Configuration Manager uses Windows PE 3, which is built on the Windows 7 operating system platform. Windows PE 3 is distributed as part of the Windows AIK for Windows 7.

For Configuration Manager SP1 only: Windows Assessment and Deployment Kit (Windows ADK) for Windows 8

Windows ADK is a set of tools and documentation that support the configuration and deployment of Windows operating systems. Starting in Configuration Manager SP1, Configuration Manager uses Windows ADK to automate Windows installations, capture Windows images, migrate user profiles and data, and so on. The following features of the Windows ADK must be installed on site server of the top-level site of the hierarchy, and on the site server of each primary site in the hierarchy: User State Migration Tool (USMT) Windows Deployment Tools Windows Preinstallation Environment (Windows PE) Note You must manually install the Windows ADK on each computer that will host a
1723

Dependency

More information

central administration site or primary site server before you install the Configuration Manager site. Before you can upgrade Configuration Manager with no service pack, you must first uninstall the Windows Automated Installation Kit (Windows AIK) before you can install the Windows ADK. For more information about Windows ADK, see Windows Deployment with the Windows ADK.. For Configuration Manager with no service pack only: Windows Automated Installation Kit (Windows AIK) for Windows 7 Windows AIK is a set of tools and documentation that support the configuration and deployment of Windows operating systems. Configuration Manager with no service pack, uses Windows AIK to automate Windows installations, capture Windows images, migrate user profiles and data, and so on. For more information about Windows AIK, see Windows Automated Installation Kit for Windows 7. Note When you use Configuration Manager without service pack to install a central administration site or primary site, Configuration Manager automatically installs the Windows AIK on the site server if Windows AIK is not already installed. Internet Information Services (IIS) on the site system servers to run the distribution point, state migration point, and management point For more information about this requirement, see the Prerequisites for Site System Roles section in the Supported Configurations for Configuration Manager topic.

Windows Deployment Services (WDS)

WDS is needed for PXE deployments and when you use multicast to optimize bandwidth in your deployments. For more information, see Windows Deployment Services (WDS) in this topic.

1724

Dependency

More information

Dynamic Host Configuration Protocol (DHCP)

DHCP is required for PXE deployments. You must have a functioning DHCP server with an active host to deploy operating systems by using PXE. For more information about PXE deployments, see Planning for PXE-Initiated Operating System Deployments in Configuration Manager.

Supported operating systems and hard disk configurations

For more information about the operating system versions and hard disk configurations that are supported by Configuration Manager when you deploy operating systems, see Supported Operating Systems and Hard Disk Configurations for Operating System Deployment. Windows device drivers can be used when you install the operating system on the destination computer and when you run Windows PE by using a boot image. For more information about device drivers, see Planning a Device Driver Strategy in Configuration Manager.

Windows device drivers

Configuration Manager Dependencies

The following table provides information about Configuration Manager operating system deployment prerequisites.
Dependency More information

Operating system image

Depending on the method that you plan to use to deploy operating system images, there are several dependencies that must be considered. For more information about these dependencies, see Determine the Operating System Deployment Method to Use in Configuration Manager. To deploy a device driver, you must import the device driver, enable it, and make it available on a distribution point that the Configuration
1725

Driver catalog

Dependency

More information

Manager client can access. For more information about the driver catalog, see Planning a Device Driver Strategy in Configuration Manager. Management point Management points transfer information between client computers and the Configuration Manager site. The client uses a management point to run any task sequences that are required to complete the operating system deployment. For more information about task sequences, see Planning a Task Sequences Strategy in Configuration Manager Distribution point Distribution points are used in most deployments to store the data that is used to deploy an operating system, such as the operating system image or device driver packages. Task sequences typically retrieve data from a distribution point to deploy the operating system. For more information about task sequences, see Planning a Task Sequences Strategy in Configuration Manager For more information about how to install distribution points and manage content, see Configuring Content Management in Configuration Manager PXE-enabled distribution point To deploy PXE-initiated deployments, you must configure a distribution point to accept PXE requests from clients. For more information about how to configure the distribution point, see Planning for PXE-Initiated Operating System Deployments in Configuration Manager. To optimize your operating system deployments by using multicast, you must configure a distribution point to support multicast. For more information about how to configure the distribution point to support
1726

Multicast-enabled distribution point

Dependency

More information

multicast, see Planning a Multicast Strategy in Configuration Manager. State migration point When you capture and restore user state data for side-by-side and refresh deployments, you must configure a state migration point to store the user state data on another computer. For more about how to configure the state migration point, see Install Site System Roles For information about how to capture and restore user state, see How to Manage the User State in Configuration Manager. Reporting services point To use Configuration Manager reports for operating system deployments, you must install and configure a reporting services point. For more information, see Configuring Reporting in Configuration Manager. Security permissions for operating system deployments The Operating System Deployment Manager security role is a built-in role that cannot be changed. However, you can copy the role, make changes, and then save these changes as a new custom security role. Here are some of the permissions that apply directly to operating system deployments: Boot Image Package: Create, Delete, Modify, Modify Folder, Move Object, Read, Set Security Scope Device Drivers: Create, Delete, Modify, Modify Folder, Modify Report, Move Object, Read, Run Report Driver Package: Create, Delete, Modify, Modify Folder, Move Object, Read, Set Security Scope Operating System Image: Create, Delete, Modify, Modify Folder, Move Object, Read, Set Security Scope Operating System Installation Package : Create, Delete, Modify, Modify Folder, Move Object, Read, Set Security Scope Task Sequence Package: Create, Create Task Sequence Media, Delete, Modify,
1727

Dependency

More information

Modify Folder, Modify Report, Move Object, Read, Run Report, Set Security Scope For more information about custom security roles, see the Create Custom Security Roles section in the Configuring Security for Configuration Manager topic. Security scopes for operating system deployments Use security scopes to provide administrative users with access to the securable objects used in operating system deployments, such as operating system and boot images, driver packages, and task sequence packages. For more information about security scopes, see Planning for Security Scopes in the Planning for Role-Based Administration section in the Planning for Security in Configuration Manager topic.

Windows Deployment Services (WDS)

Windows Deployment Services must be installed on the same server as the distribution points that you configure to support PXE or multicast. Whether you must install Windows Deployment Services manually or if it is already installed on the server depends on the operating system of the server. Windows Server 2008 or later: Windows Deployment Services is included in the operating system. Important PXE and multicast is not supported on computers running Windows Server 2008 or Windows Server 2008 R2 that is installed with the Server Core installation option. The Server Core installation option installs a minimal environment that avoids extra overhead and limits the roles that can be performed by the server, including Windows Deployment Services, which is required for PXE deployments and multicast. Windows Server 2003 SP2 or later: The Windows Deployment Services role can be added by using Add or Remove Programs.

For PXE deployments, Windows Deployment Services is the service that performs the PXE boot. When the distribution point is installed and enabled for PXE, Configuration Manager installs a provider into Windows Deployment Services that uses the Windows Deployment Services PXE boot functions. Note
1728

The installation of WDS might fail if the server requires a restart. Other Windows Deployment Services configurations that must be considered include the following: The Windows Deployment Services installation on the server requires that the administrator is a member of the Local Administrators group. The Windows Deployment Services server must be either a member of an Active Directory domain or a domain controller for an Active Directory domain. All Windows domain and forest configurations support Windows Deployment Services.

See Also
Planning How to Deploy Operating Systems in Configuration Manager

Supported Operating Systems and Hard Disk Configurations for Operating System Deployment
Use the information in this topic to identify the operating systems and disk configurations that support the capture, creation, and deployment of operating system images by using System Center 2012 Configuration Manager.

Supported Operating Systems

All operating systems listed as supported client operating systems under Operating System Requirements for Configuration Manager Client Installation are supported for operating system deployments with the following exceptions: Clients that use the mobile device client. Windows XP Embedded Windows Storage Server 2003 Windows Storage Server 2008 IA-64-based architecture computers

The following operating systems do not support the Apply operating system from an original installation source option in the Apply Operating System Image task sequence step. These operating systems must be captured by using a reference computer before being deployed to the destination computer: Windows Embedded for Point of Service 1.0 Windows Embedded for Point of Service 1.1 with SP3 Windows Embedded Standard 2009 Windows Embedded POSReady 2009
1729

Windows Embedded Standard 7 with SP1 Windows Embedded POSReady 7 Windows Fundamentals for Legacy PCs Windows XP Tablet PC SP3 Windows Thin PC

Supported Disk Configurations

The hard disk configuration combinations on the reference and destination computers that are supported for Configuration Manager operating system deployment are shown in the following table.
Reference computer hard disk configuration Destination computer hard disk configuration

Basic disk Simple volume on a dynamic disk

Basic disk Simple volume on a dynamic disk

Configuration Manager supports capturing an operating system image only from computers that are configured with simple volumes. There is no support for the following hard disk configurations: Spanned volumes Striped volumes (RAID 0) Mirrored volumes (RAID 1) Parity volumes (RAID 5)

The following table shows an additional hard disk configuration on the reference and destination computers that is not supported with Configuration Manager operating system deployment.
Reference computer hard disk Configuration Destination computer hard disk configuration

Basic disk

Dynamic disk

See Also
Planning How to Deploy Operating Systems in Configuration Manager

Determine the Operating System Deployment Method to Use in Configuration Manager

There are different methods that you can use to deploy an operating system in your System Center 2012 Configuration Manager environment. Use the following tables to identify
1730

some of the installation considerations to help you determine which method to use to deploy operating systems.

PXE-Initiated Deployments
Dependencies Advantages Disadvantages Reference

Distribution point that supports PXE deployments. Windows Deployment Services installation. Firewall port configuration.

This method works well when no user is present at the destination computer and for data center environments. You can associate users with the destination computer to support usercentric management.

Optional PXE deployments require user intervention. DHCP considerations when the DHCP server is installed on the same server as the PXEenabled distribution point.

Planning for PXEInitiated Operating System Deployments in Configuration Manager

Bootable Media-Initiated Deployments

Dependencies Advantages Disadvantages Reference

Appropriate image architecture must be available on a distribution point that Configuration Manager clients can access.

Works well for bare metal operating system deployment scenarios (no operating system is installed). You can associate users with the destination computer to support usercentric management. As a security best practice, you can protect the media

Requires a physical Plan How to Use presence at the Bootable Media destination How to Create computer. Bootable Media

1731

Dependencies

Advantages

Disadvantages

Reference

with a strong password.

Stand-alone Media-Initiated Deployments

Dependencies Advantages Disadvantages Reference

Media set of USB flash drive, CD, or DVD that contains the necessary installation files.

Use this method for computers that connect to Configuration Manager by using a low bandwidth connection. Computers do not require a connection to the System Center 2012 Configuration Manager site. As a security best practice, you can protect the media with a strong password.

All files required for the installation must be contained on the media. All device drivers required for the installation must be on the media. You cannot set an expiration date on the media.

Plan How to Use Stand-alone Media How to Create Stand-alone Media

Prestaged Media Deployments

Dependencies Advantages Disadvantages Reference

Computers must be able to access an appropriate image architecture on a distribution point. Boot image must have the network and mass storage drivers that computers require to complete the deployment process.

Supports the preloading of the operating system image and boot image, which is suitable for a factory or a staging center. Speeds up the onsite deployment time. Works with current task sequences to provide up-to-date

You must connect to a Configuration Manager site to create the media. The destination computer can be used only at the same Configuration Manager site where the media was created.

Plan How to Use Prestaged Media How to Create Prestaged Media

1732

Dependencies

Advantages

Disadvantages

Reference

deployments. As a best practice, you can passwordprotect the media for security purposes. You can associate users with the destination computer to support usercentric management.

Side-by-Side Deployments
Dependencies Advantages Disadvantages Reference

State migration point site role. You must create a computer association between the source and destination computer.

When you use the state migration point role, the user state can be saved to another computer and then restored to the new computer.

State migration point must have sufficient hard disk space to store the user state data.

How to Manage the User State in Configuration Manager

Configuration Manager Initiated Deployments

Dependencies Advantages Disadvantages Reference

Destination computer must be a System Center 2012 Configuration Manager client.

You can deploy an operating system image without creating additional media.

The client computer must have a connection to a Configuration Manager site. Destination

Planning for Deploying Operating System Images in Configuration Manager

1733

Dependencies

Advantages

Disadvantages

Reference

computers must be Configuration Manager clients.

See Also
Planning How to Deploy Operating Systems in Configuration Manager

Planning Site System Roles for Operating System Deployments in Configuration Manager
The same planning steps that you consider when you set up other System Center 2012 Configuration Manager site system roles also apply when you configure roles for operating system deployments. For example, if you plan to have more than one site system role on a server, consider the combined effect of all the site system roles on network performance, memory, disk storage, processor usage, and other server resources. Operating system deployments primarily affect these resources for distribution points and state migration points. Use the following sections to help plan for distribution points and state migration points.

Distribution Points
Make sure that you have enough distribution points to support the deployment of operating systems to computers and verify the placement of these distribution points in the hierarchy. This kind of planning is basically the same as you would use for the deployment of other Configuration Manager packages. However, there are some considerations that are specific to operating system deployment. One consideration is the number of computers that can be deployed at one time from a single distribution point. You must consider the processing speed and disk I/O of the distribution point, the available bandwidth on the network, and the effect that the size of the image package has on these resources. For example, on a 100 megabyte (MB) Ethernet network, the maximum number of computers that can process a 4 gigabyte (GB) image package in one hour is 11 computers if you do not consider any other server resource factors.
1 Megabit transfers 8 Megabytes of data

1734

100 Megabits/sec = 12.5 Megabytes/sec = 750 Megabytes/min = 45 Gigabytes/hour= 11 images @ 4GB per image

In reality, the number might be far less. So if you must deploy to a specific number of computers within a specific time frame, distribute the image package to an appropriate number of distribution points. For planning information about distribution points, see Planning for Content Management in Configuration Manager. Important Another consideration is that when you deploy operating system deployment task sequences to a collection of computers, Configuration Manager does not distinguish Configuration Manager site servers from other destination computers in the collection. If you deploy the task sequence to a collection that contains a site server, the site server runs the task sequence in the same way that any other computer in the collection runs the task sequence. Ensure that you remove the site system role from the site server before you deploy an operating system image to it, and then assign the site system role back to the site server after the operating system is deployed. In addition, if you distribute an image to a distribution point, the server has to receive its image package from a remote distribution point. You cannot distribute an image to a distribution point on the server and then deploy the task sequence that installs the operating system to the server.

PXE-Enabled Distribution Points

To deploy an operating system by using PXE, you must designate a distribution point that can respond to the PXE boot requests. The distribution point can then respond to the PXE boot request and determine the appropriate deployment actions to take. For more information about how to deploy operating systems by using PXE, see Planning for PXE-Initiated Operating System Deployments in Configuration Manager.

Multicast-Enabled Distribution Points

To deploy an operating system to multiple computers simultaneously, you must configure a distribution point that supports multicast. For more information about how to use multicast to deploy operating systems, see Planning a Multicast Strategy in Configuration Manager.

State Migration Point

The state migration point stores user state data that is captured on one computer and then restored on another computer. You must store the user state data on the state migration point when you use a side-by-side deployment. However, when you use the same computer, such as a deployment where you refresh the operating system on the destination computer, you can store the data on the same computer or on the state migration point. For some computer deployments, when you create the state store, Configuration Manager automatically creates an association between the state store and the destination computer. As you plan for the state migration point, consider the following factors.
1735

User State Size

The size of the user state directly affects disk storage on the state migration point and network performance during the migration. Consider the size of the user state and the number of computers to migrate. Consider also what settings to migrate from the computer. For example, if My Documents is already backed up to a server, then perhaps you do not have to migrate it as part of the image deployment. Avoiding unnecessary migrations can keep the overall size of the user state smaller and decrease the effect it would otherwise have on network performance and disk storage on the state migration point.

User State Migration Tool

To capture and restore the user state during the deployment of the operating systems, you must use a User State Migration Tool (USMT) package that points to the USMT source files. You must create this package in the Software Library/Application Management/Packages folder. Configuration Manager uses USMT 4.0, which is distributed in Windows Automated Installation Kit (Windows AIK), to capture the user state from one operating system and then restores it to another operating system. For a description of different migration scenarios for USMT 4.0, see Common Migration Scenarios.

Retention Policy
When you configure the state migration point, you can specify the length of time to keep the user state data that is stored on it. The length of time to keep the data on the state migration point depends on two considerations: The effect that the stored data has on disk storage. The potential requirement to keep the data for a time in case you must migrate the data again.

State migration occurs in two phases: Capturing the data and restoring the data. When you capture the data, the user state data is collected and saved to the state migration point. When you restore the data, the user state data is retrieved from the state migration point, written to the destination computer, and then the Release State Store task sequence step releases the stored data. When the data is released, the retention timer starts. If you select the option to delete migrated data immediately, the user state data is deleted as soon as it is released. If you select the option to keep the data for a certain period of time, the data is deleted when that period of time elapses after the state data is released. The longer you set the retention period, the more disk space you are likely to require.

Selecting Drives
When you configure the state migration point, you must specify the drive on the server to store the user state migration data. You select a drive from a fixed list of drives. However, some of these drives might represent non-writable drives, such as the CD drive, or a non-network share
1736

drive. In addition, some drive letters might not be mapped to any drives on the computer. You must specify a writable, shared drive when you configure the state migration point.

See Also
Planning How to Deploy Operating Systems in Configuration Manager

Planning for Deploying Operating System Images in Configuration Manager

There are three basic actions that you must take when you use System Center 2012 Configuration Manager to deploy an operating system image to destination computers: Build and capture an image and distribute it to distribution points. Create and configure the task sequence that will install the operating system image. Deploy the task sequence.

Create the Image and Distribute it to Distribution Points

Operating system images are .WIM format files and represent a compressed collection of reference files and folders that are required to successfully install and configure an operating system on a computer. The operating system image is built and captured from a reference computer that you configure with all the required operating system files, support files, software updates, tools, and other software applications. You can build the reference computer manually, or use a task sequence to automate some or all of the build steps. For more information about how to capture the operating system image, see Planning for Capturing Operating System Images in Configuration Manager.

Create and Configure the Appropriate Deployment Task Sequence

After you have created the reference computer and captured an operating system image from that computer, you can use a task sequence to configure how to deploy that image to your destination computers. For information about how you can use deployment task sequences, see Planning a Task Sequences Strategy in Configuration Manager.

Deploy the Task Sequence

After you create your task sequences, you can deploy the task sequence to the collection that contains the destination computers. For information about how to deploy a task sequence, see
1737

the How to Deploy a Task Sequence section of the How to Manage Task Sequences in Configuration Manager topic.

Creating Packages for Operating System Deployments

You must create several Configuration Manager packages to support the building of a reference computer and the deployment of an operating system image to a destination computer. The following packages are required to build a reference computer: Operating system installation package Configuration Manager client installation package Sysprep package (Windows XP SP3 and Server 2003 SP2 only) Driver packages Other packages

Use the following table to find more information about the packages used to support building the reference computer.
Package More information

Operating System Installation package

The Operating System Installation Package must contain all the files necessary to install the desired Windows operating system on a reference computer. You create this package as you would any other Configuration Manager package. The task sequence will reference the source files as needed. Sysprep is a Windows system preparation tool that facilitates image creation, and the preparation of an image for deployment to multiple destination computers. If the operating system version you are running is Windows Vista, Sysprep is already available on the computer and you do not need to specify a package. If the operating system version you are running is Windows XP or earlier, you must specify a package that contains the version of Sysprep and all its support files (no subfolders) that are appropriate for that operating system version. This package does not require a program. Configuration Manager uses the Sysprep files contained in the package.
1738

Sysprep package

Package

More information

For more information about using Sysprep, see the Sysprep documentation for the version of Sysprep that supports the version of the operating system running on the reference computer. Driver package If the reference computer requires device drivers that are not included with the operating system, you must create the packages that contain the necessary Windows drivers to support hardware on the reference computer. Typically, a manufacturer supplies an INF file and other supporting files for a device driver, and sometimes an installation script as well. Refer to the documentation supplied by the manufacturer of the device driver to ensure that you create a package that includes all supporting files. You can use the following sets of task sequence steps to install driver packages: Auto Apply Drivers. This step allows you to automatically match and install device drivers as part of an operating system deployment. For information about the task sequence variables associated with this step, see Auto Apply Drivers Task Sequence Action Variables in the Task Sequence Action Variables in Configuration Manager topic. Apply Driver Package. This step allows you to make all device drivers in a specific driver package available for use by Windows setup. For information about the task sequence variables associated with this step, see Apply Driver Package Task Sequence Action Variables in the Task Sequence Action Variables in Configuration Manager topic.

The following packages are needed to deploy an image to a destination computer: Operating system image package Configuration Manager client installation package
1739

USMT packages (for user state backup and restore only) Other packages

See Also
Planning How to Deploy Operating Systems in Configuration Manager

Planning for Capturing Operating System Images in Configuration Manager

To capture the operating system image that you want to deploy in your System Center 2012 Configuration Manager environment, you must use a reference computer.

Configuring the Reference Computer

You can configure the reference computer manually, or you can completely automate the configuration of the reference computer and capture an operating system image. The extent to which you configure the reference computer manually is up to you. You can completely automate the configuration of the reference computer by using a build and capture task sequence, you can manually configure certain aspects of the reference computer and then automate the rest using task sequences, or you can manually configure the reference computer without using task sequences. After you have captured an image from a reference computer, do not capture another operating system image from the reference computer because registry entries are created during the initial configuration. Create a new reference computer each time that you capture the operating system image. If you plan to use the same reference computer to create future operating system images, first uninstall the Configuration Manager client, and then reinstall the Configuration Manager client. The following table outlines advantages and disadvantage for an automated and manual configuration of the reference computer.
Reference computer Advantages Disadvantages

Automated configuration

The configuration can be completely unattended, which eliminates the requirement for an administrator or user to be present. You can reuse the task sequence to repeat the configuration of additional

The initial action to build a task sequence can take a long time to create and test. If the reference computer requirements change significantly, it can take a long time to rebuild and retest the task sequence.
1740

Reference computer

Advantages

Disadvantages

reference computers with a high level of confidence. You can modify the task sequence to accommodate differences in reference computers without having to recreate the entire task sequence. Manual configuration You do not have to create a task sequence or take the time to test and troubleshoot the task sequence. You can install directly from CDs without putting all the software packages (including Windows itself) into a Configuration Manager package. The accuracy of the reference computer configuration depends on the administrator or user who configurs the computer. You must still verify and test that the reference computer is configured correctly. You cannot reuse the configuration method. Requires a person to be actively involved throughout the process. The following table lists the basic items to consider when you configure a reference computer.
Reference computer configuration items More information

Operating system to deploy

The reference computer must be installed with the operating system that you intend to deploy to your destination computers. For more information about the operating systems that you can deploy, see Supported Operating Systems and Hard Disk Configurations for Operating System Deployment. Make sure that the operating system running on the reference computer has the most current service pack applied. Install all software applications that you want included in the operating system image that you capture from the reference computer. You can
1741

Appropriate service pack

Appropriate software updates

Reference computer configuration items

More information

also install software applications when you deploy the captured operating system image to your destination computers. Workgroup membership The reference computer must be configured as a member of a workgroup. The System Preparation (Sysprep) tool is a technology that you can use with other deployment tools to install Windows operating systems onto new hardware. Sysprep prepares a computer for disk imaging or delivery to a customer by configuring the computer to create a new computer security identifier (SID) when the computer is restarted. In addition, Sysprep cleans up user and computer-specific settings and data that must not be copied to a destination computer. Important On Windows XP computers, you must copy the appropriate Sysprep files (sysprep.exe and setupcl.exe) to the C:\Sysprep folder on the reference computer. This is especially important if you deploy the image to more than one destination computer. On newer operating systems, the files are already available and no action is required. You can manually Sysprep the reference computer by running the following command:
Sysprep /quiet /generalize /reboot

Appropriate version of Sysprep or another migration tool.

You can automate Sysprep by using the Prepare Windows for Capture task sequence step or capture media. For more information about how to create capture media, see the How to Create Capture Media section of the How to Deploy Operating Systems by Using Media in Configuration Manager topic. Important The Prepare Windows for Capture task sequence step attempts to reset the
1742

Reference computer configuration items

More information

local administrator password on the reference computer to a blank value before Sysprep runs. If the Local Security policy Password must meet complexity requirements is enabled, this task sequence step fails to reset the administrator password. In this scenario, disable this policy before you run the task sequence. For more information about Sysprep for Windows 8 and Windows Server 2012, see the System Preparation (Sysprep) Technical Reference topic. Appropriate tools and scripts required to mitigate installation scenarios You can install the application compatibility tools and scripts on the reference computer that are required to troubleshoot known installation scenarios on destination computers when you deploy the captured operating system image to your destination computers. You can configure the reference computer with the desktop customization properties that you want to include when you capture the operating system image from the reference computer. Desktop properties include wall paper, organizational branding, and a standard default user profile.

Appropriate desktop customization, such as wall paper, branding, and default user profile

Operating System Image Deployment Considerations

Before you deploy an operating system image in Configuration Manager, consider the following factors to plan the deployment: Operating system image size Cache size of the Configuration Manager client Capturing the user and computer state Windows User State Migration Tool (USMT) package Task sequence deployment

1743

Operating System Image Size

The size of an operating system image can be quite large. For example, the image size for Windows 7 is 3 gigabytes (GB) or more. The size of the image and the number of computers that you simultaneously deploy the operating system to affects the network performance and available bandwidth. Ensure that you test the network performance to better gauge the affect that the image deployment might have and the time it takes to complete the deployment. Configuration Manager activities that affect network performance include distributing the image to a distribution point, distributing the image from one site to another, and downloading the image to the Configuration Manager client. Also ensure that you plan for sufficient disk storage space on the distribution points that host the operating system images.

Client Cache Size

When Configuration Manager clients download content, they automatically use Background Intelligent Transfer Service (BITS) if it is available. When you deploy a task sequence that installs an operating system, you can set an option on the deployment so that Configuration Manager clients download the full image to a local cache before the task sequence runs. In general, when a Configuration Manager client must download a package, or in this scenario, an operating system image, but there is not enough space in the cache, the client checks the other packages in the cache to determine whether deleting any or all of the oldest packages will free enough disk space to accommodate the new package. If deleting any or all of the oldest packages does not free enough disk space, the client does not download the new package and the deployment fails. This scenario might occur if the cache has a large package that an administrative user has configured to persist in the cache. If deleting any or all of the oldest packages does free enough space in the cache, the client deletes them, and then downloads the new package into the cache. The default cache size on Configuration Manager clients might not be large enough for most operating system image deployments. If you plan to download the full image to the client cache, you must adjust the Configuration Manager client cache size on the destination computers to accommodate the size of the image that you are deploying. For more information about how to manage the client cache, see the Configure the Client Cache for Configuration Manager Clients section in the How to Manage Clients in Configuration Manager topic.

Capturing the User and Computer State Settings

If you plan to capture the user and computer state settings as part of your operating system deployment, you must decide whether to store the data remotely on a state migration point or locally on the destination computer. For more information about how to manage the user state, see How to Manage the User State in Configuration Manager.

1744

Task Sequence Deployments

The task sequence that you create can deploy the operating system image on a Configuration Manager client computer in one of the following ways: Download the image and its content first to the Configuration Manager client cache from a distribution point and then install it. Install the image and its content immediately from the distribution point. Install the image and its content as it is required from the distribution point

By default, when you create the deployment for the task sequence, the image is downloaded first to the Configuration Manager client cache and then installed. For more information about task sequences, see the How to Deploy a Task Sequence section in the How to Manage Task Sequences in Configuration Manager topic. If you select to download the image to the Configuration Manager client cache before you run the image, and the task sequence contains a step to repartition the hard drive, the repartition step fails because repartitioning the hard drive erases the contents of the Configuration Manager client cache. If the task sequence must repartition the hard drive, you must run the image installation from the distribution point by using the Run program from distribution point option when you deploy the task sequence.

Deploy the Operating System Image Manually

You can create a stand-alone CD, DVD set, or a USB flash drive to deploy the operating system manually to a destination computer. However, the size of the image might affect your choice of the type of stand-alone media that you create. For more information about how to create standalone media, see the How to Create Stand-alone Media section in the How to Create Stand-alone Media. In addition, if Configuration Manager does not currently manage the destination computer, you must add the computer to the Configuration Manager database before you initiate the operating system deployment process. You cannot use stand-alone media to deploy an operating system to an unknown computer. This requirement applies whether the computer has an existing operating system or not. For more information about how to import a new computer into Configuration Manager, see the How to Add a Computer to the Configuration Manager Database section in the How to Deploy Operating Systems in Configuration Manager topic.

See Also
Planning How to Deploy Operating Systems in Configuration Manager

1745

Planning for Boot Image Deployments in Configuration Manager

Boot images are used to install the operating system on the destination computers in your System Center 2012 Configuration Manager environment. They contain a version of Windows PE that installs the operating system, as well as any additional device drivers that are required. Windows PE is a minimal operating system with limited components and services that prepare the destination computer for Windows installation. Configuration Manager provides two boot images: One to support x86 platforms and one to support x64 platforms. As a best practice, use these images when you deploy an operating system unless you have specific device drivers that are required by the boot image.

Distributing Boot Images

Boot images are distributed to distribution points in the same way as you distribute other content. Consider the following factors when you deploy boot images: When deployed as part of a task sequence to a Configuration Manager client, the image is copied to and booted from the hard drive of the destination computer. For information about how to create task sequences, see the How to Create Task Sequences section in the How to Manage Task Sequences in Configuration Manager topic. When deployed by using bootable media, the destination computer boots from the media and loads Windows PE on the destination computer. For information about how to create bootable media, see the How to Create Bootable Media section in the How to Deploy Operating Systems by Using Media in Configuration Manager topic. It is important that the boot image contain any network adapter (NIC) drivers and mass storage drivers that are required to successfully run on the destination computer. Boot images are stored as WIM files. Ensure that they are always stored in a physically secure location. CMTrace is added to all boot images that are added to the Software Library. When you are in Windows PE, you can find CMTrace in the following locations:
X:\SMS\BIN\x64 X:\SMS\BIN\i386

Updating Boot Images

You can update boot images by adding or removing device drivers to the image or by editing the properties that are associated with the boot image. The device drivers that you add or remove can include new network adapters or mass storage device drivers. Consider the following factors when you update boot images: Device drivers that you add to a boot image must be imported and enabled in the device driver catalog before they can be added to the boot image.
1746

When you update a boot image, the boot image does not change any of the associated packages that the boot image references. After you make changes to a boot image, you must update the distribution points that contain a version of the boot image so that the most current version of the boot image is available. For more information, see Update Content on Distribution Points. Important You cannot schedule an update of the distribution point. You must update the distribution point manually.

Creating Boot Images for Computers that Boot in UEFI Mode

When you create a boot image for computers that boot in UEFI mode, use a boot image that matches the architecture of the computer (x86 for x86-based computers or x64-based computers). You cannot use an x86 boot image for both architectures for computers that boot in UEFI mode.

Locating Boot Images

The boot images that you can use to deploy operating systems are located in the Boot Images node of the Software Library workspace in the Configuration Manager console. It is available in the Software Library workspace of the Configuration Manager console. For more information on boot images, see How to Manage Boot Images in Configuration Manager. In addition to the tasks that you can perform from the Boot Images node, such as adding a new boot image and distributing a boot image to a destination point, you can use the Properties page of each boot image object to perform the following tasks.
Task Tab reference

Change the name, version, or comments that are associated with the boot image. View the properties of the boot image that are defined by the boot image file. Add or remove the device drivers that are used by the boot image. Enable command prompt support, enable prestart commands and specify the files associated with the command, and change the Windows PE background. Change the image index and content setting.

General tab

Images tab

Drivers tab

Customization tab

Data Source tab

1747

Task

Tab reference

Specify how the boot image is stored on the Data Access tab distribution points where the image is deployed. Specify how the boot image is distributed to sites from distribution points. View the locations where the boot image is assigned. View which administrative users have permissions on the boot image. Distribution Setting tab

Content Locations tab

Security tab

See Also
Planning How to Deploy Operating Systems in Configuration Manager

Planning a Device Driver Strategy in Configuration Manager

Configuration Manager provides a driver catalog that you can use to manage the Windows device drivers in your System Center 2012 Configuration Manager environment. You can use the driver catalog to import device drivers into Configuration Manager, to group them in packages, and to distribute those packages to distribution points where you can access them when you deploy an operating system. Device drivers can be used when you install the full operating system on the destination computer and when you install Windows PE by using a boot image. Windows device drivers consist of a Setup Information File (INF) file and any additional files that are required to support the device. When an operating system is deployed, Configuration Manager obtains the hardware and platform information for the device from its INF file.

Importing Windows Device Drivers

You must import device drivers into the driver catalog before you can use them when you deploy an operating system. To better manage your device drivers, import only those device drivers that you plan to install as part of your operating system deployment. However, you can also store multiple versions of device drivers in the driver catalog to provide an easy way to upgrade existing device drivers when hardware device requirements change on your network. For more information about how to import device drivers, see the How to Import Windows Device Drivers section in the How to Manage the Driver Catalog in Configuration Manager topic.

1748

Device Driver Categories

When you import device drivers, you can assign the device drivers to a category. Device driver categories help group similarly used device drivers together in the driver catalog. For example, you can assign all network adapter device drivers to a specific category. Then, when you create a task sequence that includes the Auto Apply Drivers step, you can specify a specific category of device drivers. Configuration Manager then scans the hardware and selects the applicable drivers from that category to stage on the system for Windows Setup to use.

Creating Driver Packages

You can group similar device drivers in packages to help streamline operating system deployments; for example, you might decide to create a driver package for each computer manufacturer on your network. You can create a driver package while you are importing drivers into the driver catalog, or you can create them directly in the Driver Packages node. After the driver package is created, it must be distributed to distribution points from which Configuration Manager client computers can install the drivers as they are required. Driver packages also provide you the flexibility to distribute device driver content to only those distribution points that require them. When you create a driver package, the source location of the package must point to an empty network share that is not used by another driver package, and the SMS Provider must have Read and Write permissions to that location. For information about how to create a driver package from the Driver Packages node, see the How to Create Driver Packages section in the How to Manage the Driver Catalog in Configuration Manager topic. When you add device drivers to a driver package, Configuration Manager copies the device driver to the driver package source location. You can add only device drivers that have been imported and that are enabled in the driver catalog to a driver package. For information about how to add a device driver to a driver package, see the How to Add and Remove Device Drivers That Are Associated with Driver Packages and Boot Images section in the How to Manage the Driver Catalog in Configuration Manager topic. If you want to copy a subset of the device drivers from an existing driver package, create a new driver package, add the subset of device drivers to the new package, and then distribute the new package to a distribution point.

Adding Device Drivers to Boot Images

You can add Windows device drivers that have been imported into the driver catalog to boot images. Use the following guidelines when you add device drivers to a boot image: Add only mass storage and network adapter device drivers to boot images because other types of drivers are not generally required. Drivers that are not required increase the size of the boot image unnecessarily.
1749

Add only device drivers for Windows 7 to a boot image because the required version of Windows PE is based on Windows 7. Ensure that you use the correct device driver for the architecture of the boot image. Do not add an x86 device driver to an x64 boot image.

For information about how to add a device driver to boot images, see the How to Add and Remove Device Drivers That Are Associated with Driver Packages and Boot Images section in the How to Manage the Driver Catalog in Configuration Manager topic.

Installing Device Drivers by Using Task Sequences

Use task sequences to automate how the operating system is deployed. Each step in the task sequence can perform a specific action, such as installing a device driver. You can use the following two task sequence steps to install device drivers while you are deploying operating systems: Auto Apply Drivers. This step lets you automatically match and install device drivers as part of an operating system deployment. You can configure the task sequence step to install only the best matched driver for each detected hardware device, or specify that the task sequence step installs all compatible drivers for each detected hardware device, and then let Windows Setup choose the best driver. In addition, you can specify a category of device drivers to limit the drivers that are available for this step. Apply Driver Package. This step lets you make all device drivers in a specific driver package available for Windows Setup. In the specified driver packages, Windows Setup searches for the device drivers that are required. Also use this step if you require device drivers as part of your stand-alone media deployment. When you use these task sequence steps, you can also specify how the device drivers are installed on the computer where you deploy the operating system.

Driver Catalog Reports

You can use several reports in the Driver Management reports category to determine general information about the device drivers in the driver catalog. For more information about reports, see Reporting in Configuration Manager.

See Also
Planning How to Deploy Operating Systems in Configuration Manager

1750

Planning for PXE-Initiated Operating System Deployments in Configuration Manager

There are several configuration decisions to consider before you use the pre-execution environment (PXE) to initiate the deployment of the operating system in your System Center 2012 Configuration Manager environment.

PXE Deployments and Windows Deployment Services

Windows Deployment Services (WDS) must be installed on the same server as the distribution point that you use to deploy the operating system. For more information about WDS and other operating system deployment prerequisites, see Prerequisites For Deploying Operating Systems in Configuration Manager.

Configuring Distribution Points to Support PXEInitiated Deployments

To initiate an operating system deployment by using PXE, you must configure a distribution point to accept PXE requests from the destination computers where the operating system is deployed. There are two ways to configure a distribution point to support PXE requests. You can set the appropriate PXE settings when you install the distribution point by using the Create Site System Server Wizard, or you can configure the PXE setting on an existing distribution point by using the Property page for the distribution point. For distribution point considerations that are not specific to PXE, see the Plan for Distribution Points section in the Planning for Content Management in Configuration Manager topic. You can configure the following PXE options for the distribution point: You must specify that the distribution point supports PXE requests from clients. You can specify if Windows Deployment Services is enabled or disabled for the distribution point. You can specify that the distribution point accepts PXE requests from unknown computers. Unknown computers are computers that are not managed by Configuration Manager: the Configuration Manager client is not installed on the computer or the computer is not imported into the Configuration Manager database. For more information about how to deploy operating systems to unknown computers, see How to Manage Unknown Computer Deployments in Configuration Manager. You can specify that a password is required to start the PXE boot. You can specify user device affinity for the destination computer. This setting allows you to associate a user with the destination computer after the operating system is deployed. For more information about how Configuration Manager uses user device affinity, see the
1751

Deploying Applications in Configuration Manager section of the Introduction to Application Management in Configuration Manager topic. You can specify that the distribution point responds to PXE requests on all network interfaces, which is the default, or if it responds to PXE requests on only specific network interfaces. You can specify how long the distribution point delays, in seconds, before it reacts to a PXE request.

Distributing Boot Images to the Distribution Point

You must have both an x86 and an x64 PXE-enabled boot image deployed to the distribution point for the PXE deployment to succeed. The packages for these boot images must specify that they will be deployed to distribution points that support PXE requests. When this is done, Configuration Manager distributes the boot image to the RemoteInstall folder on the distribution point. In addition, when this setting is disabled, the image is removed from the RemoteInstall folder. For information about how to create a PXE enable boot image, see the How to Create a PXE enabled Boot Image section in the How to Deploy Operating Systems by Using PXE in Configuration Manager topic. Note The boot image is copied or removed locally by the distribution point when it updates the RemoteInstall folder. The boot image is not sent over the network when the folder is updated.

PXE Deployments
When you deploy operating systems by using PXE, you have the following options: Required deployment: Required deployments will use PXE without any user intervention. The user will not be able to bypass the PXE boot. However, if the user cancels the PXE boot before the distribution point responds, the operating system will not be deployed. Available deployment: Available deployments require that the user is present at the destination computer so that they can press the F12 key to continue the PXE boot process. If the user is not present to press F12, the computer will boot into the current operating system or from the next available boot device. Re-deploy a deployment: You can re-deploy a required PXE deployment by clearing the status of the last PXE deployment assigned to a Configuration Manager collection or a computer. This action resets the status of that deployment and re-deploys the most recent required deployments.

Security The PXE protocol is not secure. Ensure that the PXE server and the PXE client are located on a physically secure network, such as in a data center to prevent unauthorized access to your site.

1752

Windows Deployment Service and Dynamic Host Configuration Protocol (DHCP)

Consider the following configuration issues if you plan to co-host the distribution point on a server running DHCP. You must have a functioning DHCP server with an active scope. Windows Deployment Services uses PXE, which requires a DHCP server. DHCP and Windows Deployment Services both require port number 67. If you co-host Windows Deployment Services and DHCP, you can move DHCP or the distribution point that is configured for PXE to a separate server. Or, you can use the following procedure to configure the Windows Deployment Services server to listen on a different port. To configure the Windows Deployment Services server to listen on a different port 1. Modify the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WDSServer\Pro viders\WDSPXE 2. Set the registry value to: UseDHCPPorts = 0 3. For the new configuration to take effect, run the following command on the server:
WDSUTIL /Set-Server /UseDHCPPorts:No /DHCPOption60:Yes

A DNS server is required to run Windows Deployment Services. The following UDP ports must be open on the Windows Deployment Services server. Port 67 (DHCP) Port 69 (TFTP) Port 4011 (PXE) Note In addition, if DHCP authorization is required on the server, you need DHCP client port 68 to be open on the server.

See Also
Planning How to Deploy Operating Systems in Configuration Manager

Planning a Multicast Strategy in Configuration Manager

Multicast is a network optimization method that you can use in your System Center 2012 Configuration Manager environment where multiple clients are likely to download the same
1753

operating system image at the same time. When multicast is used, multiple computers simultaneously download the operating system image as it is multicast by the distribution point, rather than having the distribution point send a copy of the data to each client over a separate connection.

Multicast Deployment Process

The following flowchart shows the process that you must follow to deploy operating systems by using multicast.

Multicast and Windows Deployment Services

Windows Deployment Services (WDS) must be installed on the same server as the distribution point that you use to multicast the operating systems image. For more information about WDS and other operating system deployment prerequisites, see Prerequisites For Deploying Operating Systems in Configuration Manager.

Enable a Distribution Point to Support Multicast

To deploy operating system images by using multicast, you must provide a distribution point that supports multicast deployments. There are two ways to configure a distribution point to support
1754

multicast deployments. You can set the multicast settings when you install the distribution point by using the Create Site System Server Wizard, or you can configure the multicast settings on an existing distribution point by using the Property page for the distribution point. For more information about how to configure the distribution point and configure the operating system image to support multicast, see How to Manage Multicast in Configuration Manager. When you create a distribution point there are other configuration issues that need to be considered in addition to configuring the distribution point for multicast support. For more information about the attributes that you can configure for your distribution point, see Planning for Content Management in Configuration Manager.

Specify When the Operating System Image is Available

You can further conserve bandwidth by configuring when the operating system image is deployed from the distribution point. This consolidates the client requests into a specific time frame, which optimizes the benefits of multicast but might require clients to wait before the operating system package is available. The multicast session starts when it replies to a service location request from a client computer. The distribution point can be configured to require a specified number of requests before it begins to multicast, or it can wait a specified number of minutes after the first request before it begins to multicast. The multicast session ends when the maximum number of client requests is reached. Clients can join a multicast session already in progress. When the multicast is complete, the client will then download missing portions of the package.

Deploying Content when Running a Task Sequence

When you deploy the task sequence that multicasts the operating system, the content referenced by the task sequence must be downloaded locally from the distribution point to the destination computers. When you deploy your task sequence you can specify that the content is downloaded locally when it is needed by the task sequence or that all the content is downloaded before the task sequence is run. These deployment options are specified on the Distribution Points page when you deploy the task sequence. For more information about how to specify that the content is downloaded locally from the distribution point, see the How to Deploy a Task Sequence section in the How to Manage Task Sequences in Configuration Manager topic.

See Also
Planning How to Deploy Operating Systems in Configuration Manager

1755

Planning for Media Operating System Deployments in Configuration Manager

You can use media to capture an operating system image from a reference computer or to deploy an operating system to a destination computer in your System Center 2012 Configuration Manager environment. The media that you create can be a CD, DVD set, or a USB flash drive. Media is used mostly to deploy operating systems on destination computers that do not have a network connection or that have a low bandwidth connection to your Configuration Manager site. However, deployment media is also used to start an operating system deployment outside of an existing Windows operating system. This second use of deployment media is important for times when there is no operating system on the destination computer, the operating system is in a nonoperable state, or the administrative user wants to repartition the hard disk on the destination computer. Deployment media includes bootable media, stand-alone media, and prestaged media. The content of the deployment media varies, depending on what type of media that you use. For example, stand-alone media contains the task sequence that deploys the operating system while other types of media retrieve task sequences from the management point.

Capture Media for Operating System Images

Capture media allows you to capture an operating system image from a reference computer. Capture media contains the boot image that starts the reference computer and the task sequence that captures the operating system image. For information about how to create capture media, see the How to Create Capture Media section in the How to Deploy Operating Systems by Using Media in Configuration Manager topic.

Bootable Media Operating System Deployments

Bootable media contains only the boot image, optional prestart commands and their required files, and Configuration Manager binaries. When the destination computer starts, it connects to the network and retrieves the task sequence, the operating system image, and any other required content from the network. Because the task sequence is not on the media, you can change the task sequence or content without having to recreate the media. Important The packages on bootable media are not encrypted. The administrative user must take the appropriate security measures, such as adding a password to the media, to ensure that the package contents are secured from unauthorized users. For information about how to create bootable media, see the How to Create Bootable Media section in the How to Deploy Operating Systems by Using Media in Configuration Manager topic.
1756

Prestaged Media Operating System Deployments

Prestaged media allows you to prestage bootable media and an operating system image to a hard disk prior to the provisioning process. The prestaged media is a Windows Imaging Format (WIM) file that can be installed on a bare-metal computer by the manufacturer or at an enterprise staging center that is not connected to the Configuration Manager environment. Prestaged media contains the boot image used to start the destination computer and the operating system image that is applied to the destination computer. The task sequence that deploys the operating system is not included in the media. Prestaged media is applied to the hard drive of a new computer before the computer is sent to the end user. When the computer starts for the first time after the prestaged media has been applied, the computer starts Windows PE and connects to a management point to locate the task sequence that completes the operating system deployment process. Important The packages on prestaged media are not encrypted. The administrative user must take the appropriate security measures, such as adding a password to the media, to ensure that the package contents are secured from unauthorized users. Starting in Configuration Manager SP1, you can also specify applications, packages, and driver packages to include as part of the prestaged media. When you deploy a task sequence that uses prestaged media, the wizard checks the local task sequence cache for valid content first, and if the content cannot be found or has been revised, the wizard downloads the content from the distribution point. For information about how to create prestaged media, see the How to Create Prestaged Media section in the How to Deploy Operating Systems by Using Media in Configuration Manager topic.

Stand-Alone Media Operating System Deployments

Stand-alone media contains everything that is required to deploy the operating system. This includes the task sequence and any other required content. Because everything that is required to deploy the operating system is stored on the stand-alone media, the disk space required for stand-alone media is significantly larger than the disk space required for other types of media. The following actions are not supported for stand-alone media: Automatic application of device drivers from the driver catalog. Installing software updates. Installing software before deploying an operating system. Installing dependencies for applications that are specified as part of the task sequence. Associating users with the destination computer to support user device affinity.

For information about how to create stand-alone media, see the How to Create Stand-alone Media section in the How to Deploy Operating Systems by Using Media in Configuration Manager topic.
1757

Using the Install Package Step in Stand-Alone Media

The central administration site does not have the necessary client configuration policies that are required to enable the software distribution agent during the execution of the task sequence. When you create stand-alone media for a task sequence at the central administration site, and the task sequence includes an Install Package step, the following error might appear in the CreateTsMedia.log file:
WMI method SMS_TaskSequencePackage.GetClientConfigPolicies failed (0x80041001)

For stand-alone media that includes an Install Package step, you must create the stand-alone media at a primary site that has the software distribution agent enabled or add a Run Command Line step after the Setup Windows and ConfigMgr step and before the first Install Package step. The Run Command Line step runs a WMIC command to enable the software distribution agent before the first Install package step runs. You can use the following in your Run Command Line task sequence step: Command Line: WMIC /namespace:\\root\ccm\policy\machine\requestedconfig path ccm_SoftwareDistributionClientConfig CREATE ComponentName="Enable SWDist", Enabled="true", LockSettings="TRUE", PolicySource="local", PolicyVersion="1.0", SiteSettingsKey="1" /NOINTERACTIVE For more information about creating stand-alone media, see How to Create Stand-alone Media section in the How to Deploy Operating Systems by Using Media in Configuration Manager topic.

Media Considerations When Using Site Systems Configured for HTTPS

When your management point and distribution points are configured to use HTTPS communication, you must create boot media and prestaged media at a primary site, not the central administration site. Also, consider the following to help you determine whether to configure the media as dynamic or site-based: To configure the media as dynamic media, all primary sites must have the root CA of the site from which you created the media. You can import the root CA to all primary sites in your hierarchy. When primary sites in your Configuration Manager hierarchy use different root CAs, you must use site-based media at each site.

See Also
Planning How to Deploy Operating Systems in Configuration Manager

1758

Planning a Task Sequences Strategy in Configuration Manager

You can create task sequences that perform a variety of tasks within your System Center 2012 Configuration Manager environment. These tasks range from capturing an operating system on a reference computer to deploying the operating system to one or more destination computers. The actions of the task sequence are defined in the individual steps of the sequence. When the task sequence is run, the actions of each step are performed at the command-line level without requiring user intervention. You can deploy a task sequence to a collection that contains computers; however, you cannot deploy a task sequence to a user collection.

Task Sequence Steps and Actions

Steps are the basic components of a task sequence. They can contain commands that configure and capture the operating system of a reference computer, or they can contain commands that install the operating system, drivers, the Configuration Manager client, and software on the destination computer. The commands of a task sequence step are defined by the actions of the step. There are two types of actions. An action that you define by using a command-line string is referred to as a custom action. An action that is predefined by Configuration Manager is referred to as a built-in action. A task sequence can perform any combination of custom and built-in actions. Task sequence steps can also include conditions that control how the step behaves, such as stopping the task sequence or continuing the task sequence if an error occurs. Conditions are added to the step by including a task sequence variable to the step. For example, you could use the SMSTSLastActionRetCode variable to test the condition of the previous step. Variables can be added to a single step or a group of steps. Task sequence steps are processed sequentially, which includes the action of the step and any conditions that are assigned to the step. When Configuration Manager starts to process a task sequence step, the next step is not started until the previous action has completed. A task sequence is considered complete when all its steps have been completed or when a failed step causes Configuration Manager to stop running the task sequence before all its steps are completed. For example, if the step of a task sequence cannot locate a referenced image or package on a distribution point, the task sequence contains a broken reference and Configuration Manager stops running the task sequence at that point unless the failed step has a condition to continue when an error occurs. Important By default, a task sequence fails after one step or action fails. If you want the task sequence to continue after a task sequence step fails, edit the task sequence, click the Options tab, and then select Continue on error.
1759

For more information about the steps that can be added to a task sequence, see Task Sequence Steps in Configuration Manager.

Task Sequence Groups

Groups are multiple steps within a task sequence. A task sequence group consists of a name, an optional description, and any optional conditions that are evaluated as a unit before that task sequence continues with the next step. Groups can be nested within each other, and a group can contain a mixture of steps and subgroups. Groups are useful for combining multiple steps that share a common condition. Important By default, a task sequence group fails when any step or embedded group within the group fails. If you want the task sequence to continue when a step or embedded group fails, edit the task sequence, click the Options tab, and then select Continue on error. The following table shows how the Continue on error option works when you group steps. In this example, there are two groups of task sequences that contain three task sequence steps each.
Task sequence group or step Continue on error setting

Task Sequence Group 1 Task Sequence Step 1 Task Sequence Step 2 Task Sequence Step 3 Task Sequence Group 2 Task Sequence Step 4 Task Sequence Step 5 Task Sequence Step 6

Continue on error selected. Continue on error selected. Not set. Not set. Not set. Not set. Not set. Not set.

If task sequence step 1 fails, the task sequence continues with task sequence step 2. If task sequence step 2 fails, the task sequence does not run task sequence step 3 but continues to run task sequence steps 4 and 5, which are in a different task sequence group. If task sequence step 4 fails, no more steps are run, and the task sequence fails because the Continue on error setting was not configured for task sequence group 2.

You must assign a name to task sequence groups, although the group name does not have to be unique. You can also provide an optional description for the task sequence group.

1760

Task Sequence Variables

Task sequence variables are a set of name and value pairs that supply configuration and operating system deployment settings for computer, operating system, and user state configuration tasks on a Configuration Manager client computer. Task sequence variables provide a mechanism to configure and customize the steps in a task sequence. When you run a task sequence, many of the task sequence settings are stored as environment variables. You can access or change the values of built-in task sequence variables, and you can create new task sequence variables to customize the way a task sequence runs on a destination computer. You can use task sequence variables in the task sequence environment to perform the following actions: Configure settings for a task sequence action Supply command-line arguments for a task sequence step Evaluate a condition that determines whether a task sequence step or group is run Provide values for custom scripts used in a task sequence

For example, you might have a task sequence that includes a Join Domain or Workgroup task sequence step. The task sequence might be deployed to different collections, where the membership of the collection is determined by domain membership. In that case, you can specify a per-collection task sequence variable for each collections domain name and then use that task sequence variable to supply the appropriate domain name in the task sequence.

Creating Task Sequence Variables

You can add new task sequence variables to customize and control the steps in a task sequence. For example, you can create a task sequence variable to override a setting for a built-in task sequence step. You can also create a custom task sequence variable to use with conditions, command lines, or custom steps in the task sequence. When you create a task sequence variable, the task sequence variable and the associated value is preserved within the task sequence environment, even when the sequence restarts the destination computer. The variable and its value can be used within the task sequence across different operating system environments. For example, it can be used in a full Windows operating system and in the Windows PE environment. The following table describes the methods to create a task sequence variable and additional usage information.
Create method Usage

Setting fields in task sequence steps by using the Task Sequence Editor

Specifies default values for the task sequence step. The variable and value are accessible only when the step runs in the task sequence. They are not part of the overall sequence environment, and they are not accessible by
1761

Create method

Usage

other task sequence steps in the task sequence. For a list of the built-in variables and their associated actions, see Task Sequence Action Variables in Configuration Manager. Adding a set task sequence variable step in a task sequence Specifies the task sequence variable and value in the task sequence environment when the task sequence step is run as part of a task sequence. All subsequent task sequence steps can access the environment variable and its value. Specifies task sequence variables and values for a collection of computers. All task sequences targeted to the collection can access the task sequence variables and their values. Specifies task sequence variables and values for a particular computer. All task sequences targeted to the computer can access the task sequence variables and their values. Specifies task sequence variables and values for the task sequence that is run from the media that can access the task sequence variable and its value.

Defining a per-collection variable

Defining a per-computer variable

Adding a task sequence variable on the Customization page of the Task Sequence Media Wizard

To override the default value for a built-in task sequence variable, you must define a task sequence variable with the same name as the built-in task sequence variable. For a list of built-in task sequence variables with the associated actions and usage, see Task Sequence Built-in Variables in Configuration Manager. You can delete a task sequence variable from the task sequence environment by using the same methods as creating a task sequence variable. In this case, to delete a variable from the task sequence environment, you set the task sequence variable value to an empty string. You can combine methods to set an environment task sequence variable to different values for the same sequence. In an advanced scenario, you might set the default values for steps in a sequence using the Task Sequence Editor and then set a custom variable value using the different creation methods. The following list describes the rules that determine which value is used when a task sequence variable is created by using more than one method. 1. The Set Task Sequence Variable step overrides all other creation methods.
1762

2. Per-computer variables take precedence over per-collection variables. If you specify the same task sequence variable name for a per-computer variable and a per-collection variable, the per-computer variable value is used when the destination computer runs the deployed task sequence. 3. Task sequences can be run from media. Use the media variables in place of per-collection or per-computer variables. If the task sequence is running from media, per-computer and percollection variables do not apply and are not used. Instead, task sequence variables defined on the Customization page of the Task Sequence Media wizard are used to set values specific to a task sequence that runs from media 4. If a task sequence variable value is not set in the overall sequence environment, built-in actions use the default value for the step, as set in the Task Sequence Editor. In addition to overriding values for built-in task sequence step settings, you can also create a new environment variable for use in a task sequence step, script, command line, or condition. When you specify a name for a new task sequence variable, follow these guidelines: The task sequence variable name that you specify can contain letters, numbers, the underscore character (_), and a hyphen (-). Task sequence variable names have a minimum length of 1 character and a maximum length of 256 characters. User defined variables must begin with a letter (A-Z or a-z). User-defined variable names cannot begin with the underscore character. Only read-only task sequence variables are preceded by the underscore character Note Read-only task sequence variables can be read by task sequence steps in a task sequence but they cannot be set. For example, you can use a read-only task sequence variable as part of the command line for a Run Command Line task sequence action variable, but you cannot set a read-only variable by using the Set Task Sequence Variable action variable. Task sequence variable names are not case sensitive. For example, OSDVAR and osdvar represent the same task sequence variable. Task sequence variable names cannot begin or end with a space or contain embedded spaces. Spaces that are left at the beginning or the end of a task sequence variable name are ignored.

The following table displays examples of valid and non-valid user-specified task sequence variables.
Examples of valid user-specified variable nNames Examples of non valid user-specified variable names

MyVariable

1Variable User-specified task sequence variables cannot begin with a number.

1763

Examples of valid user-specified variable nNames

Examples of non valid user-specified variable names

My_Variable

MyV@riable User-specified task sequence variables cannot contain the @ symbol.

My_Variable_2

_MyVariable User-specified task sequence variables cannot begin with an underscore.

General limitations for task sequence variables: Task sequence variable values cannot exceed 4,000 characters. You cannot create or override a read-only task sequence variable. Read-only variables are designated by names that start with an underscore character (_). You can access the value of read-only task sequence variables in your task sequence; however, you cannot change their associated values. There is no limit to how many task sequence variables can be created; however, the total size of the task sequence environment cannot exceed 10 MB.

Accessing Task Sequence Environment Variables

After you specify the task sequence variable and its value by using one of the methods from the previous section, you can use the environment variable value in your task sequences. You can access default values for built-in task sequence variables, specify a new value for a built-in variable, or use a custom task sequence variable in a command line or script. The following table outlines task sequence operations that can be performed by accessing the task sequence environment variables.
Task sequence operation Usage

Configure action settings

You can specify that a task sequence step setting is provided by a variable value when the sequence runs. To supply a task sequence step setting by using a task sequence environment variable, use the Task Sequence Editor to edit the step and specify the variable name as the field value. The variable name must be enclosed in percent signs (%) to indicate that it is an environment variable.

Supply command-line arguments

You can specify part or all of a custom command line by using an environment variable
1764

Task sequence operation

Usage

value. To supply a command-line setting by using an environment variable, use the variable name as part of the Command Line field of the Run Command Line task sequence step. The variable name must be enclosed in percent signs (%). For example, the following command line uses a built-in environment variable to write the computer name to C:\File.txt.
Cmd /C %_SMSTSMachineName% > C:\File.txt

Evaluate a step condition

You can use built-in or custom task sequence environment variables as part of a task sequence step or group condition. The environment variable value will be evaluated before the task sequence step or group runs. To add a condition that evaluates a variable value, do the following: 1. Select the step or group that you want to add the condition to. 2. On the Options tab for the step or group, select Task Sequence Variable from the Add Condition drop down. 3. In the Task Sequence Variable dialog box, specify the name of the variable, the condition that is tested, and the value of the variable.

Provide information for a custom script

Task Sequence variables can be read and written by using the Microsoft.SMS.TSEnvironment COM object while the task sequence is running. The following example illustrates a Visual Basic script file that queries the _SMSTSLogPath task sequence variable to get the current log location. The script also sets a custom variable.
dim osd: set env = CreateObject("Microsoft.SMS.TSEnvironment")

1765

Task sequence operation

Usage
dim logPath

' You can query the environment to get an existing variable. logPath = env("_SMSTSLogPath")

' You can also set a variable in the OSD environment. env("MyCustomVariable") = "varname"

For more information about how to use task sequence variables in scripts, refer to the SDK documentation

Computer and Collection Variables

You can configure task sequences to run on multiple computers or collections simultaneously. You can specify unique per-computer or per-collection information, such as specify a unique operating system product key or join all the members of a collection to a specified domain. You can assign task sequence variables to a single computer or a collection. When the task sequence starts to run on the target computer or collection, the values specified are applied to the target computer or collection. You can specify task sequence variables for a single computer or a collection. When the task sequence starts to run on the target computer or collection, the variables specified are added to the environment and the values are available to all task sequence steps in the task sequence. Warning If you use the same variable name for both a per-collection and per-computer variable, the computer variable value takes precedence over the collection variable. Task sequence variables that you assign to collections take precedence over built-in task sequence variables. For more information about how to create task sequence variables for computers and collections, see How to Create Task Sequence Variables for Computers and Collections

Task Sequence Media Variables

You can specify task sequence variables for task sequences that are run from media. When using media to deploy the operating system you add the task sequence variables and specify their values when you create the media; the variables and their values are stored on the media.
1766

Note Task sequences are stored on stand-alone media. However, all other types of media, such as prestaged media, retrieve the task sequence from a management point. You can specify task sequence variables on the Customization page of the Task Sequence Media Wizard. For information about how to create media, see How to Deploy Operating Systems by Using Media in Configuration Manager.

Creating Task Sequences

You create task sequences by using the Create Task Sequence Wizard. The wizard can create built-in task sequences that perform specific tasks or custom task sequences that can perform many different tasks. For example, you can create task sequences that build and capture an operating system image of a reference computer, install an existing operating system image on a destination computer, or create a custom task sequence that performs a customized task. You can use custom task sequences to perform specialized operating system deployments or to perform other custom tasks. For more information about how to create task sequences, see the How to Create Task Sequences section of the How to Manage Task Sequences in Configuration Manager topic.

Editing a Task Sequence

You edit the task sequence by using the Task Sequence Editor. The editor can make the following changes to the task sequence: You can add or remove steps from the task sequence. You can change the order of the steps of the task sequence. You can add or remove groups of steps. You can specify whether the task sequence continues when an error occurs. You can add conditions to the steps and groups of a task sequence. Important If the task sequence has any unassociated references to a package or a program as a result of the edit, you must correct the reference, delete the unreferenced program from the task sequence, or temporarily disable the failed task sequence step until the broken reference is corrected or removed. For more information about how to edit task sequences, see the How to Edit a Task Sequence section of the How to Manage Task Sequences in Configuration Manager topic.

Deploying a Task Sequence

You can deploy a task sequence to destination computers that are in any Configuration Manager collection. This includes the All Unknown Computers collection that is used to deploy operating
1767

systems to unknown computers. However, you cannot deploy a task sequence to user collections. Important Do not deploy task sequences that install operating systems to inappropriate collections, such as the All Systems collection. Be sure that the collection that you deploy the task sequence to contains only those computers where you want the operating system to be installed. Each destination computer that receives the task sequence runs the task sequence according to the settings specified in the deployment. The task sequences itself does not contain associated files or programs. Any files that are referenced by a task sequence must already be present on the destination computer or reside on a distribution point that clients can access. In addition, the task sequence installs the packages that are referenced by programs, even if the program or package is already installed on the destination computer. Note In comparison to packages and programs, if the task sequence installs an application, the application installs only if the requirement rules for the application are met and the application is not already installed, based on the detection method that is specified for the application. The Configuration Manager client runs a task sequence deployment when it downloads client policy. To initiate this action rather than wait until the next polling cycle, see Initiate Policy Retrieval for a Configuration Manager Client. Starting in Configuration Manager SP1, when you deploy task sequences to Windows Embedded devices that are write filter enabled, you can specify whether to disable the write filter on the device during the deployment and then restart the device after the deployment. If the write filter is not disabled, the task sequence is deployed to a temporary overlay and it will not be available when the device restarts. Note When you deploy a task sequence to a Windows Embedded device, ensure that the device is a member of a collection that has a configured maintenance window. This allows you to manage when the write filter is disabled and enabled, and when the device restarts. If clients download task sequences outside of a maintenance window, the task sequence is downloaded twice. In this scenario clients will download the task sequence, disable the write filters, restart the computer, and then download the task sequence again because the task sequence was downloaded to the temporary overlay which is cleared when the device restarts. For more information about how to deploy task sequences, see the How to Deploy a Task Sequence section of the How to Manage Task Sequences in Configuration Manager topic.

1768

Exporting and Importing Task Sequences

Configuration Manager lets you export and import task sequences. When you export a task sequence, you can include the objects that are referenced by the task sequence. These include an operating system image, a boot image, a client agent package, a driver package, and applications that have dependencies. Note The export and import process for task sequences is very similar to the export and import process for applications in Configuration Manager. For more information about how to export and import task sequences, see the How to Export and Import Task Sequences section of the How to Manage Task Sequences in Configuration Manager topic.

Running Task Sequences

By default task sequences always run by using the Local System account. The task sequence command-line step provides the ability to run the task sequence as a different account. When the task sequence is run, the Configuration Manager client first checks for any referenced packages before it starts the steps of the task sequence. If a referenced package is not validated or is not available on a distribution point, the task sequence returns an error for the associated task sequence step. If a distributed task sequence is configured to download and run, all dependent packages and applications are downloaded to the Configuration Manager client cache. The required packages and applications are obtained from distribution points, and if the Configuration Manager client cache size is too small or the package or application cannot be found, the task sequence fails and a status message is generated. You can also specify that the client downloads the content only when it is required when you select Download content locally when needed by running task sequence, or you can use the Run program from distribution point option to specify that the client installs the files directly from the distribution point without downloading them into the cache first. The Run program from distribution point option is available only if the referenced packages have the setting Copy the content in this package to a package share on distribution points enabled on the Data Access tab of the Package properties. If a dependent package or application cannot be located by the client running the task sequence, the client immediately sends an error when the deployment is configured as Available. However, if the deployment is configured as Required, the Configuration Manager client waits and retries to download the content until the deadline, in case the content is not yet replicated to a distribution point that the client can access. When a task sequence completes successfully or fails, Configuration Manager records this in the Configuration Manager client history. You cannot cancel or stop a task sequence after it is initiated on a computer. Important
1769

If a task sequence step requires the client computer to restart, the client must be able to boot to a formatted disk partition. Otherwise, the task sequence fails regardless of any error handling that is specified by the task sequence. When a dependent object of a task sequence, such as a software distribution package, is updated to a newer version, any task sequence that references the package is automatically updated and it references the newest version, regardless of how many updates have been deployed. Note Before a Configuration Manager client runs a task sequence, the client checks all task sequences for possible dependencies and the availability of those dependencies on a distribution point. If the client finds a deleted object that the task sequence depends on, the client generates an error and does not run the task sequence.

Run a Program Before the Task Sequence is Run

You can select a program that runs before the task sequence is run. To specify a program to run first, open the Properties dialog box for the task sequence and select the Advanced tab to set the following options: Important To run a program before the task sequence is run, all content for the task sequence and program must be available on a package share for the package. You configure the package share on the Data Access tab in the properties for the package. Run another program first: Specify that you want another program to run before the task sequence is run. Important This setting applies only to task sequences that run in the full operating system. Configuration Manager ignores this setting if the task sequence is started by using PXE or boot media. Package: Specify the package that contains the program. Program: Specify the program to run. Always run this program first: Specify that you want Configuration Manager to run this program every time it runs the task sequence on the same client. By default, after a program is run successfully, the program is not run again if the task sequence is rerun on the same client.

If the selected program fails to run on a client, the task sequence is not run.

1770

Running Task Sequences in a Maintenance Window

You can specify when the task sequence can run by defining a maintenance window for the collection that contains your destination computers. Maintenance windows are configured with a start date, a start and finish time, and a recurrence pattern. In addition, when you set the schedule for the maintenance window you can specify that the maintenance window applies only to task sequences. For more information about maintenance windows, see How to Use Maintenance Windows in Configuration Manager. Important When you configure a maintenance window to run a task sequence, once the task sequences starts it continues to run even if the maintenance window closes. The task sequence will either complete successfully or fail.

Task Sequences and the Network Access Account

Although task sequences run only in the context of the Local System account, you might need to configure the Network Access Account in the following circumstances: You must configure the Network Access Account correctly or the task sequence will fail if it tries to access Configuration Manager packages on distribution points to complete its task. For more information about the Network Access account, see the Configure the Network Access Account section of the Configuring Content Management in Configuration Manager topic. Note The Network Access Account is never used as the security context for running programs, installing applications, installing updates, or running task sequences; however, the Network Access account is used to access the associated resources on the network. When you use a boot image to initiate an operating system deployment, Configuration Manager uses the Windows PE environment, which is not a full operating system. The Windows PE environment uses an automatically generated, random name that is not a member of any domain. If you do not configure the Network Access Account correctly, the computer might not have the necessary permissions to access the required Configuration Manager packages to complete the task sequence.

Creating Media for Task Sequences

You can write task sequences and their related files and dependencies to several types of media. This includes writing to removable media such as a DVD or CD set or a USB flash drive for capture, stand-alone, and bootable media, or writing to a Windows Imaging Format (WIM) file for prestaged media. You can create the following types of media:
1771

Capture media. Capture media captures an operating system image that is configured and created outside the Configuration Manager infrastructure. Capture media can contain custom programs that can run before a task sequence runs. The custom program can interact with the desktop, prompt the user for input values, or create variables to be used by the task sequence. For more information about capture media, see the Capturing an Operating System Image by Using Media section of the Planning for Media Operating System Deployments in Configuration Manager topic.

Stand-alone media. Stand-alone media contains the task sequence and all associated objects that are necessary for the task sequence to run. Stand-alone media task sequences can run when Configuration Manager has limited or no connectivity to the network. Standalone media can be run in the following ways: If the destination computer is not booted, the Windows PE image that is associated with the task sequence is used from the stand-alone media and the task sequence begins. The stand-alone media can be manually started if a user is logged on to the network and initiates the installation. Important The steps of a stand-alone media task sequence must be able to run without any retrieving any data from the network; otherwise, the task sequence step that tries to retrieve the data fails. For example, a task sequence step that requires a distribution point to obtain a package fails; however if the necessary package is contained on the stand-alone media, the task sequence step succeeds. For more information about stand-alone media, see the Operating System Deployments by Using Stand-Alone Media section of the Planning for Media Operating System Deployments in Configuration Manager topic.

Bootable media. Bootable media contains the required files to start a destination computer so that it can connect to the Configuration Manager infrastructure to determine which task sequences to run based on its membership to a collection. The task sequence and dependent objects are not contained on the media; instead, they are obtained over the network from the Configuration Manager client. This method is useful for new computers or bare-metal deployments, or when no Configuration Manager client or operating system is on the destination computer. For more information about bootable media, see the Operating System Deployments by Using Bootable Media section of the Planning for Media Operating System Deployments in Configuration Manager topic.

Prestaged media. Prestaged media deploys an operating system image to a destination computer that is not provisioned. The prestaged media is stored as a Windows Imaging Format (WIM) file that can be installed on a bare-metal computer by the manufacturer or at an enterprise staging center that is not connected to the Configuration Manager environment. For more information about prestaged media, see the Operating System Deployments by Using Prestaged Media section of the Planning for Media Operating System Deployments in Configuration Manager topic.
1772

When you create media, specify a password for the media to control access to the files that are contained on the media. If you specify a password, a user must be present to enter the password at the target computer when the task sequence is run. When you run a task sequence by using media, the specified computer chip architecture contained on the media will not be recognized and the task sequence attempts to run even if the architecture specified does not match what is actually installed on the target computer. If the chip architecture contained on the media does not match the chip architecture installed on the target computer, the installation fails. For more information about how to deploy operating systems by using media, see Planning for Media Operating System Deployments in Configuration Manager

See Also
Planning How to Deploy Operating Systems in Configuration Manager

Planning for Operating System Deployments in a NAP-Enabled Environment

When you deploy an operating system and the System Center 2012 Configuration Manager client into an environment that uses Network Access Protection (NAP), you must take additional configuration steps. Failing to configure an operating system deployment correctly for Network Access Protection can result in the newly deployed computers having restricted network access with failed remediation. Clients that run Windows Vista and Windows Server 2008 natively support Network Access Protection, whereas computers running Windows XP do not natively support Network Access Protection and require the installation of an additional Network Access Protection client. For more information about the Network Access Protection Client for Windows XP, see the Network Access Protection website. Network Access Protection supports a number of enforcement mechanisms, such as IPsec, 802.1X, VPN, and DHCP. Each enforcement mechanism requires its respective Network Access Protection enforcement client to be enabled and the Windows Network Access Protection Service started and configured for automatic startup. For more information about the prerequisites to use Network Access Protection with software updates in Configuration Manager, see Prerequisites for Software Updates in Configuration Manager. Use the steps in the following sections to ensure that the enforcement mechanism and the Windows Network Access Protection Service is enabled and will interact correctly with the Configuration Manager client when you deploy an operating system into a NAP-enabled environment.

1773

The Reference Computer Is Configured for Network Access Protection

The following scenario is appropriate if all your operating system deployments are in a NAPenabled environment, using the same NAP-enforcement mechanism: 1. Configure the reference computer with the operating system, service packs, security updates, applications, settings, tools and desktop customization. 2. If the operating system is Windows XP, install the Network Access Protection Client for Windows XP. 3. Enable the appropriate Network Access Protection enforcement clients. 4. Configure the Windows Network Access Protection service to start automatically, and start the service. 5. Capture the operating system image by using capture media. 6. Create a task sequence that references the captured image. 7. Deploy the task sequence to the destination computers. With this configuration, the Network Access Protection enforcement client and Windows Network Access Protection Service start automatically in the newly deployed computer because they are part of the image. Also, they will already be running when the Configuration Manager client installs, ensuring that the Configuration Manager client can bind to the Windows Network Access Protection Service.

The Reference Computer Is Not Configured for Network Access Protection

The following scenario would be appropriate if only some of your computers are installed into a NAP-enabled environment or if you must add the configuration for Network Access Protection to an existing captured image: 1. Configure the reference computer with the operating system, service packs, security updates, applications, settings, tools and desktop customization. 2. Capture the operating system image by using capture media. 3. Create a deployment task sequence that references the captured image. 4. If the operating system is Windows XP, add a task sequence step that will run in the newly deployed operating system to install the Network Access Protection Client for Windows XP. 5. Add a custom task sequence step that runs in the newly deployed operating system to enable the appropriate Network Access Protection enforcement clients. Note Use the command-line utility, netsh nap client set enforcement <enforcement ID> enable. For more information, see the Windows Network Access Protection documentation. For ongoing configuration, ensure that Group Policy configures the enforcement clients.
1774

6. Add a task sequence step that runs in the newly deployed operating system to configure the Windows Network Access Protection Service to start automatically, and start the service. Note For ongoing configuration, ensure that Group Policy configures this service. 7. Add a task sequence step to restart the computer. Note This restart is required to ensure that the enforcement clients and the Windows Network Access Protection Service are already running when the Configuration Manager client starts, and ensures that the Configuration Manager client can correctly bind to the Windows Network Access Protection Service. 8. Deploy the task sequence to the destination computers.

See Also
Planning How to Deploy Operating Systems in Configuration Manager

Planning for Operating System Deployment Interoperability

When different Microsoft System Center 2012 Configuration Manager sites in a single hierarchy use different service pack versions, some Configuration Manager functionality is not available. Typically, functionality from the newer service pack version of Configuration Manager is not accessible at sites or by clients that run a lower service pack version. For more information, see Interoperability between Different Versions of Configuration Manager. Consider the following when you upgrade the top-level site in your hierarchy and other sites in your hierarchy run Configuration Manager with no service pack: Client installation package The source for the default client installation package is automatically upgraded to the Configuration Manager SP1 version and all distribution points in the hierarchy are updated with the new client installation package, even on distribution points at sites in the hierarchy that have not yet been upgraded to SP1. Clients that run SP1 cannot be assigned to sites that have not yet been upgraded to SP1. Assignment is blocked at the management point. When you upgrade the top-level site to Configuration Manager SP1, the default boot images (x86 and x64) are automatically updated to Windows ADK-based boot images, which use Windows PE 4. The files that are associated with the default boot images are updated with the Configuration Manager SP1 version of the files.

Boot images

1775

To prevent task sequences from failing, make sure that the version of the boot image corresponds to the version of the Configuration Manager client installation package that you configure in the task sequence. For example, a Windows AIK-based boot image that uses Windows PE 3 must correspond to the Configuration Manager with no service pack client installation package version. A Windows ADK-based boot image must correspond to the Configuration Manager SP1 client installation package version. Avoid the use of dynamic media when your site hierarchy contains sites with different versions of Configuration Manager. Instead, use site-based media to contact a specific management point until all sites are upgraded to the same version of Configuration Manager. You can import and use Windows AIK-based boot images only in a Configuration Manager site that does not have Service Pack 1 installed. You can import and use Windows ADK-based boot images only in a Configuration Manager site that has Service Pack 1 installed.

While you are actively upgrading sites in your hierarchy from Configuration Manager with no service pack to Configuration Manager SP1, use the following sections to help you with operating system deployments.

Configuration Manager SP1 Sites in a Mixed Hierarchy

When you upgrade a site to Configuration Manager SP1, task sequences that reference the default client installation package will automatically start to deploy the Configuration Manager SP1 client version. Task sequences that reference a custom client installation package will continue to deploy the version of the client that is contained in that custom package (likely the Configuration Manager with no service pack client version), and must be updated to avoid task sequence deployment failures. When you have a task sequence that is configured to use a custom client installation package, you must update the task sequence step to use the Configuration Manager SP1 version of the client installation package or update the custom package to use the Configuration Manager SP1 client installation source. Important Do not deploy a task sequence that references the Configuration Manager SP1 client installation package to clients in a Configuration Manager with no service pack site. When clients assigned to a Configuration Manager with no service pack site are upgraded to the Configuration Manager SP1 client version, Configuration Manager blocks the assignment to the Configuration Manager with no service pack site. Therefore, the client is longer assigned to any site and will be unmanaged until you manually assign the client to a Configuration Manager SP1 site or reinstall the Configuration Manager with no service pack version of the client on the computer. At Configuration Manager SP1 sites, deploy a task sequence that references a Windows ADKbased boot image, which you can only create or modify at a Configuration Manager SP1 site. Verify that the Configuration Manager SP1 boot images contain the desired customizations, and
1776

then update all distribution points in your Configuration Manager SP1 sites with the new boot images.

Configuration Manager with No Service Pack in a Mixed Hierarchy

When you have upgraded your central administration site to Configuration Manager SP1, you must take the following steps to ensure that operating system deployment task sequences that you deploy to clients assigned to a Configuration Manager with no service pack site (not yet upgraded to Configuration Manager SP1) do not leave those clients in an unmanaged state. Create a task sequence that you will use to deploy to clients only in a Configuration Manager with no service pack site. Likely, you will make a copy of a task sequence that you use to deploy to clients in a Configuration Manager SP1 site and then modify the task sequence so you can deploy it to clients in a Configuration Manager with no service pack site. Then, configure the task sequence to reference a custom client installation package that uses the Configuration Manager with no service pack client installation source. If you do not already have a custom client installation package that references the Configuration Manager with no service pack client installation source then you must manually create one. Configuration Manager SP1 adds a deployment option to make task sequence deployments available to only media and PXE. This option is not recognized by Configuration Manager clients with no service pack. Therefore, those clients will still run any deployments that are configured to use this option as long as they are included in the collection that is targeted by the deployment. Avoid using this deployment option until you have upgraded all clients in your hierarchy to Configuration Manager SP1. Important Failure to understand the implications of this interoperability consideration could result in data loss. Deploy a task sequence that references a Windows AIK-based boot image at Configuration Manager with no service pack sites. You can only create or modify a Windows AIK-based boot image at a Configuration Manager with no service pack site. Verify that the Configuration Manager with no service pack boot images contain the desired customizations, and if required, update all distribution points in your Configuration Manager with no service pack sites with the manually updated boot images.

Configuring Configuration Manager for Operating System Deployments

To deploy operating systems in System Center 2012 Configuration Manager, you might be required to perform various Configuration Manager configuration tasks based on the deployment method that you choose.

1777

Operating System Deployment Configuration Topics

Use the following topics to help you configure your Configuration Manager site: How to Manage Operating System Images and Installers in Configuration Manager How to Manage Boot Images in Configuration Manager How to Manage the Driver Catalog in Configuration Manager How to Manage Task Sequences in Configuration Manager How to Manage the User State in Configuration Manager How to Manage Unknown Computer Deployments in Configuration Manager How to Associate Users with a Destination Computer How to Manage Multicast in Configuration Manager

Other Resources for this Product

TechNet Library main page for System Center 2012 Configuration Manager Operating System Deployment in Configuration Manager

How to Manage Operating System Images and Installers in Configuration Manager

Use the procedure in this topic to add an operating system image or an operating system install package to a System Center 2012 Configuration Manager site. The operating system images and install packages can then be distributed to distribution points where they can be used to deploy operating systems to destination computers.

How to Add an Operating System Image or Operating System Installer

Use the following procedures to add an operating system image or an operating system installer to a site. To add an operating system image 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Operating Systems, and then click Operating System Images. 3. On the Home tab, in the Create group, click Add Operating System Image to start the Add Operating System Image Wizard. 4. On the Data Source page, specify the network path to the operating system image. For
1778

example, specify \\server\path\OS.WIM for the operating system image WIM file. 5. On the General page, specify the following information, and then click Next. This information is useful for identification purposes when you add multiple operating system images to the same site. Name: Specify the name of the image. By default, the name of the image is taken from the WIM file. Version: Specify the version of the image. Comment: Specify a brief description of the image.

6. Complete the wizard. You can now distribute the operating system image to the distribution points that are accessed by your deployment task sequences. To add an operating system installer 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Operating Systems, and then click Operating System Installers. 3. On the Home tab, in the Create group, click Add Operating System Installer to start the Add Operating System Wizard. 4. On the Data Source page, specify the network path to the installation source files of the operating system installer. For example, specify the UNC \\server\path to where the installation source files are located. 5. On the General page, specify the following information, and then click Next. This information is useful for identification purposes when you have multiple operating system installers. Name: Specify the name of the operating system installer. Version: Specify the version of the operating system installer. Comment: Specify a brief description of the operating system installer.

6. Complete the wizard. You can now distribute the operating system installer to the distribution points that are accessed by your deployment task sequences.

Apply Software Updates to an Operating System Image

Periodically, new software updates are released that are applicable to the operating system in your operating system image. You can apply applicable software updates to an image on a specified schedule. On the schedule that you specify, Configuration Manager applies the software updates that you select to the operating system image, and then optionally distributes the updated image to distribution points.

1779

Information about the operating system image is stored in the site database, including the software updates that were applied at the time of the import. Software updates that have been applied to the image since it was initially added are also stored in the site database. When you start the wizard to apply software updates to the operating system image, the wizard retrieves a list of applicable software updates that have not yet been applied to the image for you to select. For Configuration Manager SP1 only: In Configuration Manager with no service pack, when Configuration Manager failed to apply a software update, it would stop the process and not apply any additional software updates. Starting in Configuration Manager SP1, you can select the Continue on error setting for Configuration Manager to continue to apply software updates even when there is an error applying one or more of the software updates that you selected. Note In Configuration Manager with no service pack, the software updates are copied from the source location for each software update. Starting in Configuration Manager SP1, the software updates are copied from the content library on the site server. Use the following procedure to apply software updates to an operating system image. To apply software updates to an operating system image 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Operating Systems, and then click Operating System Images. 3. Select the operating system image to which to apply software updates. 4. On the Home tab, in the Operating System Image group, click Schedule Updates to start the wizard. 5. On the Choose Updates page, select the software updates to apply to the operating system image, and then click Next. 6. On the Set Schedule page, specify the following settings, and then click Next. a. Schedule: Specify the schedule for when the software updates are applied to the operating system image. b. Continue on error: For Configuration Manager SP1 only: Select this option to continue to apply software updates to the image even when there is an error. c. Distribute the image to distribution points: Select this option to update the operating system image on distribution points after the software updates are applied.

7. On the Summary page, verify the information, and then click Next. 8. On the Completion page, verify that the software updates were successfully applied to the operating system image.

1780

Additional Actions to Manage Operating System Images or Operating System Installers

After operating system images and operating system installers are added to a site, you can perform additional actions by selecting an object in the Operating System Images or Operating System Installers list. These actions include the following:
Action Description

Distribute Content

Starts the Distribute Content Wizard to distribute the selected object to specific distribution points. Starts the Update Distribution Points Wizard to update the content on the distribution points where the selected object is distributed. The package version is incremented and the distribution points are updated with only the files that have changed in the package. Starts the Create Prestaged Content File Wizard. For information about how to create a prestaged content file, see Prestage Content on a Distribution Point. Opens the Manage Access Accounts dialog box where you can add an access account to the selected object, edit the access rights for an account, or remove an access account from the selected object. For more information about Package Access Accounts, see Technical Reference for Accounts Used in Configuration Manager

Update Distribution Points

Create Prestaged Content File

Manage Access Accounts

Move

Moves the selected object to another folder.

See Also
Configuring Configuration Manager for Operating System Deployments

1781

How to Manage Boot Images in Configuration Manager

Use the procedures in this topic to manage the boot images in your System Center 2012 Configuration Manager environment. These images are used to boot the destination computer when you deploy an operating system. Use the following sections to manage boot images: How to Add Boot Images How to Specify where Boot Images are Distributed How to Modify a Boot Image Configure Multiple Languages for Boot Image Deployment Additional Actions to Manage Boot Images Customizing Boot Images by Using the Windows Automated Installation Kit (Windows AIK)

How to Add Boot Images

Boot images in Configuration Manager with no service pack use Windows PE based on Windows 7 and are created by using Windows Automated Installation Kit (Windows AIK). Starting in Configuration Manager SP1, boot images use Windows PE based on Windows 8 and are created by using the Windows Assessment and Deployment Kit (Windows ADK). An error occurs when you try to add a boot image that was not created by using the appropriate tools. For example, in Configuration Manager SP1 you will encounter an error if you try to add an image that was created by using Windows AIK. Also, if you deploy a task sequence that uses boot images created by using Windows ADK to a site that continues to run Configuration Manager with no service pack, the task sequence will fail. For more information about boot images in a Configuration Manager hierarchy with sites that run both Configuration Manager SP1 and Configuration Manager with no service pack, see Planning for Operating System Deployment Interoperability To add a boot image, you must know the path to where the boot image file (.WIM file) is located. If the WIM file contains multiple boot images, you can select the boot image that you want to add from the WIM file. Use the following procedure to add a boot image. To add a boot image 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Operating Systems, and then click Boot Images. 3. On the Home tab, in the Create group, click Add Boot Image to start the Add Boot Image Wizard. 4. On the Data Source page, specify the following options, and then click Next.
1782

In the Path box, specify the path to the boot image WIM file. Click Browse to locate a specific boot image file. The specified path must be a valid network path in the UNC format. For example: \\servername\<sharename>\bootimage.wim.

Select the required boot image from the Boot Image drop-down list. If the WIM file contains multiple boot images, each image is listed. In the Name box, specify a unique name for the boot image. In the Version box, specify a version number for the boot image. In the Comment box, specify a brief description of how the boot image is used.

5. On the General page, specify the following options, and then click Next.

6. Complete the wizard. The boot image is now listed in the Boot Image node. However, before you can use the boot image to deploy an operating system. you must distribute the boot image to distribution points, distribution point groups, or to collections that are associated with distribution point groups.

How to Specify where Boot Images are Distributed

To distribute the boot image you must specify where the Configuration Manager client will access the boot image. You can specify single distribution points, distribution point groups, or collections that are associated with distribution point groups. For more information about distributing content in Configuration Manager, see Distribute Content on Distribution Points. Use the following procedure to specify where the boot image is distributed. To specify where the boot image is distributed 1. In the Boot Images node, select the boot image objects that you want to deploy. 2. On the Home tab, in the Deployment group, click Distribute Content to start the Distribute Content Wizard. 3. On the General page, in the Content box, select the boot image that you want to distribute, and then click Next. 4. On the Content Destination page, click Add, and then select Collections, Distribution Point, or Distribution Point Group to display a list of the available collections that are associated with distribution point groups, distribution points, and distribution point groups. 5. Select the collections, distribution points, and distribution point groups where the boot image will be distributed, and then click OK. 6. Click Next. 7. Complete the wizard.

1783

How to Modify a Boot Image

You can modify the settings of the boot images that are listed under the Boot Image node. This includes the boot images that you create and the default boot images that are provided by Configuration Manager. These settings are configured by using the Properties page of the boot image object. Many of the boot image settings are self-explanatory, such as the Name, Version, and Comment settings on the General tab of the Properties page. Use the following procedure to change the properties of a boot image. To modify the properties of a boot image 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Operating Systems, and then click Boot Images. 3. Select the boot image that you want to modify. 4. On the Home tab, in the Properties group, click Properties to open the Properties dialog box for the boot image. 5. Set any of the following settings to change the behavior of the boot image: On the Images tab, if you have changed the properties of the boot image by using an external tool, click Reload. On the Drivers tab, add the Windows device drivers that are required to boot Windows PE. Consider the following when you add device drivers: As a best practice, add only NIC and Mass Storage Drivers to the boot image unless there are requirements for other drivers to be part of Windows PE. Because Windows PE already comes with many drivers built in, add only NIC and Mass Storage Drivers that are not supplied by Windows PE. Make sure that the drivers that you add to the boot image are Windows 7 or Windows Server 2008 R2 drivers, and that they match the architecture of the boot image. Note You must import device drivers into the drivers catalog before you add them to a boot image. For information about how to import device drivers, see the How to Import Windows Device Drivers section in the How to Manage the Driver Catalog in Configuration Manager topic. On the Customization tab, select any of the following settings: Select the Enable Prestart Commands check box to specify a command to run before the task sequence is run. When prestart commands are enabled, you can then specify the command line that is run, whether support files are required to run the command, and the source location of those support files. Tip Add cmd /c to the start of the command line to avoid the need to specify
1784

the exact location on the media for the prestart command files. Set the Windows PE Background settings to specify whether you want to use the default Windows PE background or a custom background. Select the Enable command support (testing only) check box to open a command prompt by using the F8 key while the boot image is deployed. This is useful for troubleshooting while you are testing your deployment. Using this setting in a production deployment is not advised. For Configuration Manager SP1 only:

Configure the Windows PE scratch space, which is temporary storage (RAM drive) used by Windows PE. For example, when an application is run within Windows PE and needs to write temporary files, Windows PE redirects the files to the scratch space in memory to simulate the presence of a hard disk. By default, Windows PE allocates 32 megabytes (MB) of writeable memory.
On the Data Source tab, update any of the following settings: Set the Image path and Image index boxes to change the source file of the boot image. Select the Update distribution points on a schedule check box to create a schedule for when the boot image package is updated. Select the Persist content in client cache check box if you do not want the content of this package to age out of the client cache to make room for other content. Select the Enable binary differential replication check box to specify that only changed files are distributed when the boot image package is updated on the distribution point. This setting minimizes the network traffic between sites, especially when the boot image package is large and the changes are relatively small. Select the Deploy this boot image from the PXE service point check box if the boot image is used in a PXE deployment. Note For more information about PXE deployments, see Planning for PXEInitiated Operating System Deployments in Configuration Manager. On the Data Access tab, select any of the following settings: Set the Package share settings if you want clients to install the content in this package from the network. Set the Package update settings to specify how you want Configuration Manager to disconnect users from the distribution point. Configuration Manager might be unable to update the boot image when users are connected to the distribution point. In the Distribution priority list, specify the priority level that you want Configuration Manager to use when multiple packages are distributed to the
1785

On the Distribution Settings tab, select any of the following settings:

same distribution point. Select the Distribute the content for this package to preferred distribution points check box if you want to enable on-demand content distribution to preferred distribution points. When this setting is enabled, the management point distributes the content to all preferred distribution points when a client requests the content for the package and the content is not available on any preferred distribution points. Note For more information about preferred distribution points and on-demand content, see the Planning for Preferred Distribution Points and Fallback section of the Planning for Content Management in Configuration Manager topic. Set the Prestaged distribution point settings to specify how you want the boot image to be distributed to distribution points that are enabled for prestaged content. Note For more information about prestaged content, see the Prestage Content section of the Operations and Maintenance for Content Management in Configuration Manager topic. On the Content Locations tab, select the distribution point or distribution point group and perform any of the following actions: Click Redistribute to distribute the boot image to the selected distribution point or distribution point group again. Click Validate to check the integrity of the boot image package on the selected distribution point or distribution point group.

For Configuration Manager SP1 only: On the Optional Components tab, specify the components that are added to Windows PE for use with Configuration Manager. For more information about available optional components, see the Building a Windows PE Image with Optional Components topic in the Windows 8 documentation library.

On the Security tab, select an administrative user and change the operations that they can perform.

6. After you have configured the properties, click OK.

Configure Multiple Languages for Boot Image Deployment

For Configuration Manager SP1 only:

1786

In Configuration Manager with no service pack, while in Windows PE, text displayed by the task sequence is always in the language of Windows PE. To support multiple languages, you must create and deploy multiple boot images. Starting in Configuration Manager SP1, boot images are language neutral. This allows you to use one boot image that will display the task sequence text in multiple languages, while in Windows PE, if you include the appropriate language support from the Windows PE Optional Components and set the appropriate task sequence variable to indicate which language can be displayed. The language of the operating system that you deploy is independent from the language that is displayed when in Windows PE, regardless of the Configuration Manager version. The language that is displayed to the user is determined as follows: When a user runs the task sequence from an existing operating system, Configuration Manager automatically uses the language configured for the user. When the task sequence automatically runs as the result of a mandatory deployment deadline, Configuration Manager uses the language of the operating system. For operating system deployments that use PXE or media, you can set the language ID value in the SMSTSLanguageFolder variable as part of a prestart command. When the computer boots to Windows PE, messages are displayed in the language that you specified in the variable. If there is an error accessing the language resource file in the specified folder or you do not set the variable, messages are displayed in the Windows PE language. Note When the media is protected with a password, the text that prompts the user for the password is always displayed in the Windows PE language. Use the following procedure to set the Windows PE language for PXE or media-initiated operating system deployments. To set the Windows PE language for a PXE or media-initiated operating system deployment 1. Verify that the appropriate task sequence resource file (tsres.dll) is in the corresponding language folder on site server before you update the boot image. For example, the English resource file is in the following location: <ConfigMgrInstallationFolder>\OSD\bin\x64\00000409\tsres.dll. 2. As part of your prestart command, set the SMSTSLanguageFolder environment variable to the appropriate language ID. The language ID must be specified by using decimal and not hexadecimal. For example, to set the language ID to English, you would specify a decimal value of 1033 instead of the hexadecimal value of 00000409 used for the folder name. 3.

Additional Actions to Manage Boot Images

In addition to adding boot images and specifying where they can be distributed, you can perform the actions on the boot images listed in the Boot Image list. These actions include the following:
1787

Action

Description

Delete

Removes the image from the Boot Image node and also removes the image from the associated distribution points. Starts the Update Distribution Points Wizard. This action updates the boot image on the distribution points where it has been distributed. The package version is incremented and the distribution points are updated with only the files that have changed in the package. Starts the Create Prestaged Content File Wizard. For information about how to create a prestaged content file, see the Prestage Content on a Distribution Point section of the Operations and Maintenance for Content Management in Configuration Manager topic.

Update Distribution Points

Create Prestaged Content File

Manage Access Accounts

Opens the Manage Access Accounts dialog box where you can add an access account to a boot image, edit the access rights for an account, or remove an access account from a boot image. For more information about the Package Access Account, see Technical Reference for Accounts Used in Configuration Manager.

Move

Moves the boot image to another folder.

Customizing Boot Images by Using the Windows Automated Installation Kit (Windows AIK)
This section applies to Configuration Manager with no service pack only. Use the following procedure to create a new source boot image for 32-bit and 64-bit computers that can be imported to Configuration Manager: Important If the boot image that you import is not a valid boot image, the SMS Provider rejects it. To add a custom boot image for 32-bit or 64-bit computers to Configuration Manager
1788

1. Copy a boot image from the folder where the Windows Automated Installation Kit (Windows AIK) is installed to a temporary folder. 2. Mount the new copied boot image to a temporary directory. For example: dism.exe /mount-wim /wimFile:c:\winpe.wim /index:1 /mountdir:%systemroot%\temp\bootimages. 3. Install the two optional components that are required to deploy operating systems by using Configuration Manager:
Components for 32-bit computers Components for 64-bit computers

dism.exe /image:%systemroot%\temp\boot images /add-package /packagepath:"C:\Program Files\Windows AIK\Tools\PETools\x86\WinPE_F Ps\WinPE-Scripting.cab" dism.exe /image:%systemroot%\temp\boot images /add-package /packagepath:"C:\Program Files\Windows AIK\Tools\PETools\x86\WinPE_F Ps\WinPE-WMI.cab"

dism.exe /image:%systemroot%\temp\b ootimages /add-package /packagepath:"C:\Program Files\Windows AIK\Tools\PETools\ amd64\WinPE_FPs\WinPEScripting.cab" dism.exe /image:%systemroot%\temp\b ootimages /add-package /packagepath:"C:\Program Files\Windows AIK\Tools\PETools\ amd64\WinPE_FPs\WinPEWMI.cab"

4. Install any optional components to include with the boot image. 5. Copy the additional required files to the mount directory. 6. Dismount the boot image by using the following command: Dism /Unmount-Wim /MountDir: %systemroot%\temp\bootimages /Commit

See Also
Configuring Configuration Manager for Operating System Deployments

How to Manage the Driver Catalog in Configuration Manager

Use the procedures and information in this topic to manage the device drivers that are required to deploy operating systems in your System Center 2012 Configuration Manager environment. The procedures include how to import device drivers into the driver catalog, how to add and remove
1789

device drivers for driver packages and boot images, how to create driver packages, and how to install drivers on computers during the installation of the operating system. Use the following sections for more information about how to manage the driver catalog in Configuration Manager: Managing Device Drivers Managing Driver Packages How to Install Device Drivers on Computers by Using Task Sequences

For information about planning how to use the driver catalog when you deploy operating systems, see Planning a Device Driver Strategy in Configuration Manager.

Managing Device Drivers

Use these procedures and additional information to manage device drivers to perform the following: Import device drivers into the driver catalog. Add or remove device drivers to and from driver packages and boot images. Additional actions that manage device drivers.

How to Import Windows Device Drivers into the Driver Catalog

As part of the import process for the device driver, Configuration Manager reads the provider, class, version, signature, supported hardware, and supported platform information that is associated with the device. By default, the driver is named after the first hardware device that it supports; however, you can rename the device driver later. The supported platforms list is based on the information in the INF file of the driver. Because the accuracy of this information can vary, manually verify that the device driver is supported after it is imported into the driver catalog. In addition, when you import device drivers into the catalog, you can add the device drivers to driver packages or to boot image packages. Important You cannot import device drivers directly into a subfolder of the Drivers node. To import a device driver into a subfolder, first import the device driver into the Drivers node, and then move the driver to the subfolder. Use the following procedure to import Windows device drivers. To import Windows device drivers into the driver catalog 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Operating Systems, and then click Drivers. 3. On the Home tab, in the Create group, click Import Driver to start the Import New Driver Wizard.
1790

4. On the Locate Driver page, specify the following options, and then click Next: Import all drivers in the following network path (UNC) : To import all the device drivers that are contained in a specific folder, specify the network path to the device driver folder. For example: \\servername\folder. Import a specific driver: To import a specific driver from a folder, specify the network path (UNC) to the Windows device driver .INF or mass storage Txtsetup.oem file of the driver. Specify the option for duplicate drivers: Select how you want Configuration Manager to manage driver categories when a duplicate device drive is imported. Important When you import drivers, the site server must have Read permission to the folder, or the import fails. 5. On the Driver Details page, specify the following options, and then click Next: In the list of drivers, select the drivers that you want to import into the driver catalog. Enable these drivers and allow computers to install them: Select this setting to let computers install the device drivers. By default, this check box is selected. Important If a device driver is causing a problem or you want to suspend the installation of a device driver, you can disable the device driver by clearing the Enable these drivers and allow computers to install them check box. You can also disable drivers after they have been imported. To assign the device drivers to an administrative category for filtering purposes, such as "Desktops" or "Notebooks" categories, click Categories and select an existing category or create a new category. You can also use the category assignment to configure which device drivers that are applied to the deployment by the Auto Apply Drivers task sequence step.

6. On the Add Driver to Packages page, specify the following settings, and then click Next: Important This setting can help you when you use a task sequence to automate the deployment of the operating system. To install driver packages as part of a task sequence, use the Auto Apply Drivers and Apply Driver Package task sequence steps. Select the driver packages that are used to distribute the device drivers. Optionally, click New Package to create a new driver package. When you create a new driver package, you must provide a network share that is not in use by other driver packages. Clear the Update distribution points when finished check box if you do not want to update distribution points when the device drivers are added to the driver package. By default, this check box is selected because your device drivers cannot be used
1791

until they are distributed to distribution points. 7. On the Add Driver to Boot Images page, specify the following options, and then click Next: Note Add only mass storage and network device drivers to the boot images for operating system deployment scenarios. Specify the boot images that can install the imported device drivers. To update distribution points when the device drivers are added to the boot image, select the Update distribution points when finished check box. You cannot use device drivers until they are distributed to distribution points.

8. Complete the wizard.

How to Add and Remove Device Drivers That Are Associated with Driver Packages and Boot Images
Use the following procedures to modify driver packages and boot images. To add or remove device drivers, locate the drivers in the Drivers node, and then edit the packages or boot images that the selected drivers are associated with. Use the following procedure to add or remove device drivers associated with a driver package. To add or remove device drivers associated with driver packages 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Operating Systems, and then click Drivers. 3. In the Drivers node, select the device drivers that you want to add to the driver package. 4. On the Home tab, in the Driver group, click Edit, and then click Driver Packages. 5. To add a device driver, select the check box of the driver packages to which you want to add the device drivers. To remove a device driver, clear the check box of the driver packages from which you want to remove the device driver. If you are adding device drivers that are associated with driver packages, you can optionally create a new package, by clicking New Package, which opens the New Driver Package dialog box. 6. If you do not want to update the distribution points where the driver package is stored, clear the Update distribution points when finished check box. By default, the distribution points are updated when the driver package is updated. 7. Click OK. Use the following procedure to add or remove device drivers associated with a boot image. To add or remove device drivers associated with a boot image 1. In the Configuration Manager console, click Software Library.
1792

2. In the Software Library workspace, expand Operating Systems, and then click Drivers. 3. In the Drivers node, select the device drivers that you want to add to the driver package. 4. On the Home tab, in the Driver group, click Edit, and then click Boot images. 5. To add a device driver, select the check box of the boot image to which you want to add the device drivers. To remove a device driver, clear the check box of the boot image from which you want to remove the device driver. 6. If you do not want to update the distribution points where the boot image is stored, clear the Update distribution points when finished check box. By default, the distribution points are updated when the boot image is updated. 7. Click OK.

Additional Actions to Manage Device Drivers

You can perform additional actions to manage device drivers when you select one or more device drivers from the Drivers node. These actions include the following:
Action Description

Categorize

Clears, manages, or sets an administrative category for the selected device drivers. Removes the device driver from the Drivers node and also removes the driver from the associated distribution points. Prohibits the device driver from being installed. You can temporarily disable device drivers so that Configuration Manager client computers and task sequences cannot install them when you are deploying operating systems. Lets Configuration Manager client computers and task sequences install the device driver when the operating system is deployed. Moves the device driver to another folder in the Drivers node. Opens the Properties dialog box where you can review and change the properties of the device driver. For example, you can change the name and description of the device driver, enable the device driver, and specify which platforms the device driver can be run on.

Delete

Disable

Enable

Move

Properties

1793

Managing Driver Packages

Use the following procedure and additional information to create and manage driver packages.

How to Create Driver Packages

Use the following procedure to create a new driver package. You must add device drivers to a driver package and distribute them to distribution points before Configuration Manager clients can install the drivers. Important To create a driver package, you must have an empty network folder that is not used by another driver package. In most cases, you must create a new folder before you perform this procedure. Note When you use task sequences to install drivers, limit the number of drivers that are included in your driver packages. For installing drivers on computers running Windows XP, create driver packages that contain fewer than 150 device drivers. For computers running Windows Vista and later, create driver packages that contain less than 500 device drivers.

Use the following procedure to create a driver package. To create a driver package 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Operating Systems, and then click Driver Packages. 3. On the Home tab, in the Create group, click Create Driver Package. 4. In the Name box, specify a descriptive name for the driver package. 5. In the Comment box, enter an optional description for the driver package. Ensure that the description provides information about the contents or the purpose of the driver package. 6. In the Path box, specify an empty source folder for the driver package. Enter the path to the source folder in Universal Naming Convention (UNC) format. Each driver package must use a unique folder. Important The site server account must have Read and Write permissions to the specified source folder. The new driver package does not contain any drivers. The next step is to add drivers to the package. If the Driver Packages node contains several packages, you can add folders to the node to
1794

separate the packages into logical groups. To view the associated general, data source, distribution point, data access, and security information for the driver package, click Properties.

Additional Actions to Manage Driver Packages

You can perform additional actions to manage driver packages when you select one or more driver packages from the Driver Packages node. These actions include the following:
Action Description

Create Prestage Content file

Creates files that can be used to manually import content and its associated metadata. Use prestaged content when you have low network bandwidth between the site server and the distribution points where the driver package is stored. Removes the driver package from the Driver Packages node. Distributes the driver package to distribution points, distribution point groups, and distribution point groups that are associated with collections. Adds, modifies, or removes access accounts for the driver package. For more information about Package Access Accounts, see Technical Reference for Accounts Used in Configuration Manager.

Delete

Distribute Content

Manage Access Accounts

Move

Moves the driver package to another folder in the Driver Packages node. Updates the device driver package on all the distribution points where the package is stored. This action copies only the content that has changed after the last time it was distributed. Opens the Properties dialog box where you can review and change the content and properties of the device driver. For example, you can change the name and description of the device driver, enable the device driver, and specify on which platforms the device driver
1795

Update Distribution Points

Properties

Action

Description

can be run.

How to Install Device Drivers on Computers by Using Task Sequences

You can add steps to task sequences that install device drivers on the destination computer during the operating system deployment. You can specify the device drivers to install, or you can let Configuration Manager search the driver categories to determine the drivers to install. For more information about task sequences, see Planning a Task Sequences Strategy in Configuration Manager. Use the following procedure to install device drivers as part of the operating system deployment. You can use the one of the following Driver task sequence steps: Auto Apply Drivers Apply Driver Package To install device driver by using task sequences 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Operating Systems, and then click Task Sequences. 3. In the Task Sequences node, select the task sequence that you want to modify to install the device driver, and then click Edit. 4. Move to the location where you want to add the Driver steps, click Add, and then select Drivers. 5. Add the Auto Apply Drivers step if you want the task sequence to install all the device drivers or the specific categories that are specified. Specify the options for the step on the Properties tab and any conditions for the step on the Options tab. Add the Apply Driver Package step if you want the task sequence to install only those device drivers from the specified package. Specify the options for the step on the Properties tab and any conditions for the step on the Options tab. Important You can also select Disable this step on the Options tab to disable the step if you must troubleshoot the task sequence. 6. Click OK to save the task sequence.

See Also
Configuring Configuration Manager for Operating System Deployments
1796

How to Manage Task Sequences in Configuration Manager

Use task sequences to automatically perform tasks in your System Center 2012 Configuration Manager environment. These tasks can deploy an operating system image to a destination computer, build and capture an operating system image from a set of operating system installation files, and capture and restore user state information. Use the following sections to manage task sequences: Where Task Sequences are Located in the Configuration Manager Console How to Create Task Sequences How to Edit a Task Sequence How to Distribute the Content that is Referenced by a Task Sequence How to Deploy a Task Sequence How to Export and Import Task Sequences How to Create Task Sequence Variables for Computers and Collections Additional Actions to Manage Task Sequences

For information about how to plan your task sequence strategy, see Planning a Task Sequences Strategy in Configuration Manager. Important When you create or edit a deployment task sequence that ends in WinPE, make sure that the last step in the task sequence restarts the destination computer to the full operating system of the destination computer so that the task sequence exits correctly. If the destination computer is not restarted in this scenario, the client cannot be managed by Configuration Manager.

Where Task Sequences are Located in the Configuration Manager Console

Task sequences are located in the Software Library workspace, from the Operating Systems node. Under the Operating Systems node are several nodes that contain the objects that you use to deploy operating systems. One of these is the Task Sequence node that contains all the task sequences that you can use to deploy operating systems. You can create a flat list of task sequence or you can create subfolders to manage or group task sequences. The Task Sequence node, including any subfolders that you create, is replicated throughout the Configuration Manager hierarchy.

1797

How to Create Task Sequences

Create task sequences by using the Create Task Sequence Wizard. This wizard can create the following types of task sequences:
Task sequence type More information

Task sequences that install an existing image package

When you create this type of task sequence, the Create Task Sequence Wizard adds steps to the task sequence and then groups those steps into groups. This type of task sequence is referred to as a build and capture task sequence. The build and capture task sequence is run on a reference computer where the task sequence creates an operating system image that is based on a set of operating system source files. The operating system image can then be deployed by a deployment task sequence that includes the Apply Operating System Image step.

Task sequences that build and capture an operating system image

Custom task sequences that perform actions that are specific to your environment

When you create this type of task sequence, the Create Task Sequence Wizard does not add any steps to the task sequence. You must add steps to the task sequence after it is created.

Use the following procedures to create the different types of task sequences. To create a task sequence that installs an existing image package 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Operating Systems, and then click Task Sequences. 3. On the Home tab, in the Create group, click Create Task Sequence to start the Create Task Sequence Wizard. 4. On the Create a New Task Sequence page, click Install an existing Image package, and then click Next. 5. On the Task Sequence Information page, specify the following settings, and then click Next. Task sequence name: Specify a name that identifies the task sequence.
1798

Description: Specify a description of the task that is performed by the task sequence. Boot image: Specify the boot image that installs the operating system on the destination computer. The boot image contains a contain a version of Windows PE that is used to install the operating system, as well as any additional device drivers that are required. Important The architecture of the boot image must be compatible with the hardware architecture of the destination computer.

6. On the Install Windows page, specify the following settings, and then click Next. Image package: Specify the package that contains the operating system image to install. Image: If the operating system image package has multiple images, specify the index of the operating system image to install. Partition and format the target computer installing the operating system : Specify whether you want the task sequence to partition and format the destination computer before the operating system is installed. Product key: Specify the product key for the Windows operating system to install. You can specify encoded volume license keys and standard product keys. If you use a non-encoded product key, each group of 5 characters must be separated by a dash (-). For example: XXXXX-XXXXX-XXXXX-XXXXX-XXXXX Server licensing mode: Specify that the server license is Per seat, Per server, or that no license is specified. If the server license is Per server, also specify the maximum number of server connections. Specify how to handle the administrator account that is used when the operating system image is deployed. Disable local administrator account: Specify whether the local administrator account is disabled when the operating system image is deployed. Always use the same administrator password: Specify whether the same password is used for the local administrator account on all computers where the operating system image is deployed.

7. On the Configure Network page, specify the following settings, and then click Next. Join a workgroup: Specify whether to add the destination computer to a workgroup. Join a domain: Specify whether to add the destination computer to a domain. In Domain, specify the name of the domain. Important You can browse to locate domains in the local forest, but you must specify the domain name for a remote forest. You can also specify an organizational unit (OU). This is an optional setting that specifies the LDAP X.500-distinguished name of the OU in which to create the computer account if it does not already exist.
1799

Account: Specify the user name and password for the account that has permissions to join the specified domain. For example: domain\user or %variable%. Important You must enter the appropriate domain credentials if you plan to migrate either the domain settings or the workgroup settings.

8. On the Install Configuration Manager page, specify the Configuration Manager client package to install on the destination computer, and then click Next. 9. On the State Migration page, specify the following information, and then click Next. Capture user settings: Specify whether the task sequence captures the user state. For more information about how to capture and restore the user state, see How to Manage the User State in Configuration Manager. Tip Two deployment scenarios where you might want to capture user state: Side-by-side deployments where you want to migrate the user state from one computer to another computer. Update deployments where you want to capture and restore the user state on the same computer. Capture network settings: Specify whether the task sequence captures network settings from the destination computer. You can capture the membership of the domain or workgroup in addition to the network adapter settings. Capture Microsoft Windows settings: Specify whether the task sequence captures Windows settings from the destination computer before the operating system image is installed. You can capture the computer name, registered user and organization name, and the time zone settings.

10. On the Include Updates page, specify whether to install required software updates, all software updates, or no software updates, and then click Next. If you specify to install software updates, Configuration Manager installs only those software updates that are targeted to the collections that the destination computer is a member of. 11. On the Install Applications page, specify the applications to install on the destination computer, and then click Next. If you specify multiple applications, you can also specify that the task sequence continues if the installation of a specific application fails. 12. Complete the wizard. To create a task sequence that builds and captures an operating system image 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Operating Systems, and then click Task Sequences. 3. On the Home tab, in the Create group, click Create Task Sequence to start the Create Task Sequence Wizard. 4. On the Create a New Task Sequence page, select Build and capture a reference operating system image.
1800

5. On the Task Sequence Information page, specify the following settings, and then click Next. Task sequence name: Specify a name that identifies the task sequence. Description: Specify a description of the task that is performed by the task sequence, such as a description of the operating system that is created by the task sequence. Boot image: Specify the boot image that installs the operating system image. Important The architecture of the boot image must be compatible with the hardware architecture of the destination computer. 6. On the Install Windows page, specify the following settings, and then click Next. Package: Specify the Operating System Installers package that is referenced by the operating system image. This package contains the files that are required to install the operating system. Edition: Specify the Windows edition for this package. If the Operating System Installers package contains multiple editions, you must select the appropriate edition for the Windows product code that is specified by the associated Product Key. Product key: Specify the product key for the Windows operating system to install. You can specify encoded volume license keys and standard product keys. If you use a non-encoded product key, each group of 5 characters must be separated by a dash (-). For example: XXXXX-XXXXX-XXXXX-XXXXX-XXXXX Server licensing mode: Specify that the server license is Per seat, Per server, or that no license is specified. If the server license is Per server, also specify the maximum number of server connections. Specify how to handle the administrator account that is used when the operating system is deployed. Disable local administrator account: Specify whether the local administrator account is disabled when the operating system is deployed. Always use the same administrator password: Specify whether the same password is used for the local administrator account on all computers where the operating system is deployed.

7. On the Configure Network page, specify the following settings, and then click Next. Join a workgroup: Specify whether to add the destination computer to a workgroup when the operating system is deployed. Join a domain: Specify whether to add the destination computer to a domain when the operating system is deployed. In Domain, specify the name of the domain. Important You can browse to locate domains in the local forest, but you must specify the domain name for a remote forest. You can also specify an organizational unit (OU). This is an optional setting that specifies the LDAP X.500-distinguished name of the OU in which to create the
1801

computer account if it does not already exist. Account: Specify the user name and password for the account that has permissions to join the specified domain. For example: domain\user or %variable%. Important You must enter the appropriate domain credentials if you plan to migrate either the domain settings or the workgroup settings. 8. On the Install Configuration Manager page, specify the Configuration Manager client package that contains the source files to install the Configuration Manager client, add any additional properties needed to install the client, and then click Next. For more information about properties that can be used to install a client, see About Client Installation Properties in Configuration Manager. 9. On the Include Updates page, specify whether to install required software updates, all software updates, or no software updates, and then click Next. If you specify to install software updates, Configuration Manager installs only those software updates that are targeted to the collections that the destination computer is a member of. 10. On the Install Applications page, specify the applications to install on the destination computer, and then click Next. If you specify multiple applications, you can also specify that the task sequence continues if the installation of a specific application fails. 11. On the System Preparation page, specify the following settings, and then click Next. Package: Specify the Configuration Manager package that contains the appropriate version of Sysprep to use to capture the reference computer settings. If the operating system version that you are running is Windows Vista or later, Sysprep is automatically installed on the computer and you do not have to specify a package. If the operating system version that you are running is Windows XP SP3 or Windows Server 2003 SP2, you must specify a package that contains the version of Sysprep and its support files that is appropriate for that operating system version. This package does not require a program. Configuration Manager uses the Sysprep files contained in the package. 12. On the Images Properties page, specify the following settings for the operating system image, and then click Next. Created by: Specify the name of the user who created the operating system image. Version: Specify a user-defined version number that is associated with the operating system image. Description: Specify a user-defined description of the operating system computer image. Path: Specify a shared network folder where the output .WIM file is stored. This file contains the operating system image that is based on the settings that you specify by using this wizard. If you specify a folder that contains an existing .WIM file, the existing file is overwritten. Use the following account to access the output folder: Specify the Windows
1802

13. On the Capture Image page, specify the following settings, and then click Next.

account that has permissions to the network share where the image is stored. You must copy the image to the location that is specified. 14. Complete the wizard. To create a custom task sequence 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Operating Systems, and then click Task Sequences. 3. On the Home tab, in the Create group, click Create Task Sequence to start the Create Task Sequence Wizard. 4. On the Create a New Task Sequence page, select Create a new custom task sequence. 5. On the Task Sequence Information page, specify a name for the task sequence, a description of the task sequence, and an optional boot image for the task sequence to use, and then complete the wizard. After you complete the Create Task Sequence Wizard, Configuration Manager adds the custom task sequence to the Task Sequences node. You can now edit this task sequence to add task sequence steps to it.

How to Edit a Task Sequence

You can modify a task sequence by adding or removing task sequence steps, adding or removing task sequence groups, or by changing the order of the steps. Use the following procedure to modify an existing task sequence. Important When you edit a task sequence that was created by using the Create Task Sequence Wizard, the name of the step can be the action of the step or the type of the step. For example, you might see a step that has the name Partition disk 0, which is the action for a step of type Format and Partition Disk. All task sequence steps are documented by their type, not necessarily by the name of the step that is displayed in the Editor. To edit a task sequence 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Operating Systems, and then click Task Sequences. 3. In the Task Sequence list, select the task sequence that you want to edit. 4. On the Home tab, in the Task Sequence group, click Edit, and then perform any of the following operations: To add a task sequence step, click Add, select the type of the step, and then click the task sequence step that you want to add. For example, to add the Run Command Line step click Add, select General, and then click Run Command Line.
1803

For a list of all task sequence steps and their type, see the table that follows this procedure. To add a group to the task sequence, click Add, and then click New Group. After you add a group you can then add steps to the group. To change the order of the steps and groups in the task sequence, select the step or group that you want to re-order, and then use the Move Item Up or Move Item Down icons. You can move only one step or group at a time. To remove a step or group, select the step or group and click Remove.

5. Click OK to save the changes. The following table lists the task sequence steps that you can add to a task sequence. For more information about a specific task sequence step, click the task sequence step in this table.
Task sequence step Type of step Supported operating system Description

Apply Data Image

Images

Windows PE only

Copies the data image to the specified destination partition.

Apply Driver Package

Drivers

Windows PE only

Downloads all the drivers in the driver package and installs them on the Windows operating system. Specifies the network or workgroup configuration information for the destination computer. Installs an operating system on the destination computer. Configures the Windows settings for the destination computer. Matches and installs drivers as part of the operating system
1804

Apply Network Settings

Settings

Windows PE or standard operating system

Apply Operating System Image

Images

Windows PE only

Apply Windows Settings

Settings

Windows PE only

Auto Apply Drivers

Drivers

Windows PE only

deployment. Capture Network Settings Settings Standard operating system only Captures Microsoft network settings from the computer that runs the task sequence. Captures one or more images from a reference computer and store them in a WIM file on the specified network share. Uses the User State Migration Tool (USMT) to capture user state and settings from the computer that runs the task sequence. Captures the Windows settings from the computer that runs the task sequence. Creates a connection to a shared network folder. Converts a physical disk from a basic disk type to a dynamic disk type. Disables the BitLocker encryption on the current operating system drive, or on a specific drive. Enables BitLocker encryption on at least
1805

Capture Operating System Image

Images

Windows PE only

Capture User State

User State

Windows PE or standard operating system (Windows PE only for offline deployments)

Capture Windows Settings

Settings

Windows PE or standard operating system

Connect To Network Folder

General

Windows PE or standard operating system Windows PE or standard operating system

Convert Disk to Dynamic

Disk

Disable BitLocker

Disk

Standard operating system only

Enable BitLocker

Disk

Standard operating system only

two partitions on the hard drive Format and Partition Disk Disk Windows PE only Formats and partitions a specified disk on a destination computer. Installs one or more applications on the destination computer. Installs the Configuration Manager package that contains the Sysprep deployment tools. install the one or more Configuration Manager software packages on the destination computer. Installs software updates on the destination computer. Adds the destination computer to a workgroup or domain. Uses the Configuration Manager client that is installed on the reference computer and prepares this client for capture as part of the imaging process. Specifies the Sysprep options to use to capture an operating system image on the reference computer. Notifies the state
1806

Install Application

General

Standard operating system only

Install Deployment Tools

Images

Standard operating system only

Install Package

General

Standard operating system only

Install Software Updates

General

Standard operating system only

Join Domain or Workgroup

General

Standard operating system only

Prepare ConfigMgr Client for Capture

Images

Standard operating system only

Prepare Windows for Capture

Images

Standard operating system only

Release State Store

User State

Standard operating

system only

migration point that the capture or restore action is complete. Request access to a state migration point during the capture or restoration of user state. Restarts the computer that runs the task sequence. Initiates the User State Migration Tool (USMT) to restore user state and settings to the destination computer. Runs the specified command line.

Request State Store

User State

Standard operating system or Windows PE (for offline deployments)

Restart Computer

General

Windows PE or standard operating system Standard operating system only

Restore User State

User State

Run Command Line

General

Windows PE or standard operating system Windows PE or standard operating system Windows PE only

Set Task Sequence Variable

General

Sets the value of a variable to use with the task sequence. Performs the transition from Windows PE to the new operating system.

Setup Windows and ConfigMgr

Images

How to Distribute the Content that is Referenced by a Task Sequence

Before clients run a task sequence that references content, you must distribute that content to distribution points. At any time, you can select the task sequence and distribute its content to build a new list of reference packages for distribution. The content that is distributed is the content that is currently referenced by the task sequence and does not automatically include any changes made to the task sequence. Use the following procedure to distribute the content that is referenced by a task sequence.

1807

To distribute referenced content to distribution points 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Operating Systems, and then click Task Sequences. 3. In the Task Sequence list, select the task sequence that you want to distribute. 4. On the Home tab, in the Deployment group, click Distribute Content to start the Distribute Content Wizard. 5. On the General page, verify that the correct task sequence is selected for distribution, and then click Next. 6. On the Content page, verify the content to distribute, such as the boot image referenced by the task sequence, and then click Next. 7. On the Content Destination page, specify the collections, distribution point, or destination point group where you want to distribute the task sequence contents, and then click Next. Important If the task sequence that you selected references content that is already distributed to a specific distribution point, that distribution point is not listed by the wizard. 8. Complete the wizard.

How to Deploy a Task Sequence

Use the following procedure to deploy a task sequence to the computers in a collection. Note The status messages for the task sequence deployment are displayed in the Message window on a primary site, but they are not displayed on a central administration site. To deploy a task sequence 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Operating Systems, and then click Task Sequences. 3. In the Task Sequence list, select the task sequence that you want to deploy. 4. On the Home tab, in the Deployment group, click Deploy. Note If Deploy is not available, the task sequence has a reference that is not valid. Correct the reference and then try to deploy the task sequence again. 5. On the General page, specify the following information, and then click Next. Task sequence: Specify the task sequence that you want to deploy. By default, this
1808

box displays the task sequence that you selected. Collection: Specify the collection that contains the computers that will run the task sequence. Important Do not deploy task sequences that install operating systems to inappropriate collections, such as the All Systems collection. Be sure that the collection that you select contains only those computers that you want to run the task sequence. Comments (optional): Specify additional information that describes this deployment of the task sequence.

6. On the Deployment Settings page, specify the following information, and then click Next. Purpose: From the drop-down list, choose one of the following options: Available: If the task sequence is deployed to a user, the user sees the published task sequence in the Application Catalog and can request it on demand. If the task sequence is deployed to a device, the user will see it in the Software Center and can install it on demand. Required: The task sequence is deployed automatically, according to the configured schedule. However, a user can track the task sequence deployment status (if it is not hidden) and install the task sequence before the deadline by using the Software Center.

For Configuration Manager SP1 only: Deploy automatically according to schedule whether or not a user is logged on : This option is not available when you deploy a task sequence. Note In System Center 2012 Configuration Manager SP1, this option is named Pre-deploy software to the users primary device.

Send wake-up packets: If the deployment purpose is set to Required and this option is selected, a wake-up packet will be sent to computers before the deployment is installed to wake the computer from sleep at the installation deadline time. Before you can use this option, computers and networks must be configured for Wake On LAN. For Configuration Manager SP1 only: Allow clients on a metered Internet connection to download content after the installation deadline, which might incur additional costs: When you have a task sequence that installs an application but does not deploy an operating system, you can specify whether to allow clients to download content after an installation deadline when they use metered Internet connections. Internet providers sometimes charge by the amount of data that you send and receive when you are on a metered Internet connection.

1809

Note While using a metered Internet connection might work for task sequences that do not deploy an operating system, it is not supported. Require administrator approval if users request this application : This option is not available when you deploy a task sequence. Specify when to make this task sequence available. The available options are different depending on which version of Configuration Manager you are running. Make available to boot media and PXE: For Microsoft System Center 2012 Configuration Manager with no service pack only:

Specify whether the task sequence can be run when you deploy an operating system by using boot media or PXE boot. When you select this option, the Download all content locally before starting task sequence on the Distribution points page is not available.
For Configuration Manager SP1 only:

Make available to the following: Specify whether the task sequence is available to Configuration Manager clients, media, or PXE.
Important Use the Only media and PXE (hidden) setting for automated task sequence deployments. Select Allow unattended operating system deployment and set the SMSTSPreferredAdvertID variable as part of the media to have the computer automatically boot to the deployment with no user interaction. For more information about task sequence variables, see Task Sequence Built-in Variables in Configuration Manager 7. On the Scheduling page, specify the following information, and then click Next. Schedule when this deployment will become available: Specify the date and time when the task sequence is available to run on the destination computer. When you select the UTC check box, this setting ensures that the task sequence is available for multiple destination computers at the same time rather than at different times, according to the local time on the destination computers. If the start time is earlier than the required time, the client downloads the task sequence at the start time that you specify. Schedule when this deployment will expire: Specify the date and time when the task sequence expires on the destination computer. When you select the UTC check box, this setting ensures that the task sequence expires on multiple destination computers at the same time rather than at different times, according to the local time on the destination computers. Assignment schedule: Specify when the required task sequence is run on the destination computer. You can add multiple schedules.
1810

You can specify the date and time when the schedule starts, whether the task sequence runs weekly, monthly, or on a custom interval, and if the task sequence runs after an event such as logging on or logging off the computer. Note If you schedule a start time for a required task sequence that is earlier than the date and time when the task sequence is available, the Configuration Manager client downloads the task sequence at the scheduled start time, even though the task sequence is available at an earlier time. Rerun behavior: Specify when the task sequence is rerun. You can specify one of the following options. Never rerun deployed program: The task sequence does not rerun on the client if the task sequence has been previously run on the client. The task sequence does not rerun even if it originally failed or if the task sequence files have been changed. Always rerun program: The task sequence is always rerun on the client when the deployment is scheduled, even if the task sequence has successfully run previously. This setting is particularly useful when you use recurring deployments in which the task sequence is routinely updated. Important Although this option is set by default, it has no affect until you assign a required deployment. Available deployments can always be rerun by a user. Rerun if failed previous attempt: The task sequence is rerun when the deployment is scheduled only if the task sequence failed to run previously. This setting is particularly useful for required deployments so that they will automatically retry to run according to the assignment schedule if the last attempt to run was unsuccessful. Rerun if succeeded on previous attempt: The task sequence is rerun only if it has previously run successfully on the client. This setting is useful when you use recurring deployments in which the task sequence is routinely updated, and each update requires that the previous update is installed successfully. Note Because a user can rerun an available task sequence deployment, make sure that before you deploy an available task sequence in a product environment, you carefully evaluate and test what happens if a user reruns the task sequence multiple times. 8. On the User Experience page, specify the following information, and then click Next. Allow user to run the program independently of assignments: Specify whether the user is allowed to run a required task sequence independently from the deployment assignments. Show Task Sequence progress: Specify whether the Configuration Manager client
1811

displays the progress of the task sequence. Software installation: Specify whether the user is allowed to install software outside a configured maintenance windows after the scheduled time. System restart (if required to complete the installation) : Specify whether the user is allowed to restart the computer after a software installation outside a configured maintenance window after the assignment time. Allow task sequence to run for client on the Internet : Specify whether the task sequence is allowed to run on an Internet-based client that Configuration Manager detects to be on the Internet. Operations that install software, such as an operating system, are not supported with this setting. Use this option only for generic scriptbased task sequences that perform operations in the standard operating system. Embedded Devices: For Configuration Manager SP1 only. When you deploy task sequences to Windows Embedded devices that are write filter enabled, you can specify to install the task sequence on the temporary overlay and commit changes later, or commit the changes at the installation deadline or during a maintenance window. When you commit changes at the installation deadline or during a maintenance window, a restart is required and the changes persist on the device. Note When you deploy an application to a Windows Embedded device, make sure that the device is a member of a collection that has a configured maintenance window. 9. On the Alerts page, specify the alert settings that you want for this task sequence deployment, and then click Next. 10. On the Distribution Points page, specify the following information, and then click Next. Deployment options: Specify one of the following options: Note When you use multicast to deploy an operating system the content must be downloaded to the destination computers either as it is needed or before the task sequence is run. Specify that clients download content from the distribution point to the destination computer as it is needed by the task sequence. Specify that clients download all the content from the distribution point to the destination computer before the task sequence is run. This option is not shown if you specified that the task sequence is available to PXE and boot media deployments (see the Deployment Settings page). Specify that clients run the content from the distribution point. This option is available only when all packages associated with the task sequence is enabled to use a package share on the distribution point. To enable content to use a package share, see the Data Access tab in the Properties for each package.

When no local distribution point is available, use a remote distribution point : Specify whether clients can use distribution points that are on slow and unreliable networks to download the content that is required by the task sequence.
1812

11. Complete the wizard.

How to Export and Import Task Sequences

You can export and import task sequences with or without their related objects, such as such an operating system image, a boot image, a client agent package, a driver package, and applications that have dependencies. Consider the following when you export and import task sequences. Passwords that are stored in the task sequence are not exported. If you export and import a task sequence that contains passwords, you must edit the imported task sequence and specify any passwords again. Ensure that you specify passwords for Join Domain or Workgroup, map network drive, and Run Command Line actions. As a best practice, when you have multiple primary sites, import task sequences at the central administration site.

Use the following procedures to export and import a task sequence. To export task sequences 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Operating Systems, and then click Task Sequences. 3. In the Task Sequence list, select the task sequences that you want to export. If you select more than one task sequence, they are stored in one export file. 4. On the Home tab, in the Task Sequence group, click Export to start the Export Task Sequence Wizard. 5. On the General page, specify the following settings, and then click Next. In the File box, specify the location and name of the export file. If you enter the file name directly, be sure to include the .zip extension to the file name. If you browse for the export file, the wizard automatically adds this file name extension. Clear the Export all task sequence dependencies check box if you do not want to export task sequence dependencies. By default, the wizard scans for all the related objects and exports them with the task sequence. This includes any dependencies for applications. Clear the Export all content for the selected task sequences and dependencies check box if you do not want to copy the content from the package source to the export location. If this check box is selected, the Import Task Sequence Wizard uses the import path as the new package source location. In the Administrator comments box, add a description of the task sequences to export.

6. Complete the wizard. The wizard creates the following output files: If you do not export content: a .zip file.
1813

If you export content: a .zip file and a folder named export_files, where export is the name of the .zip file that contains the exported content.

If you include content when you export a task sequence, make sure that you copy the .zip file and the export_files folder, or your import will fail. To import task sequences 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Operating Systems, and then click Task Sequences. 3. On the Home tab, in the Create group, click Import Task Sequence to start the Import Task Sequence Wizard. 4. On the General page, specify the exported .zip file, and then click Next. 5. On the File Content page, select the action that you require for each object that you import. This page shows all the objects that Configuration Manager will import. If the object has never been imported, select Create New. If the object has been previously imported, select one of the following actions: Ignore Duplicate (default): This action does not import the object. Instead, the wizard links the existing object to the task sequence. Overwrite: This action overwrites the existing object with the imported object. For applications, you can add a revision to update the existing application or create a new application.

6. Complete the wizard. After you import the task sequence, edit the task sequence to specify any passwords that were in the original task sequence. For security reasons, passwords are not exported.

How to Create Task Sequence Variables for Computers and Collections

You can define custom task sequence variables for computers and collections. Variables that are defined for a computer are referred to as per-computer task sequence variables. Variables defined for a collection are referred to as per-collection task sequence variables. If there is a conflict, per-computer variables take precedence over per-collection variables. This means that task sequence variables that are assigned to a specific computer automatically have a higher priority than variables that are assigned to the collection that contains the computer. For example, if collection ABC has a variable assigned to it and computer XYZ, which is a member of collection ABC, has a variable with the same name assigned to it, the variable that is assigned to computer XYZ has higher priority than that of the variable that is assigned to collection ABC. You can hide per-computer and per-collection variables so that they are not visible in logs or in the Configuration Manager console. If you no longer want these variables to be hidden, you must delete them and redefine them without selecting the option to hide them.
1814

You can manage per-computer variables at a primary site or at a central administration site. Configuration Manager does not support more than 1,000 assigned variables for a computer. Warning When you use per-collection variables for task sequences, consider the following: Because changes to collections are always replicated throughout the hierarchy, any changes that you make to collection variables will apply to not just members of the current site but to all members of the collection throughout the hierarchy. When you delete a collection, this action also deletes the task sequence variables that are configured for the collection.

Use the following procedures to create task sequence variables for a computer or collection. To create task sequence variables for a computer 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, expand the collection that contains the computer that you want to add the variable to. 3. Select the computer and click Properties. 4. In the Properties dialog box, click the Variables tab. 5. For each variable that you want to create, click the New icon in the <New> Variable dialog box and specify the name and the value of the task sequence variable. Clear the Do not display this value in the Configuration Manager console check box if you want to hide the variables so that they are not visible in logs or in the Configuration Manager console. 6. After you have added all the variables to the computer, click OK. To create task sequence variables for a collection 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, select the collection that you want to add the variable to and click Properties. 3. In the Properties dialog box, click the Collection Variables tab. 4. For each variable that you want to create, click the New icon In the <New> Variable dialog box and specify the name and the value of the task sequence variable. Clear the Do not display this value in the Configuration Manager console check box if you want to hide the variables so that they are not visible in logs or in the Configuration Manager console. 5. Optionally, specify the priority for Configuration Manager to use when the task sequence variables are evaluated. 6. After you have added all the variables to the collection, click OK.

1815

Additional Actions to Manage Task Sequences

You can manage task sequences by using additional actions when you select the task sequence by using the following procedure. To select a task sequence to manage 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Operating Systems, and then click Task Sequences. 3. In the Task Sequence list, select the task sequence that you want to manage, and then select one of the available options. Use the following table for more information about some of the additional actions to manage task sequences.
Action Description

Copy

Makes a copy of the selected task sequence. You might find this action useful when you want to create a new task sequence that is based on an existing task sequence. When you make a copy of a task sequence in a folder, the copy is listed in that folder until you refresh the task sequence node. After the refresh, the copy appears in the root folder.

Disable

Disables the task sequence so that it cannot run on computers. Disabled task sequences can be deployed to computers, but computers do not run the task sequence until it is enabled. Enables the task sequence so that it can be run. You do not need to redeploy a deployed task sequence after it is enabled. Moves the selected task sequence to another folder. Opens the Properties dialog box for the selected task sequence. Use this dialog box to change the behavior of the task sequence object. However, you cannot change the steps of the task sequence by using this dialog box.

Enable

Move

Properties

1816

See Also
Configuring Configuration Manager for Operating System Deployments

How to Manage the User State in Configuration Manager

You can use System Center 2012 Configuration Manager task sequences to capture and restore the user state data in operating system deployment scenarios where you want to retain the user state of the current operating system. For example: Side-by-side deployments where you want to capture the user state from one computer to restore it on another computer. Update deployments where you want to capture and restore the user state on the same computer. User State Capture and Restore Workflows Storing User State Data How to Configure the State Migration Point Role How to Create a Computer Association for Side-by-Side Deployment How to Create a USMT Package How to Capture and Restore User State Data How to Restore the User State Data when the Operating System Deployment Fails

Use the following sections to manage the user state in Configuration Manager:

User State Capture and Restore Workflows

The following illustrations show the actions that are associated with the capture and restoration of user state for a computer.

Storing User State Data

When you capture user state, you can store the user state data on the destination computer (suitable for update deployments) or on a user state migration point (required for side-by-side deployment). To store the user state on a user state migration point, you must use a Configuration Manager site system server that hosts the state migration point site system role. To store the user state on the destination computer, you must configure your task sequence to store the data locally using links. Note
1817

The links that are used to store the user state locally are referred to as hard-links. Hardlinks is a USMT 4.0 feature that scans the computer for user files and settings and then creates a directory of hard-links to those files. The hard-links are then used to restore the user data after the new operating system is deployed. Important You cannot use a state migration point and use hard-links to store the user state data at the same time. To store the user state data on a state migration point, you must perform the following steps: 1. Configure a state migration point to store the user state data. 2. Create a computer association between the source computer and the destination computer. You must create this association before you capture the user state on the source computer. 3. Add steps to your task sequence that captures the user state data and then stores it on the state migration point. 4. Add steps to your task sequence that retrieves the user state data from the state migration point and then restores the data on the destination computer. To store the user state data on the destination computer for update deployments, you must perform the following steps: Add steps to your task sequence that capture and store the user state data to a local folder using links. Add steps to your task sequence that restores the user state using those links. Note The user state data that the hard-links reference remains on the computer after the task sequence removes the old operating system. This is the data that is used to restore the user state when the new operating system is deployed.

How to Configure the State Migration Point Role

You can use the following methods to configure a state migration point to store the user state data: Use the Create Site System Server Wizard to create a new site system server for the state migration point. Use the Add Site System Roles Wizard to add a state migration point to an existing server. When you use these wizards, you are prompted to provide the following information for the state migration point: The folders to store the user state data. The maximum number of clients that can store data on the state migration point. The minimum free space for the state migration point to store user state data. The deletion policy for the role. You can specify that the user state data is deleted immediately after it is restored on a computer, or after a specific number of days after the user data is restored on a computer.
1818

Whether you want the state migration point to respond only to requests to restore user state data. When you enable this option, you cannot use the state migration point to store user state data.

For more information about how to install site system roles, see the Install Site System Roles section of the Install and Configure Site System Roles for Configuration Manager topic.

How to Create a Computer Association for Sideby-Side Deployment

Create a computer association to define a relationship between a source computer and a destination computer for side-by-side deployments. The source computer is an existing computer that Configuration Manager manages. When you deploy the new operating system to the destination computer, the source computer contains the user state that is migrated to the destination computer. To create a computer association 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, click User State Migration. 3. On the Home tab, in the Create group, click Create Computer Association. 4. On the Computer Association tab of the Computer Association Properties dialog box, specify the source computer that has the user state to capture, and the destination computer on which to restore the user state data. 5. On the User Accounts tab, specify the user accounts to migrate to the destination computer. Specify one of the following settings: Capture and restore all user accounts: This setting captures and restores all user accounts. Use this setting to create multiple associations to the same source computer. Capture all user accounts and restore specified accounts: This setting captures all user accounts on the source computer and only restores the accounts that you specify on the destination computer. In addition, you can use this setting when you want to create multiple associations to the same source computer. Capture and restore specified user accounts: This setting captures and restores only the accounts that you specify. You cannot create multiple associations to the same source computer when you select this setting.

How to Create a USMT Package

To store the user state data locally or on a state migration point, you must create a package that contains the USMT source files that you want to use. This package is specified when you add the Capture User State step to your task sequence. Use the following procedure to create a USMT package by using the Create Package and Program Wizard. For more information on the Create Package and Program Wizard, see the How
1819

to Create a Package and Program by using the Create Package and Program Wizard section of the How to Create Packages and Programs in Configuration Manager topic. To create a USMT package 1. On the Package page of the Create Package and Program Wizard, select This package contains source files and browse to the USMT folder in the WAIK folder. Only one USMT package is required for x64 and x86 computers, so browse to the root USMT folder. Typically the path to the USMT folder is C:\Program Files\WAIK\tools\USMT. 2. On the Program Type page of the wizard, select Do not create a program. 3. Complete the wizard.

How to Capture and Restore User State Data

To capture and restore the user state, you must first create a task sequence, and then edit the task sequence to add the following task sequence steps: Request State Store: This step is needed only if you store the user state on the state migration point. Capture User State: This step captures the user state data and stores it on the state migration point or locally using links. Restore User State: This step restores the user state data on the destination computer. It can retrieve the data from a user state migration point or from the destination computer. Release State Store: This step is needed only if you store the user state on the state migration point. This step removes this data from the state migration point. You must use the User State Migration Tool (USMT) to complete the capture and restore steps. When you migrate user state from Windows XP to Windows XP, you must use USMT 3.0.1. For all other supported user state migration scenarios, you must use USMT 4.0. Use the following procedures to add the task sequence steps needed to capture the user state and restore the user state. For more information about how to create a task sequence and how to edit a task sequence, see the following sections in the How to Manage Task Sequences in Configuration Manager topic: How to Create Task Sequences How to Edit a Task Sequence To add task sequence steps to capture the user state 1. In the Task Sequence list, select a task sequence, and then click Edit. 2. If you are using a state migration point to store the user state, add the Request State Store step to the task sequence. In the Task Sequence Editor dialog box, click Add, point to User State, and then click Request State Store. Specify the following properties and options for the Request State Store step, and then click Apply.
1820

On the Properties tab, specify the following options: Enter a name and description for the step. Click Capture state from the computer. In the Number of retries box, specify the number of times the task sequence attempts to capture the user state data if an error occurs. In the Retry delay (in seconds) box, specify how many seconds that the task sequence waits before it retries to capture the data. Select the If computer account fails to connect to state store, use the Network Access account check box to specify whether to use the Configuration Manager Network Access Account capture the user state data. For more information about the Network Access Account, see the Configure the Network Access Account section of the Configuring Content Management in Configuration Manager topic. On the Options tab, specify the following options: Select the Continue on error check box if you want the task sequence to continue to the next step if this step fails. Specify any conditions that must be met before the task sequence can continue if an error occurs.

3. Add the Capture User State step to the task sequence. In the Task Sequence Editor dialog box, click Add, point to User State, and then click Capture User State. Specify the following properties and options for the Capture User State step, and then click OK. Important When you add this step to your task sequence, also set the OSDStateStorePath task sequence variable to specify where the user state data is stored. If you store the user state locally, do not specify a root folder as that can cause the task sequence to fail. When you store the user data locally always use a folder or subfolder. For information about this variable, see Capture User State Task Sequence Action Variables. On the Properties tab, specify the following options: Enter a name and description for the step. Specify the package that contains the USMT source file used to capture the user state data. Specify the user profiles to capture: Click Capture all user profiles with standard options to capture all user profiles. Click Customize user profile capture to specify individual user profiles to capture.

Select Enable verbose logging to specify how much information to write to log files if an error occurs. Select Skip files that use the Encrypting File System (EFS) .
1821

Select Copy by using file system access to specify the following settings: Continue if some files cannot be captured: This setting allows the task sequence step to continue the migration process even if some files cannot be captured. If you disable this option and a file cannot be captured, the task sequence step fails. This option is enabled by default. Capture locally by using links instead of by copying files: This setting allows you to use the hard link migration feature that is available in USMT 4.0. This setting is ignored if you use versions of USMT that are earlier than USMT 4.0. Capture in off-line mode (Windows PE only): This setting allows you to capture use state from Windows PE without booting to the existing operating system. This setting is ignored if you use versions of USMT that are earlier than USMT 4.0.

Select Capture by using Volume Copy Shadow Services (VSS). This setting is ignored if you use versions of USMT that are earlier than USMT 4.0. Select the Continue on error check box if you want the task sequence to continue to the next step if this step fails. Specify any conditions that must be met before the task sequence can continue if an error occurs.

On the Options tab, specify the following options:

Deploy this task sequence to capture the user state on a destination computer. For information about how to deploy task sequences, see the How to Deploy a Task Sequence section in the How to Manage Task Sequences in Configuration Manager. To add task sequence steps to restore the user state 1. In the Task Sequence list, select a task sequence, and then click Edit. 2. Add the Restore User State step to the task sequence. In the Task Sequence Editor dialog box, click Add, point to User State, and then click Restore User State. This step establishes a connection to the state migration point. Specify the following properties and options for the Restore User State step, and then click OK. On the Properties tab, specify the following properties: Enter a name and description for the step. Specify the package that contains the USMT to restore the user state data. Specify the user profiles to restore: Click Restore all captured user profiles with standard options to restore all user profiles. Click Customize user profile capture to restore individual user profiles.

Select Restore local computer user profiles to provide a new password for the restored profiles. You cannot migrate passwords for local profiles. Note When you have local user accounts, and you use the Capture User State step and select Capture all user profiles with standard options, you must
1822

select the Restore local computer user profiles setting in the Restore User State step or the task sequence will fail. Select Continue if some files cannot be restored if you want the Restore User State step to continue if a file cannot be restored. If you store the user state by using local links and the restore is not successful, the administrative user can manually delete the hard-links that were created to store the data or the task sequence can run the USMTUtils tool. If you use USMTUtils to delete the hard-link, add a Restart Computer step after you run USMTUtils. Select Enable verbose logging to specify how much information to write to log files if an error occurs. Select the Continue on error check box if you want the task sequence to continue to the next step if this step fails. Specify any conditions that must be met before the task sequence can continue if an error occurs.

On the Options tab, specify the following options:

3. If you are using a state migration point to store the user state, add the Release State Store step to the task sequence. In the Task Sequence Editor dialog box, click Add, point to User State, and then click Release State Store. Specify the following properties and options for the Release State Store step, and then click OK. Important The task sequence action that runs before the Release State Store step must be successful before the Release State Store step is started. On the Properties tab, enter a name and description for the step. On the Options tab, specify the following options. Select the Continue on error check box if you want the task sequence to continue to the next step if this step fails. Specify any conditions that must be met before the task sequence can continue when an error occurs.

Deploy this task sequence to restore the user state on a destination computer. For information about deploying task sequences, see the How to Deploy a Task Sequence section in the How to Manage Task Sequences in Configuration Manager topic.

How to Restore the User State Data when the Operating System Deployment Fails
If the operating system deployment fails, use the USMT 4.0 LoadState feature to retrieve the user states data was captured during the deployment process. This includes data that is stored on a state migration point or data that is saved locally on the destination computer. For more information on this USMT feature, see LoadState Syntax.

1823

See Also
Configuring Configuration Manager for Operating System Deployments

How to Manage Unknown Computer Deployments in Configuration Manager

Use the information in this topic to deploy operating systems to unknown computers in your System Center 2012 Configuration Manager environment. An unknown computer is a computer that is not managed by Configuration Manager. This means that there is no record of these computers in the Configuration Manager database. Unknown computers include the following: A computer where the Configuration Manager client is not installed A computer that is not imported into Configuration Manager A computer that is not been discovered by Configuration Manager

You can deploy operating systems to unknown computers by using PXE deployments, bootable media, or prestaged media.

Unknown Computer Deployment Workflow

Here is the basic workflow that you need to follow to deploy an operating system to an unknown computer: Select an unknown computer object to use in the deployment. You can deploy the operating system to one of the unknown computer objects in the All Unknown Computers collection or you can add the objects in the All Unknown Computer collection to another collection. Configuration Manager provides two unknown computer objects in the All Unknown Computers collection. One object is for x86 computers and the other object is for x64 computers. Note The x86 Unknown Computer object is for computers that are only x86 capable. The x64 Unknown Computer object is for computers that are x86 and x64 capable, In other words, these objects describe the architecture of the destination computer. They do not describe the operating system that you want to deploy on the destination computer. Configure a PXE enabled distribution point or media to support unknown computer deployments. Before you enable unknown computer support for an operating system deployment, ensure that the site system meets all the prerequisites for unknown computer support. Important If you use a PXE deployment to provision an unknown computer, the unknown computer attempts to run required task sequences. Any required task sequences that
1824

include operations such as Apply Operating System Image or Format and Partition Disk automatically PXE boot the computer and attempt to run. In this scenario all data is destroyed on the unknown computer. Deploy the task sequence that deploys the operating system to the collection that contains the unknown computer object that you want to use.

Unknown Computer Installation Process

When a computer is first booted from PXE or from media, Configuration Manager checks to see if a record for that computer exists in the Configuration Manager database. If there is a record, Configuration Manager then checks to see if there are any task sequences deployed to the record. If there is not a record, Configuration Manager checks to see if there are any task sequences deployed to an unknown computer object. In either case, Configuration Manager then performs one of the following actions: If there is an available task sequence, Configuration Manager prompts the user to run the task sequence. If there is a required task sequence, Configuration Manager automatically runs the task sequence. If a task sequence is not deployed for the record, Configuration Manager generates an error that there is no deployed task sequence for the destination computer.

In addition, when an unknown computer is booted, Configuration Manager recognizes the computer as an unprovisioned computer rather than an unknown computer. This means that the computer can now receive the task sequences that were deployed to the unknown computer object. The deployed task sequence then installs an operating system image that must include the Configuration Manager client. After the Configuration Manager client is installed, a record for the computer is created and the computer is listed in the appropriate Configuration Manager collection. If the computer fails to install the operating system image or the Configuration Manager client, an Unknown record for the computer is created and the computer appears in the All Systems collection. Note During the installation of the operating system image, the task sequence can retrieve collection variables but not computer variables from this computer.

Enabling Unknown Computer Support

Use the following table to enable unknown computer support for PXE deployments, bootable media, and prestaged media.
Deployment type Configuration More information

PXE deployment

Select the Enable unknown computer support check box

See the Creating Distribution Points that Accept PXE

1825

Deployment type

Configuration

More information

on the PXE tab for a distribution point that is enabled for PXE.

Request section in the How to Deploy Operating Systems by Using PXE in Configuration Manager topic. For information about how to create bootable media, see the How to Create Bootable Media section of the How to Deploy Operating Systems by Using Media in Configuration Manager topic. For information about how to create prestaged media, see the How to Create Prestaged Media section of the How to Deploy Operating Systems by Using Media in Configuration Manager topic.

Bootable media

Select the Enable unknown computer support check box on the Security page of the Create Task Sequence Media Wizard.

Prestaged media

Select the Enable unknown computer support check box on the Security page of the Create Task Sequence Media Wizard.

See Also
Operations and Maintenance for Deploying Operating Systems in Configuration Manager

How to Associate Users with a Destination Computer

When you use System Center 2012 Configuration Manager to deploy operating system you can associate users with the destination computer where the operating system is deployed. This configuration includes specifying the following: That a single user is the primary user of the destination computer. That multiple users are the primary users of the destination computer.

User device affinity supports user-centric management for when you deploy applications. When you associate a user with the destination computer on which to install an operating system, an administrative user can later deploy applications to that user and the applications automatically install on the destination computer. However, although you can configure support for user device affinity when you deploy operating systems, you cannot use user device affinity to deploy operating systems.
1826

For more information about user device affinity, see the following documentation: User Device Affinity in the Deploying Applications in Configuration Manager section in the Introduction to Application Management in Configuration Manager topic How to Manage User Device Affinity in Configuration Manager

How to Specify a User When You Deploy Operating Systems

The following table lists the actions that you can take to integrate user device affinity into your operating system deployments. You can integrate user device affinity into PXE deployments, bootable media deployments, and prestaged media deployments.
Action More information

Create a task sequence that includes the SMSTSAssignUsersMode variable

Add the SMSTSAssignUsersMode variable to the beginning of your task sequence by using the Set Task Sequence Variable task sequence step. This variable specifies how the task sequence handles the user information. Set the variable to one of the following values: Auto: The task sequence automatically creates a relationship between the user and destination computer and deploys the operating system. Pending: The task sequence creates a relationship between the user and the destination computer, but waits for approval from the administrative user before the operating system is deployed. Disabled: The task sequence does not associate a user with the destination computer and continues to deploy the operating system.

This variable can also be set on a computer or collection. Create a prestart command that gathers the user information The prestart command can be a Visual Basic (VB) script that has an input box, or it can be an HTML application (HTA) that validates the user data that is entered. The prestart command must set the SMSTSUdaUsers variable that is used when the task sequence is run. This variable can be
1827

Action

More information

set on a computer, a collection, or a task sequence variable. Use the following format when you add multiple users: domain\user1, domain\user2, domain\user3. Configure how distribution points and media associate the user with the destination computer When you configure a distribution point to accept PXE boot requests and when you create bootable or prestaged media by using the Create Task Sequence Media Wizard, you can specify how the distribution point or media supports associating users with the destination computer where the operating system is deployed. Configuring user device affinity support does not have a built-in method to validate the user identity. This can be important when a technician is entering the information on behalf of the user when the technician provisions the computer. In addition to setting how the user information is handled by the task sequence, configuring these options on the distribution point and media provides the ability to restrict the deployments that are started from a PXE boot or from a specific piece of media. For information about how to configure the distribution point, see How to Deploy Operating Systems by Using PXE in Configuration Manager. For information about how to create media, see the How to Create Bootable Media and How to Create Prestaged Media sections in the How to Deploy Operating Systems by Using Media in Configuration Manager topic.

See Also
Configuring Configuration Manager for Operating System Deployments

1828

How to Manage Multicast in Configuration Manager

Use the procedures in this topic to support multicast in your System Center 2012 Configuration Manager environment. These procedures configure the distribution point to support multicast and configure the operating system image for multicast.

Configuring a Distribution Point to support Multicast

Before you deploy the operating system, you must configure a distribution point to support multicast. Use the following procedure to modify an existing distribution point to support multicast. For more information about how to create a new distribution point, see the Install and Configure the Distribution Point section in the Configuring Content Management in Configuration Manager topic. To enable multicast for a distribution point 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Overview, and then select the Distribution Points node. 3. Select the distribution point that you want to use to multicast the operating system image. 4. On the Home tab, in the Properties group, click Properties. 5. Select the Multicast tab, and configure the following options: Enable Multicast: You must select this option for the distribution point to support multicast. Multicast service point connection account: Specify an account to connect to the database if you cannot use the computer account of the distribution point. Multicast address settings: Specify the IP addresses to send data to the destination computers. By default, the IP address is obtained from a DHCP server that is enabled to distribute multicast addresses. Depending on the network environment, you can specify a range of IP addresses between 239.0.0.0 and 239.255.255.255. Important These IP addresses must be accessible by the destination computers that request the operating system image. This means that routers and firewalls in between the destination computer and the site server must be configured to allow multicast traffic. UDP Port Range: Specify the range of UDP ports to send data to the destination computers.

1829

Important These ports must be accessible by the destination computers that request the operating system image. This means that routers and firewalls in between the destination computer and the site server must be configured to allow multicast traffic. Enabled scheduled multicast: Specify how Configuration Manager controls when to start deploying operating systems to destination computers. Click Enabled scheduled multicast, and then select the following options. In the Session start delay box, specify how many minutes that Configuration Manager waits before it responds to the first deployment request. In the Minimum session size box, specify how many requests must be received before Configuration Manager starts to deploy the operating system. Transfer rate: Select the transfer rate to download data to the destination computers. Maximum clients: Specify the maximum number of destination computers that can download the operating system from this distribution point.

6. Click OK.

Configuring the Operating System Image for Multicast Deployments

Before you distribute the operating system image to a multicast-enabled distribution point, you must configure the operating system image package to support multicast. Use the following procedure to set the multicast options for an existing operating system image package. For information about how to capture an operating system image package from a reference computer, see the How to Build a Reference Computer section in the How to Deploy Operating Systems in Configuration Manager topic. To modify an operating system image package to use multicast 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Operating Systems, and then click Operating System Images. 3. Select the operating system image that you want to distribute to the multicast-enabled distribution point. 4. On the Home tab, in the Properties group, click Properties. 5. Select the Distribution Settings tab, and configure the following options: Allow this package to be transferred via multicast (WinPE only) : You must select this option for Configuration Manager to simultaneously deploy operating system images. Encrypt multicast packages: Specify whether the image is encrypted before it is sent to the distribution point. Use this option if the package contains sensitive
1830

information. If the image is not encrypted, the contents of the package will be visible in clear text on the network and might be read by an unauthorized user. Transfer this package only via multicast: Specify whether you want the distribution point to deploy the image only during a multicast session. If you select Transfer this package only via multicast, you must also specify Download content locally when needed by running task sequence as the deployment option for the operating system image. You can specify the deployment options for the image when you deploy the operating system image, or you can specify them later by editing the properties of the deployment. The deployment options are on the Distribution Points tab of the Properties page of the deployment object. 6. Click OK.

See Also
Operations and Maintenance for Deploying Operating Systems in Configuration Manager

Operations and Maintenance for Deploying Operating Systems in Configuration Manager

This section contains step-by-step procedures that are used to deploy operating systems in your System Center 2012 Configuration Manager environment.

Operating System Deployment Topics

How to Deploy Operating Systems in Configuration Manager How to Deploy Operating Systems by Using Media in Configuration Manager How to Deploy Operating Systems by Using PXE in Configuration Manager How to Deploy Operating Systems to Offline Computers in Configuration Manager

Other Resources for this Product

TechNet Library main page for System Center 2012 Configuration Manager Operating System Deployment in Configuration Manager

1831

How to Deploy Operating Systems in Configuration Manager

Use the procedures and information in this topic to help you deploy operating systems in your System Center 2012 Configuration Manager environment. To deploy an operating system, you must build a reference computer and add computers to the Configuration Manager database. You can then deploy the operating system, and optionally, perform a side-by-side deployment. Use the following sections for more information: How to Build a Reference Computer How to Add a Computer to the Configuration Manager Database How to Deploy Operating System Images to a Computer How to Perform a Side-by-Side Operating System Deployment

How to Build a Reference Computer

You can configure the reference computer manually, or you can build the reference computer and capture the operating system image by using a build and capture task sequence. Note If you build the reference computer manually, you can capture the operating system image by using capture media. For more information about capture media, see the How to Create Capture Media section in the How to Deploy Operating Systems by Using Media in Configuration Manager topic. To build the reference computer manually 1. Identify the computer to use as the reference computer. 2. Configure the reference computer with the appropriate operating system and any other software that is required to create the operating system image that you want to deploy. Warning At a minimum, install the appropriate operating system and service pack, support drivers, any required software updates, and the appropriate version of Sysprep. 3. Configure the reference computer to be a member of a workgroup. 4. Reset the local Administrator password on the reference computer so that the password value is blank. 5. For computers that run Windows XP, copy the appropriate Sysprep files (sysprep.exe and setupcl.exe) to the C:\Sysprep folder on the reference computer. This step is not required for computers that run an operating system version that is at least Windows Vista SP2. 6. Run Sysprep by using the command: sysprep /quiet /generalize /reboot

1832

To build a reference computer by using a build and capture task sequence 1. Identify the computer to use as the reference computer. 2. In the Configuration Manager console, click Software Library. 3. In the Software Library workspace, expand Operating Systems, and then click Task Sequences. 4. On the Home tab, in the Create group, click Create Task Sequence to start the Create Task Sequence Wizard. 5. On the Create a New Task Sequence page, select Build and capture a reference operating system image and complete the wizard. For more information about the settings on each page of this wizard, see the How to Create Task Sequences section of the How to Manage Task Sequences in Configuration Manager topic. 6. To add additional steps to the task sequence, select the task sequence that you created and click Edit. For information about how to edit a task sequence, see the How to Edit a Task Sequence section of the How to Manage Task Sequences in Configuration Manager topic. 7. If the reference computer is a Configuration Manager client, deploy the build and capture task sequence to the collection that contains the reference computer. For information about how to deploy the operating system image, see How to Deploy Operating System Images to a Computer. Note If the task sequence has a disk partitioning task sequence step, do not select the Download Program option when you deploy the task sequence. 8. If the reference computer is not a Configuration Manager client, run the Create Task Sequence Media Wizard to create bootable media that can install the image on the reference computer. For information about how to create bootable media, see the How to Create Bootable Media section of the How to Deploy Operating Systems by Using Media in Configuration Manager. 9. Alternatively, you can create bootable media such as CD , DVD, or USB Flash drive to manually run the task sequence on the reference computer.

How to Add a Computer to the Configuration Manager Database

To deploy an operating system to a new computer that is not currently managed by Configuration Manager without using stand-alone media, the new computer must be added to the Configuration Manager database before you deploy the operating system. Although Configuration Manager can automatically discover computers on your network that have a Windows operating system installed, if the computer has no operating system installed, you must import the new computer information by using the Import Computer Information Wizard. This wizard supports importing information about a single computer, or importing information about one or more computers from an external .csv file.
1833

Consider the following factors when you add computers to the Configuration Manager database: If the computer that you import is already in the Configuration Manager database, the computer information that you import overwrites the existing computer information. When you add computers by using a file or when you add a single computer, do not specify data in raw byte format. If the computer information is entered by using raw byte format, the computer import will fail. If you add computers by using a computer information file, you must create the file before you run the Import Computer Information Wizard. Create the file by using the comma separated values (CSV) format. Use the following format when you enter the computer information, with each property value in a separate column.
NEWCOMP1,55555555-5555-5555-5555-555555555555,05:06:07:08:09:0A

If you import a computer and then provision the operating system of the computer manually, Configuration Manager considers the computer to be a new client and not the imported computer. If you import a computer to override an existing client and then re-image the operating system for the client by using Configuration Manager, Configuration Manager considers the computer to be a new client. If you import a computer and then provision it by using a PXE-initiated deployment, Configuration Manager matches the computer to the imported computer.

Use the following procedures to import multiple computers by using a computer information file or to import a single computer. To import computer information from a file 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, expand Overview, and then click Devices. 3. On the Home tab, in the Create group, click Import Computer information to start the Import Computer Information Wizard. 4. On the Select Source page, select Import computers using a file, and then click Next. 5. On the Choose Mapping page, specify the following options, and then click Next. In the Import file box, specify the .csv file that contains the computer information. If the file contains column headings, select the This file has column headings check box. When this check box is selected, the first line of the file is ignored. To change a property that is associated with a column of the file, select the column number and then use Assign as to reassign the property that is associated with the column. Note You can use each Configuration Manager property only once. The Name field must be assigned to one column, and you must also specify a Computer Name, SMBIOS GUID, or MAC Address column. Although both values might be used, each property must be assigned to only one column. You can optionally specify the source computer that is assigned to one
1834

column. You can import only one MAC address per computer. The Ignore and Variable options can be assigned to multiple columns. Ignore is the default option. If you assign a column as a Variable, you must also enter the variable to be used. 6. On the Data Preview page, review the computer information provided by the file. If the file does not contain valid data for the properties that you specified, you must exit the wizard and correct the information in the file or select a file that has valid data. Important If the computer information file contains duplicate MAC addresses, the wizard will succeed, but Configuration Manager adds only the last computer with the duplicate MAC address to the Configuration Manager database. 7. On the Choose Target Collection page, specify the collections to add the computers to. By default, the computers are assigned to the All Systems collection. To add the computers to a specific collection, click Browse. The imported computers are statically added to the specified collection. If you do not want to add the computers to any additional collections, select Do not add computers to a collection. 8. Complete the wizard. To import computer information for a single computer 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, expand Overview, and then click Devices. 3. On the Home tab, in the Create group, click Import Computer information to start the Import Computer information Wizard. 4. On the Select Source page, select Import single computer, and then click Next. 5. On the Single Computer page, specify the following settings, and then click Next. Computer Name: Specify the name of the computer. Specify either the MAC address (12 hex characters) or the SMBIOS GUID (32 hex characters) of the computer, or both the MAC address and SMBIOS GUID of the computer. Specify the SMBIOS GUID of the computer in UUID format. Warning If the SMBIOS GUID is specified, do not enter the GUID in raw byte format. Source computer: Optionally, specify a reference computer to obtain the user state and the settings to migrate to the new computer. If you specify a reference computer, you must specify the user accounts to migrate to the new computer when you create an association between the computer to add and the reference computer. Note For more information about how to create the association, see the To Create a Computer Association procedure in the How to Perform a Side-by-Side
1835

Operating System Deployment section of this topic. 6. On the Data Preview page, review the data that is mapped to a Configuration Manager property, and then click Next. 7. On the Choose Target Collection page, specify whether you want to add the computer to the All Systems collection or to a specific collection, and then click Next. 8. Complete the wizard.

How to Deploy Operating System Images to a Computer

You use task sequences to deploy operating system images to destination computers. This means that you must create a task sequence that references the boot image used to boot the destination computer, the operating system image that you want to install on the destination computer, and any other additional content, such as other applications, that you want installed. Then you must deploy the task sequence to the collection that contains the destination computer. For information about creating and deploying task sequences, see the How to Manage Task Sequences in Configuration Manager topic.

How to Perform a Side-by-Side Operating System Deployment

You can use Configuration Manager to perform a side-by-side computer deployment. Side-byside computer deployments are useful for computer upgrade scenarios when you want to move the user state and files from an existing computer to a destination computer that has an updated operating system. To perform a side-by-side deployment 1. Import the new destination computer into the Configuration Manager database. See, How to Add a Computer to the Configuration Manager Database 2. Create a computer association between the existing computer and the destination computer. See the How to Create a Computer Association for Side-by-Side Deployment section in the How to Manage the User State in Configuration Manager topic. 3. Capture the user state from the existing computer. See the How to Capture and Restore User State Data When You Use a State Migration Point section in the How to Manage the User State in Configuration Manager topic. 4. Create a task sequence to deploy the operating system to the destination computer. How to Manage Task Sequences in Configuration Manager 5. Restore the user state on the destination computer. See the How to Capture and Restore User State Data When You Use a State Migration Point section in the How to Manage the User State in Configuration Manager topic.

1836

See Also
Operations and Maintenance for Deploying Operating Systems in Configuration Manager

How to Deploy Operating Systems by Using Media in Configuration Manager

Use the procedures in this topic to create capture, bootable, prestaged, and stand-alone media in your System Center 2012 Configuration Manager environment. Important If you use a Configuration Manager console that is not on the site server and your operating system is earlier than Windows 7, your computer must have the Configuration Manager client and Windows AIK installed. If these are not installed, the Create Task Sequence Media Wizard fails. Use the following sections to help you capture an operating system image or deploy an operating system by using the different types of media: How to Create Capture Media How to Create Bootable Media How to Create Prestaged Media How to Create Stand-alone Media

For planning information, see Planning for Media Operating System Deployments in Configuration Manager.

How to Create Capture Media

Use capture media to capture an operating system image from a reference computer. Capture media contains the boot image that starts the reference computer and the task sequence that captures the operating system image. For more information about capture media, see the Capture Media for Operating System Images section in the Planning for Media Operating System Deployments in Configuration Manager topic. You create capture media by using the Create Task Sequence Media Wizard. Before you run the wizard, be sure that all the following conditions are met: The boot image used to start the reference computer must be distributed to a distribution point. In addition, the architecture of the boot image that is distributed must be appropriate for the architecture of the reference computer. For example, an x64 reference computer can boot and run an x86 or x64 boot image. However, an x86 reference computer can boot and run only an x86 boot image. To run the Create Task Sequence Media Wizard, you must have read access rights to the content library on the distribution point where the boot image is located. The wizard retrieves the boot image from the distribution point when it creates the media.
1837

When you create capture media for a USB flash drive, the flash drive must be connected to the computer where the wizard is run, and the USB flash drive must be detectable by Windows as a removal device. The wizard writes directly to the flash drive when it creates the media. Important If the administrative user needs to start the USB flash drive media from within an existing Windows Vista and later operating system, they need to manually run the TSMBAutorun.exe program. The TSMBAutorun.exe program is located in the following folder: \sms\bin\<architecture folder>\TSMBAutorun.exe

Before you run the Create Task Sequence Media Wizard to create media for a CD or DVD set, you must create a folder for the output files created by the wizard. Media that is created for a CD or DVD set is written as .iso files directly to the folder. If multiple media is needed the wizard adds a sequence number to the name of each output file that is created.

Use the following procedure to create capture media. To create capture media 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Operating Systems, and then click Task Sequences. 3. On the Home tab, in the Create group, click Create Task Sequence Media to start the Create Task Sequence Media Wizard. 4. On the Select Media Type page, select Capture media, and then click Next. 5. On the Media Type page, specify the following options, and then click Next. Select whether the media is a flash drive or a CD/DVD set. If you select USB flash drive, you must also specify the drive where you want the content stored. If you select CD/DVD set, specify the capacity of the media and the name and path of the output files. The wizard writes the output files to this location. For example: \\servername\folder\outputfile.iso If the capacity of the media is too small to store the entire content, you must store the content on multiple CDs or DVDs. When multiple media is required, Configuration Manager automatically adds a sequence number to the name of each output file that it creates. Note If you select an existing .iso image, the Task Sequence Media Wizard deletes that image from the drive or share as soon as you proceed to the next page of the wizard. The existing image is deleted even if you then cancel the wizard. 6. On the Boot image page, specify the following information, and then click Next.
1838

Important The architecture of the boot image that you specify must be appropriate for the architecture of the reference computer. For example, an x64 reference computer can boot and run an x86 or x64 boot image. However, an x86 reference computer can boot and run only an x86 boot image. In the Boot image box, specify the boot image to start the reference computer. In the Distribution point box, specify the distribution point where the boot image resides. The wizard retrieves the boot image from the distribution point and writes it to the media. Note You must have Read access rights to the content library on the distribution point. 7. Complete the wizard.

How to Create Bootable Media

Bootable media contains only the boot image, optional prestart commands and their required files, and Configuration Manager binaries. For more information about bootable media, see the Bootable Media Operating System Deployments section in the Planning for Media Operating System Deployments in Configuration Manager topic. You create bootable media by using the Create Task Sequence Media Wizard. Before you run the wizard, be sure that all the following conditions are met: The boot image used to start the destination computer must be distributed to a distribution point. In addition, the architecture of the boot image that is distributed must be appropriate for the architecture of the destination computer. For example, an x64 destination computer can boot and run an x86 or x64 boot image. However, an x86 destination computer can boot and run only an x86 boot image. To run the Create Task Sequence Media Wizard, you must have read access rights to the content library on the distribution point where the boot image is located. The wizard retrieves the boot image from the distribution point when it creates the media. When you create bootable media for a USB flash drive, the flash drive must be connected to the computer where the wizard is run, and the USB flash drive must be detectable by Windows as a removal device. The wizard writes directly to the flash drive when it creates the media. Important If the administrative user needs to start the USB flash drive media from within an existing Windows Vista and later operating system, they need to manually run the TSMBAutorun.exe program. The TSMBAutorun.exe program is located in the following folder: \sms\bin\<architecture folder>\TSMBAutorun.exe
1839

Before you run the Create Task Sequence Media Wizard to create media for a CD or DVD set, you must create a folder for the output files created by the wizard. Media that is created for a CD or DVD set is written as .iso files directly to the folder. If multiple media is needed the wizard adds a sequence number to the name of each output file that is created.

Use the following procedure to create bootable media. To create bootable media 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Operating Systems, and then click Task Sequences. 3. On the Home tab, in the Create group, click Create Task Sequence Media to start the Create Task Sequence Media Wizard. 4. On the Select Media Type page, specify the following options, and then click Next. Select Bootable media. Optionally, if you want to only allow the operating system to be deployed without requiring user input, select Allow unattended operating system deployment. Important When you select this option, the user is not prompted for network configuration information or for optional task sequences. However, the user is still prompted for a password if the media is configured for password protection. 5. On the Media Management page, specify one of the following options, and then click Next. Select Dynamic media if you want to allow a management point to redirect the media to another management point, based on the client location in the site boundaries. Select Site-based media if you want the media to contact only the specified management point. Select whether the media is a flash drive or a CD/DVD set. If you select USB flash drive, you must also specify the drive where you want the content stored. If you select CD/DVD set, specify the capacity of the media and the name and path of the output files. The wizard writes the output files to this location. For example: \\servername\folder\outputfile.iso If the capacity of the media is too small to store the entire content, you must store the content on multiple CDs or DVDs. When multiple media is required, Configuration Manager adds a sequence number to the name of each output file that it creates. Note If you select an existing .iso image, the Task Sequence Media Wizard
1840

6. On the Media Type page, specify the following options, and then click Next.

deletes that image from the drive or share as soon as you proceed to the next page of the wizard. The existing image is deleted even if you then cancel the wizard. 7. On the Security page, specify the following options, and then click Next. Select the Enable unknown computer support check box to allow the media to deploy an operating system to a computer that is not managed by Configuration Manager. There is no record of these computers in the Configuration Manager database. Unknown computers include the following: A computer where the Configuration Manager client is not installed A computer that is not imported into Configuration Manager A computer that is not discovered by Configuration Manager

Select the Protect the media with a password check box and enter a strong password to help protect the media from unauthorized access. When you specify a password, the user must provide that password to use the bootable media. Important As a security best practice, always assign a password to help protect the bootable media.

For HTTP communications, select Create self-signed media certificate, and then specify the start and expiration date for the certificate. For HTTPS communications, select Import PKI certificate, and then specify the certificate to import and its password. For more information about this client certificate that is used for boot images, see PKI Certificate Requirements for Configuration Manager.

User Device Affinity: To support user-centric management in Configuration Manager, specify how you want the media to associate users with the destination computer. For more information about how operating system deployment supports user device affinity, see How to Associate Users with a Destination Computer. Specify Allow user device affinity with auto-approval if you want the media to automatically associate users with the destination computer. This functionality is based on the actions of the task sequence that deploys the operating system. In this scenario, the task sequence creates a relationship between the specified users and destination computer when it deploys the operating system to the destination computer. Specify Allow user device affinity pending administrator approval if you want the media to associate users with the destination computer after approval is granted. This functionality is based on the scope of the task sequence that deploys the operating system. In this scenario, the task sequence creates a relationship between the specified users and the destination computer, but waits for approval from an administrative user before the operating system is deployed. Specify Do not allow user device affinity if you do not want the media to associate users with the destination computer. In this scenario, the task
1841

sequence does not associate users with the destination computer when it deploys the operating system. 8. On the Boot image page, specify the following options, and then click Next. Important The architecture of the boot image that is distributed must be appropriate for the architecture of the destination computer. For example, an x64 destination computer can boot and run an x86 or x64 boot image. However, an x86 destination computer can boot and run only an x86 boot image. In the Boot image box, specify the boot image to start the destination computer. In the Distribution point box, specify the distribution point where the boot image resides. The wizard retrieves the boot image from the distribution point and writes it to the media. Note You must have Read access rights to the content library on the distribution point. If you create site-based bootable media (you selected Site-based media on the Media Management page of the wizard), in the Management point box, specify a management point from a primary site. If you create dynamic bootable media (you selected Dynamic media on the Media Management page of the wizard), in the Associated management points box, specify the primary site management points to use, and a priority order for the initial communications. Specify the variables that the task sequence uses to deploy the operating system. Specify any prestart commands that you want to run before the task sequence runs. Prestart commands are a script or an executable that can interact with the user in Windows PE before the task sequence runs to install the operating system. For more information about prestart commands for media, see the Prestart Commands for Task Sequence Media in Configuration Manager topic. Optionally, select the Files for the prestart command check box to include any required files for the prestart command. 10. Complete the wizard.

9. On the Customization page, specify the following options, and then click Next.

How to Create Prestaged Media

Prestaged media contains the boot image and operating system image that you can use to provision a computer. However prestaged media does not contain the task sequence that is used in the deployment process. For more information about prestaged media, see the Prestaged Media Operating System Deployments section in the Planning for Media Operating System Deployments in Configuration Manager topic.

1842

You create prestaged media by using the Create Task Sequence Media Wizard. Before you run the wizard, be sure that all the following conditions are met: The boot image used to start the destination computer must be distributed to a distribution point. In addition, the architecture of the boot image that is distributed must be appropriate for the architecture of the destination computer. For example, an x64 destination computer can boot and run an x86 or x64 boot image. However, an x86 destination computer can boot and run only an x86 boot image. To run the Create Task Sequence Media Wizard, you must have read access rights to the content library on the distribution point where the boot image and operating system image are located. The wizard retrieves the boot images from the distribution points when it creates the media. Ensure that the boot image contains the network and mass storage drivers that are required to provision the destination computer. The package that contains the operating system image that is deployed to the destination computer must be distributed to a distribution point. In the task sequence used by the media, do not set a condition for the Apply Operating System action. The hard drive of the destination computer must be formatted before the prestaged media is staged onto the hard drive of the computer. If the hard drive is not formatted when the media is applied, the task sequence that deploys the operating system will fail when it attempts to start the destination computer. Note The Create Task Sequence Media Wizard sets the following task sequence variable condition on the media: _SMSTSMedia = OEMMedia. You can use this condition throughout your task sequence. Use the following procedure to create prestaged media. To create prestaged media 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Operating Systems, and then click Task Sequences. 3. On the Home tab, in the Create group, click Create Task Sequence Media to start the Create Task Sequence Media Wizard. 4. On the Select Media Type page, specify the following information, and then click Next. Select Prestaged media. Optionally, if you want to allow the operating system to be deployed without requiring user input, select Allow unattended operating system deployment. When you select this option the user is not prompted for network configuration information or for optional task sequences. However, the user is still prompted for a password if the media is configured for password protection.

5. On the Media Management page, specify the following information, and then click Next.
1843

Select Dynamic media if you want to allow a management point to redirect the media to another management point, based on the client location in the site boundaries. Select Site-based media if you want the media to contact only the specified management point. Created by: Specify who created the media. Version: Specify the version number of the media. Comment: Specify a unique description of what the media is used for. Media file: Specify the name and path of the output files. The wizard writes the output files to this location. For example: \\servername\folder\outputfile.wim Select the Enable unknown computer support check box to allow the media to deploy an operating system to a computer that is not managed by Configuration Manager. There is no record of these computers in the Configuration Manager database. Unknown computers include the following: A computer where the Configuration Manager client is not installed A computer that is not imported into Configuration Manager A computer that is not discovered by Configuration Manager

6. On the Media Properties page, specify the following information, and then click Next.

7. On the Security page, specify the following information, and then click Next.

Select the Protect the media with a password check box and enter a strong password to help protect the media from unauthorized access. When you specify a password, the user must provide that password to use the prestaged media. Important As a security best practice, always assign a password to help protect the prestaged media.

For HTTP communications, select Create self-signed media certificate, and then specify the start and expiration date for the certificate. For HTTPS communications, select Import PKI certificate, and then specify the certificate to import and its password. For more information about this client certificate that is used for boot images, see PKI Certificate Requirements for Configuration Manager.

User Device Affinity: To support user-centric management in Configuration Manager, specify how you want the media to associate users with the destination computer. For more information about how operating system deployment supports user device affinity, see How to Associate Users with a Destination Computer. Specify Allow user device affinity with auto-approval if you want the media to automatically associate users with the destination computer. This functionality is based on the actions of the task sequence that deploys the operating system. In this scenario, the task sequence creates a relationship between the specified users and destination computer when it deploys the operating system to the
1844

destination computer. Specify Allow user device affinity pending administrator approval if you want the media to associate users with the destination computer after approval is granted. This functionality is based on the scope of the task sequence that deploys the operating system. In this scenario, the task sequence creates a relationship between the specified users and the destination computer, but waits for approval from an administrative user before the operating system is deployed. Specify Do not allow user device affinity if you do not want the media to associate users with the destination computer. In this scenario, the task sequence does not associate users with the destination computer when it deploys the operating system.

8. On the Boot image page, specify the following information, and then click Next. Important The architecture of the boot image that is distributed must be appropriate for the architecture of the destination computer. For example, an x64 destination computer can boot and run an x86 or x64 boot image. However, an x86 destination computer can boot and run only an x86 boot image. In the Boot image box, specify the boot image to start the destination computer. In the Distribution point box, specify the distribution point where the boot image resides. The wizard retrieves the boot image from the distribution point and writes it to the media. Note You must have Read access rights to the content library on the distribution point. If you create site-based bootable media (you selected Site-based media on the Media Management page of the wizard), in the Management point box, specify a management point from a primary site. If you create dynamic bootable media (you selected Dynamic media on the Media Management page of the wizard), in the Associated management points box, specify the primary site management points to use and a priority order for the initial communications. In the Image package box, specify the package that contains the operating system image. If the package contains multiple operating system images, in the Image index box, specify the image to deploy. In the Distribution point box, specify the distribution point where the operating system image package resides. The wizard retrieves the operating system image from the distribution point and writes it to the media. Note You must have Read access rights to the content library on the distribution
1845

9. On the Images page, specify the following information, and then click Next.

point. 10. On the Customization page, specify the following information, and then click Next. Specify the variables that the task sequence uses to deploy the operating system. Specify any prestart commands that you want to run before the task sequence runs. Prestart commands are a script or an executable that can interact with the user in Windows PE before the task sequence runs to install the operating system. For more information about prestart commands for media, see the Prestart Commands for Task Sequence Media in Configuration Manager topic.

11. Complete the wizard.

How to Create Stand-alone Media

Stand-alone media contains all the necessary information to deploy the operating system without requiring a connection to a Configuration Manager site. For more information about stand-alone media, see the Stand-alone Media Operating System Deployments section in the Planning for Media Operating System Deployments in Configuration Manager topic. You create stand-alone media by using the Create Task Sequence Media Wizard. Before you run the wizard, be sure that all the following conditions are met: You must have a task sequence that is associated with a boot image. Content that is required by the task sequence must be distributed to a distribution point and you must have Read access rights to the content library of that distribution point. The wizard gathers the information from the distribution point when it creates the stand-alone media. When you create stand-alone media for a USB flash drive, the flash drive must be connected to the computer where the wizard is run, and the USB flash drive must be detectable by Windows as a removal device. The wizard writes directly to the flash drive when it creates the media. Important If the administrative user needs to start the USB flash drive media from within an existing Windows Vista and later operating system, they need to manually run the TSMBAutorun.exe program. The TSMBAutorun.exe program is located in the following folder: \sms\bin\<architecture folder>\TSMBAutorun.exe Before you run the Create Task Sequence Media Wizard to create media for a CD or DVD set, you must create a folder for the output files created by the wizard. Media that is created for a CD or DVD set is written as .iso files directly to the folder. If multiple media is needed the wizard adds a sequence number to the name of each output file that is created. Automatic application of device drivers from the driver catalog. Installing software updates. Installing software before an operating system deployment. Associating users with the destination computer to support user device affinity.
1846

Configuration Manager does not support the following actions for stand-alone media:

Installing dependencies for applications that are specified as part of the task sequence.

Use the following procedure to create stand-alone media for a USB flash drive or a CD/DVD set. To create stand-alone media 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Operating Systems, and then click Task Sequences. 3. On the Home tab, in the Create group, click Create Task Sequence Media to start the Create Task Sequence Media Wizard. 4. On the Select Media Type page, specify the following options, and then click Next. Select Stand-alone media. Optionally, if you want to allow the operating system to be deployed without requiring user input, select Allow unattended operating system deployment. When you select this option the user is not prompted for network configuration information or for optional task sequences. However, the user is still prompted for a password if the media is configured for password protection.

5. On the Media Type page, specify the following options, and then click Next. Important Stand-alone media uses a FAT32 file system. You cannot create stand-alone media on a USB flash drive whose content contains a file over 4 GB in size. Select whether the media is a flash drive or a CD/DVD set. If you select USB flash drive, you must also specify the drive where you want to store the content. If you select CD/DVD set, specify the capacity of the media and the name and path of the output files. The wizard writes the output files to this location. For example: \\servername\folder\outputfile.iso If the capacity of the media is too small to store the entire content, you must store the content on multiple CDs or DVDs. When multiple media is required, Configuration Manager adds a sequence number to the name of each output file that it creates. In addition, if you deploy an application along with the operating system and the application cannot fit on a single media, Configuration Manager stores the application across multiple media. When the stand-alone media is run, Configuration Manager prompts the user for the next media where the application is stored. Note If you select an existing .iso image, the Task Sequence Media Wizard deletes that image from the drive or share as soon as you proceed to the next page of the wizard. The existing image is deleted, even if you then cancel the wizard. 6. On the Security page, enter a strong password to help protect the media, and then click Next. If you specify a password, the password is required to use the media.
1847

Important On stand-alone media, only the task sequence steps and their variables are encrypted. The remaining content of the media is not encrypted, so do not include any sensitive information in task sequence scripts. Store and implement all sensitive information by using task sequence variables. 7. On the Stand-Alone CD/DVD page, specify the task sequence that deploys the operating system, and then click Next. The wizard lets you select only those task sequences that are associated with a boot image. 8. On the Distribution Points page, specify the distribution points that contain packages that are required by the task sequence, and then click Next. Note You must have Read access rights to the content library on the distribution points. 9. On the Customization page, specify the following information, and then click Next. Specify the variables that the task sequence uses to deploy the operating system. Specify any prestart commands that you want to run before the task sequence. Prestart commands are a script or an executable that can interact with the user in Windows PE before the task sequence runs to install the operating system. For more information about prestart commands for media, see the Prestart Commands for Task Sequence Media in Configuration Manager topic. Optionally, select the Files for the prestart command check box to include any required files for the prestart command. 10. Complete the wizard.

See Also
Operations and Maintenance for Deploying Operating Systems in Configuration Manager

How to Deploy Operating Systems by Using PXE in Configuration Manager

Use the procedures in this topic to support PXE-initiated deployments in your System Center 2012 Configuration Manager environment. These procedures include how to configure a distribution point to accept PXE boot requests from clients, how to create the boot images that must be distributed to a PXE-enabled distribution point, and how to create an exclusion list to ensure that specified computers do not run a Configuration Manager PXE deployment. Use the following sections for more information: Configuring Distribution Points to Accept PXE Requests
1848

How to Create a PXE-enabled Boot Image How to Create an Exclusion List for PXE Deployments

Configuring Distribution Points to Accept PXE Requests

To deploy operating systems to Configuration Manager clients that make PXE boot requests, you must use one or more distribution points that are configured to respond to the PXE boot requests. The distribution point then responds to the PXE boot request and determines the appropriate deployment actions to take. You can add the distribution point site role to a new site system server or add the site role to an existing site system server. This site can be a primary or secondary site server. Important Before you install the distribution point, ensure that Windows Deployment Service is installed on the site system server. For information about how to install Windows Deployment Services for when you deploy operating system by using PXE, see Planning for PXE-Initiated Operating System Deployments in Configuration Manager. To create a distribution point that accepts PXE boot requests, see the Install and Configure the Distribution Point section in the Configuring Content Management in Configuration Manager topic. Use the following procedure to modify an existing distribution point so that it can accept PXE requests. To modify an existing distribution point to accept PXE requests 1. If there is a risk that critical computers might accidentally PXE boot, create an exclusion list and specify the MAC addresses of these computers. For more information, see How to Create an Exclusion List for PXE Deployments in this topic. 2. In the Configuration Manager console, click Administration. 3. In the Administration workspace, expand Overview and click Distribution points. 4. Select the distribution point to configure, and then, on the Home tab in the Properties group, click Properties. 5. On the property page for the distribution point, click the PXE tab. 6. To enable this distribution point to respond to the PXE boot requests, select the Enable PXE support for clients check box. 7. To confirm that you want Configuration Manager to use the ports that are required for PXE deployments, in the Review Required Ports for PXE dialog box, click Yes. 8. To enable Windows Deployment Services so that it responds to PXE service requests, select the Allow this distribution point to respond to incoming PXE requests check box. Use this check box to enable and disable the service without removing the PXE functionality from the distribution point. 9. To deploy operating systems to computer that are not managed by Configuration
1849

Manager, select the Enable unknown computer support check box. 10. To provide additional security for your PXE deployments, select the Require a password when computers use PXE check box, and then specify a strong password. 11. In the User Device Affinity list, specify how you want the distribution point to associate users with the destination computer for PXE deployments. Select Do not use user device affinity to not associated users with the destination computer. Select Allow user device affinity with manual approval to wait for approval from an administrative user before users are associated with the destination computer. Select Allow user device affinity with automatic approval to automatically associate users with the destination computer without waiting for approval.

For more information about user device affinity, see How to Associate Users with a Destination Computer 12. Specify that the distribution point responds to PXE requests from all network interfaces or from specific network interfaces. If the distribution point responds to specific network interface, you must provide the MAC address for each network interface. 13. Specify, in seconds, how long the delay is for the distribution point before it responds to computer requests when multiple PXE-enabled distribution points are used. By default, the Configuration Manager PXE service point responds first to network PXE requests. 14. Click OK to update the properties of the distribution point.

How to Create a PXE-enabled Boot Image

Before you use PXE to deploy an operating system, you must create the boot images to support a PXE deployment. You must have both an x86 PXE-enabled boot image and an x64 PXEenabled boot image that are distributed to one or more PXE-enabled distribution points. Use the following procedure to create boot images for PXE deployments. To create a PXE-enabled boot image 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Operating Systems, and then click Boot Images. 3. On the Home tab, in the Create group, click Add Boot Image to start the Add Boot Image Wizard. 4. On the Data Source page, specify the following options, and then click Next. In the Path box, specify the boot image WIM file. Click Browse to locate a specific boot image file. The specified path must be a valid network path in the UNC format. For example: \\servername\<sharename>\bootimage.wim. Select the boot image that you want from the Boot Image drop-down list. If the WIM file contains multiple boot images, each image is listed.
1850

5. On the General page, specify the following options, and then click Next. In the Name box, specify a unique name for the boot image. In the Version box, specify a version number for the boot image. In the Comment box, specify a brief description of how the boot image is used.

6. Complete the wizard. 7. Select the boot image that you just created. 8. On the Home tab, in the Properties group, click Properties, and then select the Data Source tab. 9. Select the Deploy this boot image from the PXE service point check box. 10. Click OK. You can now distribute these boot images to any distribution point that accepts PXE requests.

How to Create an Exclusion List for PXE Deployments

When you use PXE to deploy operating systems, you can create an exclusion list to limit which computers are included in the deployment. The exclusion list contains MAC addresses of the computers that you want the distribution point to ignore if these computers send a PXE boot request. These computers do not receive the deployment task sequences that Configuration Manager uses for PXE deployment. Use the following steps to create the PXE exclusion list. To create the exclusion list 1. Create a text file on the distribution point that is enabled for PXE. As an example, name this text file pxeExceptions.txt. 2. Use a standard text editor, such as Notepad, and add the MAC addresses of the computers to be ignored by the PXE-enabled distribution point. Separate the MAC address values by colons, and enter each address on a separate line. For example:
01:23:45:67:89:ab

3. Save the text file on the PXE-enabled distribution point site system server. The text file can be saved to any location on the server. 4. Edit the registry of the PXE-enabled distribution point to create a MACIgnoreListFile registry key that contains the string value of the full path to the location of the text file on the PXE-enabled distribution point site system server. Use the following registry path: HKLM\Software\Microsoft\SMS\DP Warning If you use the Registry Editor incorrectly, you might cause serious problems that might require you to reinstall the operating system. Microsoft cannot guarantee that you can solve problems that result from using the Registry Editor incorrectly.
1851

Use the Registry Editor at your own risk. There is no need to restart the server after you make this registry change.

See Also
Operations and Maintenance for Deploying Operating Systems in Configuration Manager

How to Deploy Operating Systems to Offline Computers in Configuration Manager

Use the procedure in this topic to deploy operating systems to computers that are offline in your System Center 2012 Configuration Manager environment. For example, you can deploy an operating system to a computer that is not connected to the network or to a computer that is connected by a low bandwidth connection. In this scenario, the destination computer does not have an existing Configuration Manager client installed on the destination computer. Use stand-alone media to deploy operating systems to offline computers because everything that is required to deploy the operating system is on the media. You create stand-alone media by using the Create Task Sequence Media Wizard. For information about how to create stand-alone media, see the How to Create Stand-alone Media section of the How to Deploy Operating Systems by Using Media in Configuration Manager topic. Use the following procedure to deploy an operating system to an offline computer. To deploy an operating system to an offline computer 1. Insert the stand-alone media into the offline computer. 2. Initiate the installation of the operating system from the stand-alone media. If there is no existing operating system on the destination computer, insert or attach the stand-alone media to the computer and restart the computer by using the installation media. Important The media that you use to deploy the operating system must be bootable.

See Also
Operations and Maintenance for Deploying Operating Systems in Configuration Manager

1852

Security and Privacy for Deploying Operating Systems in Configuration Manager

Note This topic appears in the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide and in the Security and Privacy for System Center 2012 Configuration Manager guide. This topic contains security and privacy information for operating system deployment in System Center 2012 Configuration Manager.

Security Best Practices for Operating System Deployment

Use the following security best practices for when you deploy operating systems with Configuration Manager:
Security best practice More information

Implement access controls to protect bootable media

When you create bootable media, always assign a password to help secure the media. However, even with a password, only files that contain sensitive information are encrypted and all files can be overwritten. Control physical access to the media to prevent an attacker from using cryptographic attacks to obtain the client authentication certificate. Note In Configuration Manager SP1, to help prevent a client from installing content or client policy that has been tampered with, the content is hashed and must be used with the original policy. If the content hash fails or the check that the content matches the policy, the client will not use the bootable media. Only the content is hashed; the policy is not but it is encrypted and secured when you specify a password, which makes it more difficult for an attacker to
1853

Security best practice

More information

successfully modify the policy. Use a secured location when you create media for operating system images If unauthorized users have access to the location, they can tamper with the files that you create and also use all the available disk space so that the media creation fails. When you require a password to import the client authentication certificate that you use for bootable media, this helps to protect the certificate from an attacker. Use SMB signing or IPsec between the network location and the site server to prevent an attacker from tampering with the certificate file. If the client certificate is compromised, block the certificate from Configuration Manager and revoke it if it is a PKI certificate To deploy an operating system by using bootable media and PXE boot, you must have a client authentication certificate with a private key. If that certificate is compromised, block the certificate in the Certificates node in the Administration workspace, Security node. For more information about the difference between blocking a certificate and revoking it, see Comparing Blocking Clients and Revoking Client Certificates. When the SMS Provider is on a computer or computers other than the site server, secure the communication channel to protect boot images When boot images are modified and the SMS Provider is running on a server that is not the site server, the boot images are vulnerable to attack. Protect the network channel between these computers by using SMB signing or IPsec. When a client sends a PXE boot request, you have no way to ensure that the request is serviced by a valid PXE-enabled distribution point. This scenario has the following security risks: A rogue distribution point that responds to PXE requests could provide a tampered image to clients. An attacker could launch a man-in-themiddle attack against the TFTP protocol that is used by PXE and send malicious
1854

Protect certificate files (.pfx) with a strong password and if you store them on the network, secure the network channel when you import them into Configuration Manager

Enable distribution points for PXE client communication only on secure network segments

Security best practice

More information

code with the operating system files, or she could create a rogue client to make TFTP requests directly to the distribution point. An attacker could use a malicious client to launch a denial of service attack against the distribution point.

Use defense in depth to protect the network segments where clients will access distribution points for PXE requests. Warning Because of these security risks, do not enable a distribution point for PXE communication when it is in an untrusted network, such as a perimeter network. Configure PXE-enabled distribution points to respond to PXE requests only on specified network interfaces If you allow the distribution point to respond to PXE requests on all network interfaces, this configuration might expose the PXE service to untrusted networks When you require a password for PXE boot, this configuration adds an extra level of security to the PXE boot process, to help safeguard against rogue clients joining the Configuration Manager hierarchy. Because of the inherent security risks involved with PXE boot and multicast, reduce the risks if rogue computer downloads the operating system image.

Require a password to PXE boot

Do not include line of business applications or software that contains sensitive data into an image that will be used for PXE boot or multicast

Do not include line of business applications or software that contains sensitive data in software packages that are installed by using task sequences variables

When you deploy software packages by using task sequences variables, software might be installed on computers and to users who are not authorized to receive that software.

When you migrate user state, secure the network channel between the client and the state migration point by using SMB signing or IPsec

After the initial connection over HTTP, user state migration data is transferred by using SMB. If you do not secure the network channel, an attacker can read and modify this
1855

Security best practice

More information

data. Use the latest version of the User State Migration Tool (USMT) that Configuration Manager supports Manually delete folders on state migration point when they are decommissioned The latest version of USMT provides security enhancements and greater control for when you migrate user state data. When you remove a state migration point folder in the Configuration Manager console on the state migration point properties, the physical folder is not deleted. To protect the user state migration data from information disclosure, you must manually remove the network share and delete the folder. If you configure the deletion policy on the state migration point to remove data that is marked for deletion immediately, and if an attacker manages to retrieve the user state data before the valid computer does, the user state data would be deleted immediately. Set the Delete after interval to be long enough to verify the successful restore of user state data. Configuration Manager does not automatically remove computer associations. Help to protect the identify of user state data by manually deleting computer associations that are no longer required. Configuration Manager Backup does not include the user state migration data. If a computer supports BitLocker, you must disable it by using a task sequence step if you want to install the operating system unattended. Configuration Manager does not enable BitLocker after the operating system is installed, so you must manually re-enable BitLocker. Control physical access to the media to prevent an attacker from using cryptographic attacks to obtain the client authentication certificate and sensitive data. Ensure that the reference computer that you
1856

Do not configure the deletion policy to delete user state immediately

Manually delete computer associations when the user state migration data restore is complete and verified

Manually back up the user state migration data on the state migration point Remember to enable BitLocker after the operating system is installed

Implement access controls to protect the prestaged media

Implement access controls to protect the

Security best practice

More information

reference computer imaging process

use to capture operating system images is in a secure environment with appropriate access controls so that unexpected or malicious software cannot be installed and inadvertently included in the captured image. When you capture the image, ensure that the destination network file share location is secure so that the image cannot be tampered with after it is captured. When the reference computer has current security updates, it helps to reduce the window of vulnerability for new computers when they first start up. Although provisioning unknown computers provides a convenient method to deploy new computers on demand, it can also allow an attacker to efficiently become a trusted client on your network. Restrict physical access to the network, and monitor clients to detect unauthorized computers. Also, computers responding to PXE-initiated operating system deployment might have all data destroyed during the operating system deployment, which could result in a loss of availability of systems that are inadvertently reformatted. For every operating system deployment package, you have the option to enable encryption when Configuration Manager transfers the package by using multicast. This configuration helps prevent rogue computers from joining the multicast session and helps prevent attackers from tampering with the transmission. If attackers can gain access to your network, they can configure rogue multicast servers to spoof operating system deployment. Restrict who can access the network folder. Use SMB signing or IPsec between the network location and the site server to prevent an
1857

Always install the most recent security updates on the reference computer

If you must deploy operating systems to an unknown computer, implement access controls to prevent unauthorized computers from connecting to the network

Enable encryption for multicast packages

Monitor for unauthorized multicast-enabled distribution points

When you export task sequences to a network location, secure the location and secure the network channel

Security best practice

More information

attacker from tampering with the exported task sequence. If you must use the Task Sequence Run As Account, take additional security precautions Take the following precautionary steps if you use the Task Sequence Run As Account: Use an account with the least possible permissions. Do not use the Network Access account for this account. Never make the account a domain administrator. Never configure roaming profiles for this account. When the task sequence runs, it will download the roaming profile for the account, which leaves the profile vulnerable to access on the local computer. Limit the scope of the account. For example, create different Task Sequence Run As Accounts for each task sequence, so that if one account is compromised, only the client computers to which that account has access are compromised. If the command line requires administrative access on the computer, consider creating a local administrator account solely for the Task Sequence Run As Account on all computers that will run the task sequence, and delete the account as soon as it is no longer required.

In addition:

Restrict and monitor the administrative users who are granted the Operating System Deployment Manager security role

Administrative users who are granted the Operating System Deployment Manager security role can create self-signed certificates that can then be used to impersonate a client and obtain client policy from Configuration Manager.

1858

Security Issues for Operating System Deployment

Although operating system deployment can be a convenient way to deploy the most secure operating systems and configurations for computers on your network, it does have the following security risks: Information disclosure and denial of service If an attacker can obtain control of your Configuration Manager infrastructure, she could run any task sequences, which might include formatting the hard drives of all client computers. Task sequences can be configured to contain sensitive information, such as accounts that have permissions to join the domain and volume licensing keys. Impersonation and elevation of privileges Task sequences can join a computer to domain, which can provide a rogue computer with authenticated network access. Another important security consideration for operating system deployment is to protect the client authentication certificate that is used for bootable task sequence media and for PXE boot deployment. When you capture a client authentication certificate, this gives an attacker an opportunity to obtain the private key in the certificate and then impersonate a valid client on the network. If an attacker obtains the client certificate that is used for bootable task sequence media and for PXE boot deployment, this certificate can be used to impersonate a valid client to Configuration Manager. In this scenario, the rogue computer can download policy, which can contain sensitive data. If clients use the Network Access Account to access data stored on the state migration point, these clients effectively share the same identity and could access state migration data from another client that uses the Network Access Account. The data is encrypted so only the original client can read it, but the data could be tampered with or deleted. The state migration point does not use authentication in Configuration Manager with no service pack In Configuration Manager with no service pack, the state migration point does not authenticate connections, so anybody can send data to the state migration point and anybody can retrieve data that is stored on there. Although only the original computer can read the retrieved user state data, do not consider this data secured. In Configuration Manager SP1, client authentication to the state migration point is achieved by using a Configuration Manager token that is issued by the management point. In addition, Configuration Manager does not limit or manage the amount of data that is stored on the state migration point and an attacker could fill up the available disk space and cause a denial of service. If you use collection variables, local administrators can read potentially sensitive information Although collection variables offer a flexible method to deploy operating systems, this might result in information disclosure.

1859

Privacy Information for Operating System Deployment

In addition to deploying operating systems to computers with no operating system, Configuration Manager can be used to migrate users files and settings from one computer to another. The administrator configures which information to transfer, including personal data files, configuration settings, and browser cookies. The information is stored on a state migration point and is encrypted during transmission and storage. The information is allowed to be retrieved by the new computer associated with the state information. If the new computer loses the key to retrieve the information, a Configuration Manager administrator with the View Recovery Information right on computer association instance objects can access the information and associate it with a new computer. After the new computer restores the state information, it deletes the data after one day by default. You can configure when the state migration point removes data marked for deletion. The state migration information is not stored in the site database and is not sent to Microsoft. If you use boot media to deploy operating system images, always use the default option to password-protect the boot media. The password encrypts any variables stored in the task sequence, but any information not stored in a variable might be vulnerable to disclosure. Operating system deployment can use task sequences to perform many different tasks during the deployment process, which includes installing applications and software updates. When you configure task sequences, you should also be aware of the privacy implications of installing software. Configuration Manager does not implement operating system deployment by default and requires several configuration steps before you collect user state information or create task sequences or boot images. Before you configure operating system deployment, consider your privacy requirements.

See Also
Operating System Deployment in Configuration Manager

Technical Reference for Deploying Operating Systems in Configuration Manager

This section contains reference material for example scenarios and material for when you plan and write task sequences in System Center 2012 Configuration Manager.

1860

Technical Reference Topics

Example Scenario for PXE-Initiated Operating System Deployment by Using Configuration Manager Task Sequence Variables in Configuration Manager Task Sequence Steps in Configuration Manager Task Sequence Scenarios in Configuration Manager How to Provision Windows To Go in Configuration Manager Prestart Commands for Task Sequence Media in Configuration Manager How to Create a PXE-Initiated Windows 8 Deployment for UEFI-Based or BIOS-Based Computers in Configuration Manager

Other Resources for this Product

TechNet Library main page for System Center 2012 Configuration Manager Operating System Deployment in Configuration Manager

Example Scenario for PXE-Initiated Operating System Deployment by Using Configuration Manager
Note This topic appears in the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide and in the Scenarios and Solutions Using System Center 2012 Configuration Manager guide. The example scenario in this topic describes how to deploy an operating system in System Center 2012 Configuration Manager. In this scenario, Adam, the Configuration Manager administrative user for Trey Research, must upgrade the operating system to Windows 7 on several Windows XP computers. In this scenario, Adam does not have to save the user data from the computers that will receive the new operating system because. Trey Research has a policy to store all user data on network shares.

Deployment Process
To capture and deploy the operating system, Adam follows the process described in the following table.

1861

Process

More information

As he plans for the deployment, Adam makes the following decisions: He plans to use PXE to deploy the new operating system. He will install and configure Windows 7 on a computer that has no operating system installed. Then, he will use capture media to capture the operating system image. The capture media will use a USB flash drive to store his capture media. He will use the boot images that are supplied by Configuration Manager. He must distribute the boot images that start the reference computer in order to capture the operating system image and to start the destination computers to install the operating system.

For more information about PXE deployments, see Planning for PXE-Initiated Operating System Deployments in Configuration Manager. For more information about planning how to capture the operating system image, see Planning for Capturing Operating System Images in Configuration Manager For more information about planning boot images deployments, see Planning for Boot Image Deployments in Configuration Manager

Adam obtains a computer that has no operating system installed. He refers to this as a bare metal computer. This is his reference computer, which he configures as follows: He installs and configures Windows 7 to match his company requirements. He does not install the Configuration Manager client. He will install the client when he deploys the operating system image.

For more information about planning how to capture the operating system image, see Planning for Capturing Operating System Images in Configuration Manager

In preparation to deploy the operating system image, Adam uses the Configuration Manager console to perform the following steps: Adam creates a collection and then adds the computers that will receive the new operating system. He will deploy his deployment task sequence to that collection. Then the computers in the collection will run the task sequence to install the operating system. Adam configures distribution points that can respond to PXE boot requests. Adam creates a boot image that will be used by the capture media.

For more information about how to create a collection that contains computers, see the To create a device collection section in the How to Create Collections in Configuration Manager topic. For more information about configuring distribution points to accept PXE boot requests, see the Configuring Distribution Points to Support PXE-Initiated Deployments section in the Planning for PXE-Initiated Operating System Deployments in Configuration Manager topic. For more information about PXE-enabled boot
1862

Process

More information

Adam creates an x86 PXE-enabled boot image and an x64 PXE-enabled boot image. Configuration Manager requires both PXE-enabled boot images.

images, see the How to Create a PXE-enabled Boot Image section in the How to Deploy Operating Systems by Using PXE in Configuration Manager topic. For more information about how to distribute boot images, see the How to Specify where Boot Images are Distributed section in the How to Manage Boot Images in Configuration Manager topic.

Adam distributes boot images to the PXEenabled distribution point with the following steps: Before Adam creates his capture media, he distributes the boot image that the media uses to start the reference computer. Before Adam runs his deployment task sequence, he distributes the PXE-enabled boot images that will start the destination computer during the deployment task sequence.

Adam creates capture media to capture the operating system image from the reference computer and also creates a deployment task sequence to deploy the captured operating system image: Adam inserts a USB flash drive into the computer and runs the Create Task Sequence Media wizard. When prompted by the wizard, he specifies where the operating system image is stored. Adam runs the Create Task Sequence Wizard. On the Create New Task Sequence page, he selects the option to create a task sequence that installs an existing operating system image package.

For more information about capture media, see the How to Create Capture Media section in the How to Deploy Operating Systems by Using Media in Configuration Manager topic. For more information about how to create a task sequence to install an existing operating system image package, see the How to Create Task Sequences section in the How to Manage Task Sequences in Configuration Manager topic.

Adam inserts the USB flash drive into the No additional information. reference computer and starts the computer. The capture media starts the reference computer by using the boot image referenced by the media, and then captures the Windows 7 operating system image. After the operating system image is captured, Adam tests his deployment task sequence by deploying it to a collection that contains a single test computer. This strategy allows him to verify For more information about how to deploy the task sequence, see the How to Deploy a Task Sequence section in the How to Manage Task Sequences in Configuration Manager topic.
1863

Process

More information

that Windows 7 is installed correctly and that the Configuration Manager client is installed on the computer. When Adam has confirmed that the test deployment is ready for computers on the production network, he deploys his deployment task sequence to the collection that contains the destination computers and he monitors the results. To monitor the progress and verify that the operating system deployment was successful, Adam uses alerts and reports. As a result of Adams actions, the computers that wer e running the Windows XP operating system have been upgraded to Windows 7. For more information about how to deploy the task sequence, see the How to Deploy a Task Sequence section in the How to Manage Task Sequences in Configuration Manager topic. For more information about reports, see Reporting in Configuration Manager.

See Also
Technical Reference for Deploying Operating Systems in Configuration Manager

Task Sequence Variables in Configuration Manager

This section contains reference information about action variables and built-in variables that can be used in System Center 2012 Configuration Manager task sequences. Task sequence action variables provide a mechanism to configure and customize individual task sequence steps within a task sequence. Task sequence built-in variables supply configuration settings for computer, operating system, and user state configuration tasks that are performed on the destination computer. For more information about task sequence variables, see Planning a Task Sequences Strategy in Configuration Manager.

Task Sequence Variable Topics

Use the following topics to find information about action variables and built-in variables. Task Sequence Action Variables in Configuration Manager Task Sequence Built-in Variables in Configuration Manager

1864

Other Resources for this Product

TechNet Library main page for System Center 2012 Configuration Manager Technical Reference for Deploying Operating Systems in Configuration Manager

Task Sequence Action Variables in Configuration Manager

Task sequence action variables specify configuration settings that are used by a single step in a System Center 2012 Configuration Manager task sequence. By default, the settings used by a task sequence step are initialized before the step is run and available only while the associated task sequence step is run. In other words, the task sequence variable setting is added to the task sequence environment before the task sequence step is run, and the value is removed from the task sequence environment after the task sequence step has run.

Action Variable Example

For example, you can specify a start-in directory for a command-line action by using the Run Command Line task sequence step. This step includes a Start In property whose default value is stored in the task sequence environment as the WorkingDirectory variable. The WorkingDirectory environment variable is initialized before the Run Command Line task sequence action is run. During the Run Command Line step, the WorkingDirectory value can be accessed through the Start In property. Then after the task sequence step is completed, the value of the WorkingDirectory variable is removed from the task sequence environment. If the sequence contains another Run Command Line task sequence step, the new WorkingDirectory variable is initialized and set to the starting value for that task sequence step. Whereas the default value for a task sequence action setting is present while the task sequence step is run, any new value that you set can be used by multiple steps in the sequence. If you use one of the task sequence variable creation methods to override a built-in variable value, the new value remains in the environment and overrides the default value for other steps in the task sequence. In the previous example, if a Set Task Sequence Variable step is added as the first step of the task sequence and sets the WorkingDirectory environment variable to the value C:\, both Run Command Line steps in the task sequence will use the new starting directory value.

Action Variables for Task Sequence Actions

Configuration Manager task sequence variables are grouped by their associated task sequence action. Use the following links to gather information about the action variables associated with a specific action. The task sequence variables govern how the task sequence action operates. The task sequence action reads and uses the variables that you mark as input variables. Alternatively, you can use the Set Task Sequence Variable action or the TSEnvironment COM object to set the
1865

variables at runtime. Only the task sequence action marks variables as output variables, which are read by actions that occur later in the task sequence. Note Not all task sequence actions are associated with a set of task sequence variables. For example, although there are variables associated with the Enable BitLocker action, there are no variables associated with the Disable BitLocker action.

Apply Data Image Task Sequence Action Variables

The variables for this action specify which image of a WIM file is applied to the destination computer and whether to delete the files on the destination partition. For more information about the task sequence step associated with these variables, see Apply Data Image Task Sequence Step.

Details
Action Variable Name Description

OSDDataImageIndex (input) OSDWipeDestinationPartition (input)

Specifies the index value of the image that is applied to the destination computer. Specifies whether to delete the files located on the destination partition. Valid values: "true" (default) "false"

Apply Driver Package Task Sequence Action Variables

The variables for this action specify information the installation of mass storage drivers and whether to install unsigned drivers. For more information about the task sequence step associated with these variables, see Apply Driver Package Task Sequence Step.

Details
Action Variable Name Description

OSDApplyDriverBootCriticalContentUniqueID (input)

Specifies the content ID of the mass storage device driver to install from the driver package. If this is not specified, no mass storage driver is installed.

1866

Action Variable Name

Description

OSDApplyDriverBootCriticalINFFile (input)

Specifies the INF file of the mass storage driver to install. Note This task sequence variable is required if the OSDApplyDriverBootCriticalContentUniq ueID is set.

OSDApplyDriverBootCriticalHardwareCompo nent (input)

Specifies whether a mass storage device driver is installed, this must be scsi. Note This task sequence variable is required if the OSDApplyDriverBootCriticalContentUniq ueID is set. Specifies the boot critical ID of the mass storage device driver to install. This ID is listed in the "scsi" section of the device drivers txtsetup.oem file. Note This task sequence variable is required if the OSDApplyDriverBootCriticalContentUniq ueID is set.

OSDApplyDriverBootCriticalID (input)

OSDAllowUnsignedDriver (input)

Specifies whether to configure Windows to allow the installation of unsigned device drivers. This task sequence variable is not used when deploying the Windows Vista and later operating system. Valid values: "true" "false" (default)

Apply Network Settings Task Sequence Action Variables

The variables for this action specify network settings for the destination computer, such as settings for the network adapters of the computer, domain settings and workgroup settings. For
1867

more information about the task sequence step associated with these variables, see Apply Network Settings Step.

Details
Action Variable Name Description

OSDAdapter (input)

This task sequence variable is an array variable. Each element in the array represents the settings for a single network adapter on the computer. The settings defined for each adapter are accessed by combining the array variable name with the zero-based network adapter index and the property name. Note If multiple network adapters will be configured with this task sequence action, the properties for the second network adapter are defined by using their index in the variable name; for example, OSDAdapter1EnableDHCP, OSDAdapter1IPAddressList, OSDAdapter1DNSDomain, OSDAdapter1WINSServerList, OSDAdapter1EnableWINS, and so on. For example, the following variable names can be used to define the properties for the first network adapter that will be configured by this task sequence action: OSDAdapter0EnableDHCP true to enable Dynamic Host Configuration Protocol (DHCP) for the adapter. OSDAdapter0IPAddressList Comma-delimited list of IP addresses for the adapter. This property is ignored unless EnableDHCP is set to false. OSDAdapter0SubnetMask Comma-delimited list of subnet masks. This property is ignored unless EnableDHCP is set to false. OSDAdapter0Gateways Comma-delimited list of IP gateway addresses. This property is ignored unless EnableDHCP is set to false. OSDAdapter0DNSDomain - Domain Name System (DNS) domain for the adapter. OSDAdapter0DNSServerList Comma-delimited list of DNS servers for the adapter. OSDAdapter0EnableDNSRegistration true to
1868

Action Variable Name

Description

register the IP address for the adapter in DNS. OSDAdapter0EnableFullDNSRegistration true to register the IP address for the adapter in DNS under the full DNS name for the computer. OSDAdapter0EnableIPProtocolFiltering true to enable IP protocol filtering on the adapter. OSDAdapter0IPProtocolFilterList Comma-delimited list of protocols allowed to run over IP. This property is ignored if EnableIPProtocolFiltering is set to false. OSDAdapter0EnableTCPFiltering true to enable TCP port filtering for the adapter. OSDAdapter0TCPFilterPortList Comma-delimited list of ports to be granted access permissions for TCP. This property is ignored if EnableTCPFiltering is set to false. OSDAdapter0TcpipNetbiosOptions Options for NetBIOS over TCP/IP. Possible values are as follows: 0 Use NetBIOS settings from DHCP server. 1 Enable NetBIOS over TCP/IP. 2 Disable NetBIOS over TCP/IP. OSDAdapter0EnableWINS true to use WINS for name resolution. OSDAdapter0WINSServerList Comma-delimited list of WINS server IP addresses. This property is ignored unless EnableWINS is set to true. OSDAdapter0MacAddress Media access controller (MAC) address used to match settings to physical network adapter. OSDAdapter0Name Name of the network connection as it appears in the network connections control panel program. The name is between 0 and 255 characters in length. OSDAdapter0Index Index of the network adapter settings in the array of settings.

OSDAdapterCount (input)

Specifies the number of network adapters installed on the destination computer. When the OSDAdapterCount value is set, all the configuration options for each adapter must be set. For example, if you set the OSDAdapterTCPIPNetbiosOptions value for a specific adapter then all the values for that adapter must also be configured.
1869

Action Variable Name

Description

Caution If this value is not specified, all OSDAdapter values are ignored. OSDDNSDomain (input) OSDDomainName (input) OSDDomainOUName (input) Specifies the primary DNS server that is used by the destination computer. Specifies the name of the Windows domain that the destination computer joins. The specified value must be a valid Active Directory Domain Services domain name. Specifies the RFC 1779 format name of the organizational unit (OU) that the destination computer joins. If specified, the value must contain the full path. Example: LDAP://OU=MyOu,DC=MyDom,DC=MyCompany,DC=com OSDEnableTCPIPFiltering (input) Specifies whether TCP/IP filtering is enabled. Valid values: "true" "false" (default) OSDJoinAccount (input) OSDJoinPassword (input) OSDNetworkJoinType (input) Specifies the network account that is used to add the destination computer to a Windows domain. Specifies the network password that is used to add the destination computer to a Windows domain. Specifies whether the destination computer joins a Windows domain or a workgroup. "0" indicates that the destination computer joins a Windows domain. "1" specifies that the computer joins a workgroup. Valid values: "0" "1" OSDDNSSuffixSearchOrder (input) OSDWorkgroupName (input) Specifies the name of the workgroup that the destination computer joins. You must specify either this value or the OSDDomainName value. The workgroup name can be a maximum of 32
1870

Specifies the DNS search order for the destination computer.

Action Variable Name

Description

characters. Example: "Accounting"

Apply Operating System Image Task Sequence Action Variables

The variables for this action specify settings for the operating system that you want to install on the destination computer. For more information about the task sequence step associated with these variables, see Apply Operating System Image Step.

Details
Action Variable Name Description

OSDConfigFileName (input) OSDImageIndex (input) OSDInstallEditionIndex (input)

Specifies the file name of the operating system deployment answer file associated with the operating system deployment package. Specifies the image index value of the WIM file that is applied to the destination computer. Specifies the version of Windows Vista or later operating system that is installed. If no version is specified, Windows setup will determine which version to install using the referenced product key. Note Use only a value of zero (0) if the following conditions are true: You are installing a pre-Windows Vista operating system You are installing a volume license edition of Windows Vista or later, and no product key is specified.

Valid values: "0" (default) OSDTargetSystemDrive (output) Specifies the drive letter of the partition that contains the operating system files.
1871

Apply Windows Settings Task Sequence Action Variables

The variables for this action specify Windows settings for the destination computer, such as the computer name, Windows product key, registered user and organization, and the local administrator password. For more information about the task sequence step associated with these variables, see Apply Windows Settings Step.

Details
Action Variable Name Description

OSDComputerName (input)

Specifies the name of the destination computer. Example: "%_SMSTSMachineName%" (default)

OSDProductKey (input)

Specifies the Windows product key. Note The specified value must be between 1 and 255 characters. Specifies the default registered user name in the new operating system. Note The specified value must be between 1 and 255 characters.

OSDRegisteredUserName (input)

OSDRegisteredOrgName (input)

Specifies the default registered organization name in the new operating system. Note The specified value must be between 1 and 255 characters.

OSDTimeZone (input) OSDServerLicenseMode (input)

Specifies the default time zone setting that is used in the new operating system. Specifies the Windows Server license mode that is used. Valid values: "PerSeat" "PerServer"

OSDServerLicenseConnectionLimit (input)

Specifies the maximum number of connections allowed.

1872

Action Variable Name

Description

Note The specified number must be in the range between 5 and 9999 connections. OSDRandomAdminPassword (input) Specifies a randomly generated password for the administrator account in the new operating system. If set to true, the local administrator account will be disabled on the target computer. If set to false, the local administrator account will be enabled on the target computer, and the local administrator account password will be assigned the value of the variable OSDLocalAdminPassword. Valid values: "true" (default) "false" OSDLocalAdminPassword (input) Specifies the local administrator password. This value is ignored if the Randomly generate the local administrator password and disable the account on all supported platforms option is enabled. Note The specified value must be between 1 and 255 characters.

Auto Apply Drivers Task Sequence Action Variables

The variables for this action specify which Windows drivers are installed on the destination computer and whether unsigned drivers are installed. For more information about the task sequence step associated with these variables, see Auto Apply Drivers Step.

Details
Action Variable Name Description

OSDAutoApplyDriverCategoryList (input)

A comma-delimited list of the driver catalog category unique IDs. If specified, the Auto Apply Driver task sequence action considers
1873

Action Variable Name

Description

only those drivers that are in at least one of these categories when installing drivers. This value is optional, and it is not set by default. The available category IDs can be obtained by enumerating the list of SMS_CategoryInstance objects on the site. OSDAllowUnsignedDriver (input) Specifies whether Windows is configured to allow unsigned device drivers to be installed. This task sequence variable is not used when deploying Windows Vista and later operating systems. Valid values: "true" "false" (default) OSDAutoApplyDriverBestMatch (input) Specifies what the task sequence action does if there are multiple device drivers in the driver catalog that are compatible with a hardware device. If set to "true, only the best device driver will be installed. If false, all compatible device drivers will be installed, and the operating system will choose the best driver to use. Valid values: "true" (default) "false"

Capture Network Settings Task Sequence Action Variables

The variables for this action specify whether the network adapter settings (TCP/IP, DNS, and WINS) configuration information is captured and whether the workgroup or domain membership information is migrated as part of the operating system deployment. For more information about the task sequence step associated with these variables, see Capture Network Settings.

Details
Action Variable Name Description

OSDMigrateAdapterSettings

Specifies whether the network adapter settings (TCP/IP, DNS, and WINS) configuration
1874

Action Variable Name

Description

(input)

information is captured. Examples: "true" (default) "false"

OSDMigrateNetworkMembership (input)

Specifies whether the workgroup or domain membership information is migrated as part of the operating system deployment. Examples: "true" (default) "false"

Capture Operating System Image Task Sequence Action Variables

The variables for this action specify information about the operating system image that is being captured, such as where the image is stored, who created the image, and a description of the image. For more information about the task sequence step associated with these variables, see Capture Operating System Image.

Details
Action Variable Name Description

OSDCaptureAccount (input) OSDCaptureAccountPassword (input) OSDCaptureDestination (input)

Specifies a Windows account name that has permissions to store the captured image on a network share. Specifies the password for the Windows account used to store the captured image on a network share. Specifies the location where the captured operating system image is saved. The maximum directory name length is 255 characters. An optional name of the user who created the image. This name is stored in the WIM file. The
1875

OSDImageCreator (input)

Action Variable Name

Description

maximum length of the user name is 255 characters. OSDImageDescription (input) An optional user-defined description of the captured operating system image. This description is stored in the WIM file. The maximum length of the description is 255 characters. An optional user-defined version number to assign to the captured operating system image. This version number is stored in the WIM file. This value can be any combination of letters with a maximum length of 32 characters. Specifies the path to the Windows directory of the installed operating system on the reference computer. This operating system is verified as being a supported operating system for capture by Configuration Manager.

OSDImageVersion (input)

OSDTargetSystemRoot (input)

Capture User State Task Sequence Action Variables

The variables for this action specify information used by the User State Migration Tool (USMT), such as the folder where the user state is saved, command line options for USMT, and the configuration files used to control the capture of the user profiles. For more information about the task sequence step associated with these variables, see Capture User State.

Details
Action Variable Name Description

OSDStateStorePath (input) OSDMigrateAdditionalCaptureOptions (input)

The UNC or local path name of the folder where the user state is saved. No default. Specifies user state migration tool (USMT) command line options that are used when capturing the user state, but not exposed in the Configuration Manager user interface. The additional options are specified in the form of a string that is appended to the automatically generated USMT command line.

1876

Action Variable Name

Description

Note The USMT options specified with this task sequence variable are not validated for accuracy prior to running the task sequence. OSDMigrateMode (input) Allows you to customize the files that are captured by USMT. If this variable is set to Simple, then only the standard USMT configuration files are used. If this variable is set to Advanced, then the task sequence variable OSDMigrateConfigFiles specifies the configuration files that the USMT uses. Valid values: "Simple" "Advanced" OSDMigrateConfigFiles (input) Specifies the configuration files used to control the capture of user profiles. This variable is used only if OSDMigrateMode is set to Advanced. This comma-delimited list value is set to perform customized user profile migration. Example: miguser.xml,migsys.xml,migapps.xml OSDMigrateContinueOnLockedFiles (input) Allows the user state capture to proceed if some files cannot be captured. Valid values: "true" (default) "false" OSDMigrateEnableVerboseLogging (input) Enables verbose logging for the USMT. Valid values: "true" "false" (default) OSDMigrateSkipEncryptedFiles (input) Specifies whether encrypted files are captured. Valid values: "true" "false" (default)

1877

Action Variable Name

Description

_OSDMigrateUsmtPackageID (input)

Specifies the package ID of the Configuration Manager package that will contain the USMT files. This variable is required.

Capture Windows Settings Task Sequence Action Variables

The variables for this action specify whether specific Windows settings are migrated to the destination computer, such as the name of the computer, the register organization name, and time zone information. For more information about the task sequence step associated with these variables, see Capture Windows Settings.

Details
Action Variable Name Description

OSDMigrateComputerName (input)

Specifies whether the computer name is migrated. Valid values: "true" (default) "false" If the value is true, then the OSDComputerName variable is set to the NetBIOS name of the computer.

OSDComputerName (output)

Set to the NetBIOS name of the computer. The value is set only if the OSDMigrateComputerName variable is set to true. Specifies whether the computer user and organizational information is migrated. Valid values: "true" (default) "false" If the value is true, then the OSDRegisteredOrgName variable is set to the registered organization name of the computer.

OSDMigrateRegistrationInfo (input)

OSDRegisteredOrgName (output)

Set to the registered organization name of the computer. The value is set only if the OSDMigrateRegistrationInfo variable is set to
1878

Action Variable Name

Description

true. OSDMigrateTimeZone (input) Specifies whether the computer time zone is migrated. Valid values: "true" (default) "false" If the value is true, then the variable OSDTimeZone is set to the time zone of the computer. OSDTimeZone (output) Set to the time zone of the computer. The value is set only if the OSDMigrateTimeZone variable is set to true.

Connect to Network Folder Task Sequence Action Variables

The variables for this action specify information about a folder on a network, such as the account used and password to connect to the network folder, the drive letter of the folder, and the path to the folder. For more information about the task sequence step associated with these variables, see Connect To Network Folder.

Details
Action Variable Name Description

SMSConnectNetworkFolderAccount (input) SMSConnectNetworkFolderDriveLetter (input)

Specifies the administrator account that is used to connect to the network share. Specifies the network drive letter to connect to. This value is optional; if it is not specified, then the network connection is not mapped to a drive letter. Note If this value is specified, the value must be in the range from D: to Z:. In addition, do not use X: as it is the drive letter used by Windows PE during the Windows PE phase. Examples:
1879

Action Variable Name

Description

"D:" "E:" SMSConnectNetworkFolderPassword (input) SMSConnectNetworkFolderPath (input) Specifies the network password that is used to connect to the network share. Specifies the network path for the connection. Example: "\\servername\sharename"

Convert Disk to Dynamic Task Sequence Action Variables

The variable for this action specifies the number of the physical disk to convert from a basic to dynamic disk. For more information about the task sequence step associated with these variables, see Convert Disk to Dynamic.

Details
Action Variable Name Description

OSDConvertDiskIndex (input)

Specifies the physical disk number that is converted.

Enable BitLocker Task Sequence Action Variables

The variables for this action specify the recovery password and startup key options used to enable BitLocker on the destination computer. For more information about the task sequence step associated with these variables, see Enable BitLocker.

Details
Action Variable Name Description

OSDBitLockerRecoveryPassword (input)

Instead of generating a random recovery password, the Enable BitLocker task sequence action uses the specified value as the recovery password. The value must be a valid numerical BitLocker recovery password. Instead of generating a random startup key for the key management option Startup Key on
1880

OSDBitLockerStartupKey (input)

Action Variable Name

Description

USB only, the Enable BitLocker task sequence action uses the Trusted Platform Module (TPM) as the startup key. The value must be a valid, 256-bit Base64-encoded BitLocker startup key.

Format and Partition Disk Task Sequence Action Variables

The variables for this action specify information for formatting and partitioning a physical disk, such as the disk number and an array of partition settings. For more information about the task sequence step associated with these variables, see Format and Partition Disk.

Details
Action Variable Name Description

OSDDiskIndex (input) OSDDiskpartBiosCompatibilityMode (input)

Specifies the physical disk number to be partitioned. Specifies whether to disable cache alignment optimizations when partitioning the hard disk for compatibility with certain types of BIOS. This can be necessary when deploying Windows XP or Windows Server 2003 operating systems. For more information, see article 931760 and article 931761 in the Microsoft Knowledge Base. Valid values: "true" "false" (default)

OSDGPTBootDisk (input)

Specifies whether to create an EFI partition on a GPT hard disk so that it can be used as the startup disk on EFI-based computers. Valid values: "true" "false" (default)

OSDPartitions (input)

Specifies an array of partition settings; see the SDK topic for accessing array variables in the task sequence environment.
1881

Action Variable Name

Description

This task sequence variable is an array variable. Each element in the array represents the settings for a single partition on the hard disk. The settings defined for each partition can be accessed by combining the array variable name with the zero-based disk partition number and the property name. For example, the following variable names can be used to define the properties for the first partition that will be created by this task sequence action on the hard disk: Note If multiple partitions will be defined with this task sequence action, the properties for the second partition can be defined by using their index in the variable name; for example, OSDPartitions1Type, OSDPartitions1FileSystem, OSDPartitions1Bootable, OSDPartitions1QuickFormat, OSDPartitions1VolumeName, and so on. OSDPartitions0Type - Specifies the type of partition. This is a required property. Valid values are "Primary", "Extended", "Logical", and "Hidden". OSDPartitions0FileSystem - Specifies the type of file system to use when formatting the partition. This is an optional property; if no file system is specified, the partition will not be formatted. Valid values are "FAT32" and "NTFS". OSDPartitions0Bootable - Specifies whether the partition is bootable. This is a required property. If this value is set to "TRUE" for MBR disks, then this will be made the active partition. OSDPartitions0QuickFormat - Specifies the type of format that is used. This is a required property. If this value is set to
1882

Action Variable Name

Description

"TRUE", a quick format will be performed; otherwise, a full format will be performed. OSDPartitions0VolumeName - Specifies the name that is assigned to the volume when it is formatted. This is an optional property. OSDPartitions0Size - Specifies the size of the partition. Units are specified by the OSDPartitions0SizeUnits variable. This is an optional property. If this property is not specified, the partition is created using all remaining free space. OSDPartitions0SizeUnits - Specifies the units that will be used when interpreting the OSDPartitions0Size task sequence variable. This is an optional property. Valid values are "MB" (default), "GB", and "Percent". OSDPartitions0VolumeLetterVariable Partitions will always use the next available drive letter in Windows PE when they are created. Use this optional property to specify the name of another task sequence variable, which will be used to save the new drive letter for future reference.

OSDPartitionStyle (input)

Specifies the partition style to use when partitioning the disk. "MBR" indicates the master boot record partition style, and "GPT" indicates the GUID Partition Table style. Valid Values: "GPT" "MBR"

Install Software Updates Task Sequence Action Variables

The variable for this action specifies whether to install all updates or only mandatory updates. For more information about the task sequence step associated with these variables, see Install Software Updates.

Details
1883

Action Variable Name (input)

Description

SMSInstallUpdateTarget (input)

Specifies whether to install all updates or only mandatory updates. Valid values: "All" "Mandatory"

Join Domain or Workgroup Task Sequence Action Variables

The variables for this action specify information needed to join the destination computer to a Windows domain or workgroup. For more information about the task sequence step associated with these variables, see Join Domain or Workgroup.

Details
Action Variable Name Description

OSDJoinAccount (input) OSDJoinDomainName (input)

Specifies the account that is used by the destination computer to join the Windows domain. This variable is required when joining a domain. Specifies the name of a Windows domain the destination computer joins. Note The length of the Windows domain name must be between 1 and 255 characters.

OSDJoinDomainOUName (input)

Specifies the RFC 1779 format name of the organizational unit (OU) that the destination computer joins. If specified, the value must contain the full path. Example: LDAP://OU=MyOu,DC=MyDom,DC=MyCompany,DC=com Note The length of the Windows domain OU name must be between 0 and 32,767 characters. This value is not set if the OSDJoinType variable is set to "1" (join workgroup).

OSDJoinPassword

Specifies the network password that is used by the destination computer to join the Windows domain. If the
1884

Action Variable Name

Description

(input)

variable is not specified then a blank password is tried. Note This value is required if the variable OSDJoinType variable is set to "0" (join domain).

OSDJoinSkipReboot (input)

Specifies whether to skip restarting after the destination computer joins the domain or workgroup. Valid values: "true" "false"

OSDJoinType (input)

Specifies whether the destination computer joins a Windows domain or a workgroup. To join the destination computer to a Windows domain specify "0". To join the destination computer to a workgroup specify "1". Valid values: "0" "1"

OSDJoinWorkgroupName (input)

Specifies the name of a workgroup that the destination computer joins. Note The length of the workgroup name must be between 1 and 32 characters. Example: "Accounting"

Prepare Windows for Capture Task Sequence Action Variables

The variables for this action specify information used to capture the Windows operating system from the target computer. For more information about the task sequence step associated with these variables, see Prepare ConfigMgr Client for Capture.

Details
Action Variable Name Description

OSDBuildStorageDriverList (input)

Specifies whether sysprep builds a mass storage device driver list. This setting applies to
1885

Action Variable Name

Description

only Windows XP and Windows Server 2003. It will populate the [SysprepMassStorage] section of sysprep.inf with information on all the mass storage drivers that are supported by the image to be captured. Valid values: "true" "false" (default) OSDKeepActivation (input) Specifies whether sysprep resets the product activation flag. Valid values: "true" "false" (default) OSDTargetSystemRoot (output) Specifies the path to the Windows directory of the installed operating system on the reference computer. This operating system is verified as being a supported operating system for capture by Configuration Manager.

Release State Store Sequence Action Variables

The variables for this action specify information used to release the stored user state. For more information about the task sequence step associated with these variables, see Release State Store.

Details
Action Variable Name Description

OSDStateStorePath (input)

The UNC or local pathname to the location from which the user state is restored. This value is used by both the Capture User State task sequence action and the Restore User State task sequence action.

1886

Request State Store Task Sequence Action Variables

The variables for this action specify information used to request the stored user state, such as the folder on the state migration point where the user data is stored. For more information about the task sequence step associated with these variables, see Release State Store.

Details
Action Variable Name Description

OSDStateFallbackToNAA (input)

Specifies whether the Network Access Account is used as a fallback when the computer account fails to connect to the state migration point. Valid values: "true" "false" (default)

OSDStateSMPRetryCount (input)

Specifies the number of times that the task sequence step tries to find a state migration point before the step fails. Note The specified count must be between 0 and 600.

OSDStateSMPRetryTime (input)

Specifies the number of seconds that the task sequence step waits between retry attempts. The number of seconds can be a maximum of 30 characters. The UNC path to the folder on the state migration point where the user state is stored.

OSDStateStorePath (output)

Restart Computer Task Sequence Action Variables

The variables for this action specify information used to restart the destination computer. For more information about the task sequence step associated with these variables, see Restart Computer.

Details

1887

Action Variable Name

Description

SMSRebootMessage (input)

Specifies the message to be displayed to users before restarting the destination computer. If this variable is not set, the default message text is displayed. Note The specified message must not exceed 512 characters. Example: "This computer will be restarted; please save your work."

SMSRebootTimeout (input)

Specifies the number of seconds that the warning is displayed to the user before the computer restarts. Specify zero seconds to indicate that no reboot message is displayed. Examples: "0" (default) "5" "10"

Restore User State Task Sequence Action Variables

The variables for this action specify information used to restore the user state of the destination computer, such as pathname of the folder from which the user state is restored and whether the local computer account is restored. For more information about the task sequence step associated with these variables, see Restore User State.

Details
Action Variable Name Description

OSDStateStorePath (input) OSDMigrateContinueOnRestore (input)

The UNC or local pathname of the folder from which the user state is restored. Specifies that the user state restoration continues even if some files cannot be restored. Valid values: "true" (default)
1888

Action Variable Name

Description

"false" OSDMigrateEnableVerboseLogging (input) Enables verbose logging for the USMT tool. Note This value is required by the action; it must be set to "true" or "false". Valid values: "true" "false" (default) OSDMigrateLocalAccounts (input) Specifies whether the local computer account is restored. Valid values: "true" "false" (default) OSDMigrateLocalAccountPassword (input) If the OSDMigrateLocalAccounts variable is true, this variable must contain the password that is assigned to all local accounts that are migrated. Because the same password is assigned to all migrated local accounts, it is considered a temporary password that will be changed later by some method other than Configuration Manager operating system deployment. Specifies additional user state migration tool (USMT) command line options that are used when restoring the user state. The additional options are specified in the form of a string that is appended to the automatically generated USMT command line. Note The USMT options specified with this task sequence variable are not validated for accuracy prior to running the task sequence. _OSDMigrateUsmtRestorePackageID (input) Specifies the package ID of the Configuration Manager package that contains the USMT files. This variable is required.
1889

OSDMigrateAdditionalRestoreOptions (input)

Run Command Line Task Sequence Action Variables

The variables for this action specify information used to run a command from the command line, such as the working directory where the command is run. For more information about the task sequence step associated with these variables, see Run Command Line.

Details
Action Variable Name Description

SMSTSDisableWow64Redirection (input)

By default, when running on a 64-bit operating system, the program in the command line is located and run using the WOW64 file system redirector so that 32-bit versions of operating system programs and DLLs are found. Setting this variable to true disables the use of the WOW64 file system redirector so that native 64-bit versions of operating system programs and DLLs can be found. This variable has no effect when running on a 32-bit operating system. Specifies the starting directory for a commandline action. Note The specified directory name must not exceed 255 characters. Examples: "C:\" "%SystemRoot%"

WorkingDirectory (input)

SMSTSRunCommandLineUserName (input) SMSTSRunCommandLinePassword (input)

Specifies the account by which the command line is run. The value is a string of the form username or domain\username. Specifies the password for the account specified by the SMSTSRunCommandLineUserName variable.

Setup Windows and ConfigMgr Task Sequence Action Variables

The variable for this action specifies the client installation properties that are used when installing the Configuration Manager client. For more information about the task sequence step associated with these variables, see Setup Windows and ConfigMgr.
1890

Details
Action Variable Name (input) Description

SMSClientInstallProperties (input)

Specifies the client installation properties that are used when installing the Configuration Manager client.

See Also
Task Sequence Variables in Configuration Manager

Task Sequence Built-in Variables in Configuration Manager

Task sequence built-in variables are provided by System Center 2012 Configuration Manager. Built-in variables provide information about the environment where the task sequence is running, and their values are available throughout the whole task sequence. Typically, built-in variables are initialized before steps are run in the task sequence. For example, the built-in variable _SMSTSLogPath is an environment variable that specifies the path that Configuration Manager components use to write log files while the task sequence runs; any task sequence step can access this environment variable. However, some variables, such as _SMSTSCurrentActionName, are evaluated before each step. The values of built-in variables are generally read-only. The values are read only for built-in variables with a name that begins with an underscore.

Task Sequence Built-in Variable List

The following list describes the built-in variables that are available in Configuration Manager:
Built-in Variable Name Description

_SMSTSAdvertID

Stores the current running task sequence deployment unique ID. It uses the same format as a Configuration Manager software distribution deployment ID. If the task sequence is running from stand-alone media, this variable is undefined. Example:
1891

Built-in Variable Name

Description

ABC20001

_SMSTSBootImageID

Stores the Configuration Manager boot image package ID if a boot image package is associated with the current running task sequence. The variable will not be set if no Configuration Manager boot image package is associated. Example: ABC00001

_SMSTSBootUEFI

For Configuration Manager SP1 only: The task sequence sets the SMSTSBootUEFI variable when it detects a computer that is in UEFI mode.

_SMSTSClientGUID

Stores the value of Configuration Manager client GUID. This variable is not set if the task sequence is running from stand-alone media. Example: 0a1a9a4b-fc56-44f6-b7cd-c3f8ee37c04c

_SMSTSCurrentActionName

Specifies the name of the currently running task sequence step. This variable is set before the task sequence manager runs each individual step. Example: run command line

_SMSTSDownloadOnDemand

Set to true if the current task sequence is running in download-on-demand mode, which means the task sequence manager downloads content locally only when it must access the content. This variable is set to true when the current task sequence step is running in the Windows PE environment, and it is set to false if not. You can test this task sequence variable to determine the current operating system environment.

_SMSTSInWinPE

1892

Built-in Variable Name

Description

_SMSTSLastActionRetCode

Stores the return code that was returned by the last action that was run. This variable can be used as a condition to determine if the next step is run. Example: 0

_SMSTSLastActionSucceeded

The variable is set to true if the last action succeeded and to false if the last action failed. If the last action was skipped because the step was disabled or the associated condition evaluated to false, this variable is not reset, which means it still holds the value for the previous action. Specifies the task sequence launch method. The task sequence can have the following values: SMS - specifies that the task sequence is started by using the Configuration Manager client. UFD - specifies that the task sequence is started by using USB media and that the USB media was created in Windows XP/2003. UFD+FORMAT - specifies that the task sequence is started by using USB media and that the USB media was created in Windows Vista or later. CD - specifies that the task sequence is started by using a CD. DVD - specifies that the task sequence is started by using a DVD. PXE - specifies that the task sequence is started from PXE. HD specifies that the task sequence was started from a hard disk (prestaged media only).

_SMSTSLaunchMode

_SMSTSLogPath

Stores the full path of the log directory. This can be used to determine where actions are logged. This value is not set when a hard drive is not
1893

Built-in Variable Name

Description

available. _SMSTSMachineName Stores and specifies the computer name. Stores the name of the computer that the task sequence will use to log all status messages. To change the computer name in the new operating system, use the OSDComputerName variable. Example: ABC _SMSTSMDataPath Specifies the path defined by the SMSTSLocalDataDrive variable. When you define SMSTSLocalDataDrive before the task sequence starts, such as by setting a collection variable, Configuration Manager then defines the _SMSTSMDataPath variable once the Task Sequence starts. Specifies the type of media that is used to initiate the installation. Examples of types of media are Boot Media, Full Media, PXE, and Prestaged Media. Stores the name or IP address of a Configuration Manager management point. Stores the management point port number of a Configuration Manager management point. Example: 80 _SMSTSOrgName Stores the branding title name that is displayed in a task sequence progress user interface dialog box. Example: XYZ Organization _SMSTSPackageID Stores the current running task sequence ID. This ID uses the same format as a Configuration Manager software package ID. Example: HJT00001
1894

_SMSTSMediaType

_SMSTSMP

_SMSTSMPPort

Built-in Variable Name

Description

_SMSTSPackageName

Stores the current running task sequence name specified by the Configuration Manager administrator when the task sequence is created. Example: Deploy Windows 7 task sequence

_SMSTSRunFromDP

Set to true if the current task sequence is running in run-from-distribution-point mode, which means the task sequence manager obtains required package shares from distribution point. Stores the site code of the Configuration Manager site. Example: ABC

_SMSTSSiteCode

_SMSTSType

Specifies the type of the current running task sequence. It can have the following values: 1 - indicates a generic task sequence. 2 - indicates an operating system deployment task sequence.

_SMSTSTimezone

The _SMSTSTimezone variable stores the time zone information in the following format (without spaces): Bias, StandardBias, DaylightBias, StandardDate.wYear, wMonth, wDayOfWeek, wDay, wHour, wMinute, wSecond, wMilliseconds, DaylightDate.wYear, wMonth, wDayOfWeek, wDay, wHour, wMinute, wSecond, wMilliseconds, StandardName, DaylightName Example: For the Eastern Time U.S. and Canada, the value would be 300,0,60,0,11,0,1,2,0,0,0,0,3,0,2,2,0,0,0,Eastern Standard Time,Eastern Daylight Time

_SMSTSUseCRL

Specifies whether the task sequence uses the

1895

Built-in Variable Name

Description

certificate revocation list when it uses a Secure Socket Layer (SSL) certificate to communicate with the management point. _SMSTSUserStarted Specifies whether a task sequence is started by a user. This variable is set only if the task sequence is started from the Software Center. For example, if _SMSTSLaunchMode is set to SMS. The variable can have the following values: true - specifies that the task sequence is manually started by a user from the Software Center. false - specifies that the task sequence is initiated automatically by the Configuration Manager scheduler.

_SMSTSUseSSL

Specifies whether the task sequence uses SSL to communicate with the Configuration Manager management point. If your site is running in native mode, the value is set to true. For Configuration Manager SP1 only: Specifies if the computer is running as a Windows To Go device.

_SMSTSWTG

SMSTSAssignmentsDownloadInterval

For Configuration Manager SP1 only: Use this variable to specify the number of seconds to wait before the client will attempt to download the task sequence policy since the last attempt (which returned no policies). You can set this variable by using a prestart command from media or PXE.

SMSTSAssignmentsDownloadRetry

For Configuration Manager SP1 only: Use this variable to specify the number of times a client will attempt to download the task sequence policy after no policies are found on the first attempt. You can set this variable by using a prestart command from media or PXE.

SMSTSAssignUsersMode

Specifies how a task sequence associates users with the destination computer. Set the
1896

Built-in Variable Name

Description

variable to one of the following values. Auto: The task sequence creates a relationship between the specified users and destination computer when it deploys the operating system to the destination computer. Pending: The task sequence creates a relationship between the specified users and the destination computer, but waits for approval from the administrative user before the relationship is set. Disabled: The task sequence does not associate users with the destination computer when it deploys the operating system.

SMSTSDownloadProgram

For Configuration Manager SP1 only: Use this variable to specify an Alternate Content Provider, a downloader program that is used to download content instead of the default Configuration Manager downloader, for the task sequence. As part of the content download process, the task sequence checks the variable for a specified downloader program. If specified, the task sequence runs the program to perform the download.

SMSTSErrorDialogTimeout

When an error occurs in a task sequence, a dialog box is displayed that is dismissed automatically after a default time-out value. Use this variable to specify a time-out value in seconds other than the default of 15 minutes. For Configuration Manager SP1 only: Use this variable to change the display language of a language neutral boot image.

SMSTSLanguageFolder

SMSTSLocalDataDrive

Specifies where temporary files are stored on the destination computer while the task sequence is running. This variable must be set before the task sequence starts, such as by setting a collection variable. Once the task sequence starts,
1897

Built-in Variable Name

Description

Configuration Manager defines the _SMSTSMDataPath variable once the Task Sequence starts. SMSTSPersistContent For Configuration Manager SP1 only: Use this variable to temporarily persist content in the task sequence cache. SMSTSPostAction For Configuration Manager SP1 only: Specifies a command that is run after the task sequence completes. For example, you can use this variable to specify a script that enables write filters on embedded devices after the task sequence deploys an operating system to the device. SMSTSPreferredAdvertID Forces a specific targeted deployment on the destination computer to be run. This can be set through a prestart command from media or PXE. If this variable is set, the task sequence overrides any required deployments. For Configuration Manager SP1 only: This variable determines whether or not the task sequence uses the drive letter captured in the operating system image WIM file when applying that image to a destination computer. In Configuration Manager with no service pack, the drive letter captured in the WIM file was used when applying the operating system image WIM file. In Configuration Manager SP1, you can set the value for this variable to False to use the drive letter that you specify in the task sequence. SMSTSRebootDelay Specifies how many seconds to wait before the computer restarts. The task sequence manager will display a notification dialog before reboot if this variable is not set to 0. Examples: 0 30

OSDPreserveDriveLetter

1898

Built-in Variable Name

Description

SMSTSRebootMessage

Specifies the message to display in the shutdown dialog box when a restart is requested. If this variable is not set, a default message will appear. Example: This computer is being restarted by the task sequence manager.

SMSTSRebootRequested

Indicates that a restart is requested after the current task sequence step is completed. If a restart is required, just set this variable to true, and the task sequence manager will restart the computer after this task sequence step. The task sequence step must set this task sequence variable if it requires the restart to complete the task sequence step. After the computer is restarted, the task sequence will continue to run from the next task sequence step. Requests a retry after the current task sequence step is completed. If this task sequence variable is set, the SMSTSRebootRequested must also be set to true. After the computer is restarted, the task sequence manager will rerun the same task sequence step. Specifies the primary user of the destination computer. Specify the users by using the following format. Separate multiple users by using a comma (,). Example: domain\user1, domain\user2, domain\user3 For more information about associating users with the destination computer, see How to Associate Users with a Destination Computer.

SMSTSRetryRequested

SMSTSUDAUsers

See Also
Task Sequence Variables in Configuration Manager
1899

Task Sequence Steps in Configuration Manager

The following task sequence steps can be added to a System Center 2012 Configuration Manager task sequence. For information about editing a task sequence, see the How to Modify a Task Sequence section in the How to Manage Task Sequences in Configuration Manager topic.

Apply Data Image Task Sequence Step

Use the Apply Data Image task sequence step to copy the data image to the specified destination partition. This step runs only in Windows PE. It does not run in a standard operating system. For more information about the task sequence variables for this action, see Apply Data Image Task Sequence Action Variables in the Task Sequence Action Variables in Configuration Manager topic.

Details
On the Properties tab for this step, you can configure the settings described in this section. In addition, use the Options tab to do the following actions: Disable the step. Specify if the task sequence continues if an error occurs while running the step. Specify conditions that must be met for the step to run.

Name A short user-defined name that describes the action taken in this step.

Description More detailed information about the action taken in this step.

Image Package Specify the Image Package that will be used by this task sequence step by clicking Browse. Select the package you want to install in the Select a Package dialog box. The associated property information for each existing image package is displayed at the bottom of the Select a Package dialog box. Use the drop-down list to select the Image you want to install from the selected Image Package. Note This task sequence action treats the image as a data file and does not do any of the setup necessary to boot the image as an operating system.
1900

Destination Specifies an existing formatted partition and hard disk, specific logical drive letter, or the name of a task sequence variable that contains the logical drive letter. Next available partition Use the next sequential partition that has not been previously targeted by an Apply Operating System or Apply Data Image action in this task sequence. Specific disk and partition Select the Disk number (starting with 0) and the Partition number (starting with 1). Specific logical drive letter Specify the Drive Letter assigned to the partition by Windows PE. Note that this drive letter can be different from the drive letter that the newly deployed operating system will assign. Logical drive letter stored in a variable Specify the task sequence variable containing the drive letter assigned to the partition by Windows PE. This variable would typically be set in Advanced section of the Partition Properties dialog box for the Format and Partition Disk task sequence action.

Delete all content on the partition before applying the image Specifies that all files on the target partition will be deleted before the image is installed. By not deleting the content of the partition, this step can be used to apply additional content to a previously targeted partition.

Apply Driver Package

Use the Apply Driver Package task sequence step to download all of the drivers in the driver package and install them on the Windows operating system. This step is necessary to install boot-critical drivers on pre-Vista operating systems. The Apply Driver Package task sequence step makes all device drivers in a driver package available for use by Windows. This step can be added to a task sequence between the Apply Operating System and the Setup Windows and ConfigMgr steps to make the device drivers in the driver package available to Windows. Typically, the Apply Driver Package step is placed after the Auto Apply Drivers task sequence step. The Apply Driver Package task sequence step is also useful with stand-alone media deployment scenarios. Ensure that similar device drivers are put into a driver package and distribute them to the appropriate distribution points. After they are distributed Configuration Manager client computers can install them. For example, you can put all the device drivers from a manufacturer into a driver package, and then distribute the package to distribution points where the associated computers can access them. This action can also be used to install boot critical mass storage device drivers for Windows XP x64 SP2, Windows XP SP3, and Windows Server 2003 SP2.

1901

This step is useful for stand-alone media and for administrators who want to install a specific set of drivers, including drivers for devices that would not be detected in a Plug-n-Play scan (for example, network printers). Note When deploying pre-Vista operating systems, if the image already has a driver installed for a device on the computer, the Auto Apply Drivers step, the Apply Driver Package step, or any new drivers installed by a task sequence action will not be processed. To ensure the new drivers are installed, in the sysprep.inf file, set the UpdateInstalledDrivers option in the Unattended section to Yes. This task sequence step runs only in Windows PE. It does not run in a standard operating system. For more information about the task sequence variables for this action, see Apply Driver Package Task Sequence Action Variables in the Task Sequence Action Variables in Configuration Manager topic.

Details
On the Properties tab for this step, you can configure the settings described in this section. In addition, use the Options tab to do the following actions: Disable the step. Specify if the task sequence continues if an error occurs while running the step. Specify conditions that must be met for the step to run.

Name A short user-defined name that describes the action taken in this step.

Description More detailed information about the action taken in this step.

Driver package Specify the driver package that contains the needed device drivers by clicking Browse and launching the Select a Package dialog box. Specify an existing package to be made available. The associated package properties are displayed at the bottom of the dialog box.

Select the mass storage driver within the package that needs to be installed before setup on pre-Windows Vista operating systems Specify any mass storage device drivers that are needed for pre- Windows Vista operating system installations.

1902

Driver Select the mass storage device driver file to be installed before setup on pre-Windows Vista operating system deployments. The drop-down list is populated from the specified package.

Model Specify the boot-critical device that is needed for pre-Windows Vista operating system deployments.

Do unattended installation of unsigned drivers on version of Windows where this is allowed Select this option to allow Windows to install drivers that are unsigned on the reference computer.

Apply Network Settings Step

Use the Apply Network Settings task sequence step to specify the network or workgroup configuration information for the destination computer. The specified values are stored in the appropriate answer file format for use by Windows Setup when the Setup Windows and ConfigMgr task sequence step is run. This task sequence step runs in either a standard operating system or Windows PE. For more information about the task sequence variables for this action, see Apply Network Settings Task Sequence Action Variables in the Task Sequence Action Variables in Configuration Manager topic.

Details
On the Properties tab for this step, you can configure the settings described in this section. In addition, use the Options tab to do the following actions: Disable the step. Specify if the task sequence continues if an error occurs while running the step. Specify conditions that must be met for the step to run.

Name A short user-defined name that describes the action taken in this step.

Description More detailed information about the action taken in this step.

1903

Join a workgroup Select this option to have the destination computer join the specified workgroup. Enter the name of the workgroup on the Workgroup line. This value can be overridden by the value that is captured by the Capture Network Settings task sequence step.

Join a domain Select this option to have the destination computer join the specified domain. Specify or browse to the domain, such as fabricam.com. Specify or browse to a Lightweight Directory Access Protocol (LDAP) path for an organizational unit (i.e. LDAP//OU=computers, DC=Fabricam.com, C=com).

Account Click Set to specify an account with the necessary permissions to join the computer to the domain. In the Windows User Account dialog box you can enter the user name using the following format: Domain\User .

Adapter settings Specify network configurations for each network adapter in the computer. Click New to open the Network Settings dialog box, and then specify the network settings. If network settings were captured in a previous Capture Network Settings task sequence step, the previous settings are applied to the network adapter and the settings specified in this in this step are not applied. If network settings were not previously captured, the settings specified in the Apply Network Settings step are applied to network adapters in Windows device enumeration order.

Apply Operating System Image

Use the Apply Operating System Image task sequence step to install an operating system on the destination computer. This task sequence step performs a set of actions depending on whether it is using an operating system image or an operating system installation package to install the operating system. The Apply Operating System Image step performs the following actions when an operating system image is used. 1. Deletes all content on the targeted volume except for those files under the folder specified by the _SMSTSUserStatePath task sequence variable. 2. Extracts the contents of the specified .wim file to the specified destination partition. 3. Prepares the answer file: a. Creates a new default Windows Setup answer file (sysprep.inf or unattend.xml) for the operating system that is being deployed.
1904

b. Merges any values from the user-supplied answer file. 4. Copies Windows boot loaders into the active partition. 5. Sets up the boot.ini or the Boot Configuration Database (BCD) to reference the newly installed operating system. The Apply Operating System Image step performs the following actions when an operating system installation package is used. 1. Deletes all content on the targeted volume except for those files under the folder specified by the _SMSTSUserStatePath task sequence variable. 2. Prepares the answer file: a. Creates a fresh answer file with standard values created by Configuration Manager. b. Merges any values from the user-supplied answer file. Note Actual installation of Windows is started by the Setup Windows and ConfigMgr task sequence step. After the Apply Operating System task sequence action has run, the OSDTargetSystemDrive task sequence variable is set to the drive letter of the partition containing the operating system files. This task sequence step runs only in Windows PE. It does not run in a standard operating system. For more information about the task sequence variables for this action, see Apply Operating System Image Task Sequence Action Variables in the Task Sequence Action Variables in Configuration Manager topic.

Details
On the Properties tab for this step, you can configure the settings described in this section. In addition, use the Options tab to do the following actions: Disable the step. Access content directly from the distribution point : For Configuration Manager SP1 only: Use this option to specify whether you want the task sequence to access the operating system image directly from the distribution point. For example, you can use this option when you deploy operating systems to embedded devices that have limited storage capacity. When this option is selected, you must also configure the package share settings on the Data Access tab of the package properties. Note This setting overrides the deployment option that is configured on the Distribution Points page in the Deploy Software Wizard only for the operating system image specified in this task sequence step, and not all content for the entire task sequence. Specify if the task sequence continues if an error occurs while running the step. Specify conditions that must be met for the step to run.

1905

Name A short user-defined name that describes the action taken in this step.

Description More detailed information about the action taken in this step.

Apply operating system from a captured image Installs an operating system image that has previously been captured. Click Browse to open the Select a package dialog box, and then select the existing image package you want to install. If multiple images are associated with the specified Image package, use the drop-down list to specify the associated image that will be used for this deployment. You can view basic information about each existing image by clicking on the image.

Apply operating system image from an original installation source Installs an operating system using an original installation source. Click Browse to open the Select and Operating System Install Package dialog box, and then select the existing operating system installation package you want to use. You can view basic information about each existing image source by clicking on the image source. The associated image source properties are displayed in the results pane at the bottom of the dialog box. If there are multiple editions associated with the specified package, use the drop-down list to specify the associated Edition that is used.

Use an unattended or sysprep answer file for a custom installation Use this option to provide a Windows setup answer file ( unattend.xml, unattend.txt, or sysprep.inf) depending on the operating system version and installation method. The file you specify can include any of the standard configuration options supported by Windows answer files. For example, you can use it to specify the default Internet Explorer home page. You must specify the package that contains the answer file and the associated path to the file in the package. Note The Windows setup answer file that you supply can contain embedded task sequence variables of the form %varname%, where varname is the name of the variable. The % varname% string will be substituted for the actual variable values in the Setup Windows and ConfigMgr task sequence action. Note however, that such embedded task sequence variables cannot be used in numeric-only fields in an unattend.xml answer file. If you do not supply a Windows setup answer file, this task sequence action will automatically generate an answer file.

1906

Destination Specifies an existing formatted partition and hard disk, specific logical drive letter, or the name of a task sequence variable that contains the logical drive letter. Next available partition Use the next sequential partition that has not been previously targeted by an Apply Operating System or Apply Data Image action in this task sequence. Specific disk and partition Select the Disk number (starting with 0) and the Partition number (starting with 1). Specific logical drive letter Specify the Drive Letter assigned to the partition by Windows PE. Note that this drive letter can be different from the drive letter that the newly deployed operating system will assign. Logical drive letter stored in a variable Specify the task sequence variable containing the drive letter assigned to the partition by Windows PE. This variable would typically be set in Advanced section of the Partition Properties dialog box for the Format and Partition Disk task sequence action.

Apply Windows Settings

Use the Apply Windows Settings task sequence step to configure the Windows settings for the destination computer. The specified values are stored in the appropriate answer file format for use by Windows Setup when the Setup Windows and ConfigMgr task sequence step is run. This task sequence step runs only in Windows PE. It does not run in a standard operating system. For more information about the task sequence variables for this action, see Apply Windows Settings Task Sequence Action Variables in the Task Sequence Action Variables in Configuration Manager topic.

Details
On the Properties tab for this step, you can configure the settings described in this section. In addition, use the Options tab to do the following actions: Disable the step. Specify if the task sequence continues if an error occurs while running the step. Specify conditions that must be met for the step to run.

Name A short user-defined name that describes the action taken in this step

Description More detailed information about the action taken in this step.

1907

User name Specify the registered user name that is associated with the destination computer. This value can be overridden by the value that is captured by the Capture Windows Settings task sequence action.

Organization name Specify the registered organization name that is associated with the destination computer. This value can be overridden by the value that is captured by the Capture Windows Settings task sequence action.

Product key Specify the product key that is used for the Windows installation on the destination computer.

Server licensing Specify the server licensing mode. You can select Per server or Per user as the licensing mode. If you select per Server as the licensing mode you will also need to specify the maximum number of connections that will be permitted per your license agreement. Select Do not specify if the destination computer is not a server or you do not want to specify the licensing mode.

Maximum connections Specify the maximum number of connections that are available for this computer as stated in your license agreement.

Randomly generate the local administrator password and disable the account on all supported platforms (recommended) Select this option to randomly generate a local administrator password. This creates a local administrator password and causes the account to be disabled on supported platforms.

Enable the account and specify the local administrator password Select this option to enable the local administrator account and create the local administrator password. Enter the password on the Password line and confirm the password on the Confirm password line.

Time Zone Specify the time zone to configure on the destination computer. This value can be
1908

overridden by the value that is captured by the Capture Windows Settings task sequence step.

Auto Apply Drivers

Use the Auto Apply Drivers task sequence step to match and install drivers as part of the operating system deployment. The Auto Apply Drivers task sequence step performs the following actions: 1. Scans the hardware and finds the Plug-n-Play IDs for all devices present on the system. 2. Sends the list of devices and their Plug-n-Play IDs to the management point. The management point returns a list of compatible drivers from the driver catalog for each device. The management point considers all drivers regardless of what driver package they might be in. Only those drivers tagged with the specified driver category and those drivers that are not marked as disabled are considered. 3. For each device, the client picks the best driver that is appropriate for the operating system on which it is being deployed and that is on an accessible distribution point. 4. The selected driver or drivers are downloaded from a distribution point and staged on the target operating system. a. For image-based installations, the drivers are placed into the newly deployed operating system image and Windows is configured with where to find the drivers on any Plug-nPlay scan. On Vista and later, the drivers are placed into the operating system driver store. b. For setup-based installations, Windows Setup is configured with where to find the drivers. 5. When the Setup Windows and ConfigMgr task sequence action runs and Windows initially boots, it will find the drivers staged by this action. Important The Auto Apply Drivers task sequence step cannot be used with stand-alone media because Windows Setup will have no connection to the Configuration Manager site. Note When deploying pre-Vista operating systems, if the image already has a driver installed for a device on the computer, the Auto Apply Drivers action, the Apply Driver Package action, or any new drivers installed by a task sequence action will not be processed. To ensure the new drivers will be installed, in the sysprep.inf file, set the UpdateInstalledDrivers option in the Unattended section to Yes. For additional installation about deploying drivers, see Microsoft Support. This task sequence step runs only in Windows PE. It does not run in a standard operating system. For more information about the task sequence variables for this action, see Auto Apply Drivers Task Sequence Action Variables in the Task Sequence Action Variables in Configuration Manager topic.
1909

Details
On the Properties tab for this step, you can configure the settings described in this section. In addition, use the Options tab to do the following actions: Disable the step. Specify if the task sequence continues if an error occurs while running the step. Specify conditions that must be met for the step to run.

Name A short user-defined name that describes the action taken in this step.

Description More detailed information about the action taken in this step.

Install only the best matched compatible drivers Specifies that the task sequence step installs only the best matched driver for each hardware device detected.

Install all compatible drivers Specifies that the task sequence step installs all compatible drivers for each hardware device detected and allows Windows setup to choose the best driver. This option takes more network bandwidth and disk space because it downloads more drivers, but it can result in a better driver being selected.

Consider drivers from all categories Specifies that the task sequence action searches all available driver categories for the appropriate device drivers.

Limit driver matching to only consider drivers in selected categories Specifies that the task sequence action searches for device drivers in specified driver categories for the appropriate device drivers.

Do unattended installation of unsigned drivers on versions of Windows where this is allowed Allows this task sequence action to install unsigned Windows device drivers. Important This option does not apply to operating systems where driver signing policy cannot be configured.
1910

Capture Network Settings

Use the Capture Network Settings task sequence step to capture Microsoft network settings from the computer running the task sequence. The settings are saved in task sequence variables that will override the default settings you configure on the Apply Network Settings task sequence step. This task sequence step runs only in a standard operating system. It does not run in Windows PE. For more information about the task sequence variables for this action, see Capture Network Settings Task Sequence Action Variables in the Task Sequence Action Variables in Configuration Manager topic.

Details
On the Properties tab for this step, you can configure the settings described in this section. In addition, use the Options tab to do the following actions: Disable the step. Specify if the task sequence continues if an error occurs while running the step. Specify conditions that must be met for the step to run.

Name Specifies a short user-defined name that describes the action taken in this step.

Description Provides more detailed information about the action taken in this step.

Migrate domain and workgroup membership Captures the domain and workgroup membership information of the destination computer.

Migrate network adapter configuration Captures the network adapter configuration of the destination computer. The captured information includes the global network settings, the number of adapters, and the network settings associated with each adapter. These settings include settings associated with DNS, WINS, IP, and port filters.

1911

Capture Operating System Image

Use the Capture Operating System Image task sequence step to capture one or more images from a reference computer and store them in a WIM file on the specified network share. The Add Operating System Image Package Wizard can then be used to import this .WIM file into Configuration Manager so that it can be used for image-based operating system deployments. Each volume (drive) on the reference computer is captured as a separate image within the .wim file. If the referenced computer has multiple volumes, the resulting WIM file will contain a separate image for each volume. Only volumes that are formatted as NTFS or FAT32 are captured. Volumes with other formats and USB volumes are skipped. The installed operating system on the reference computer must be a version of Windows that is supported by Configuration Manager and must have been prepared by using the SysPrep tool. The installed operating system volume and the boot volume must be the same volume. You must also enter a Windows account that has write permissions to the network share that you selected. This task sequence step runs only in Windows PE. It does not run in a standard operating system. For more information about the task sequence variables for this action, see Capture Operating System Image Task Sequence Action Variables in the Task Sequence Action Variables in Configuration Manager topic.

Details
On the Properties tab for this step, you can configure the settings described in this section. In addition, use the Options tab to do the following actions: Disable the step. Specify if the task sequence continues if an error occurs while running the step. Specify conditions that must be met for the step to run.

Name A short user-defined name that describes the action taken in this step.

Description More detailed information about the action taken in this step.

Target File system pathname to the location that Configuration Manager uses when storing the captured operating system image.

Description An optional user-defined description of the captured operating system image that is
1912

stored in the .WIM file.

Version An optional user-defined version number to assign to the captured operating system image. This value can be any combination of letters and numbers and is stored in the .WIM file.

Created by The optional name of the user that created the operating system image and is stored in the WIM file.

Capture operating system image account You must enter the Windows account that has permissions to the network share you specified. Click Set to specify the name of that Windows account.

Capture User State

Use the Capture User State task sequence step to use the User State Migration Tool (USMT) to capture user state and settings from the computer running the task sequence. This task sequence step is used in conjunction with the Restore User State task sequence step. With USMT 3.0.1 and later, this option always encrypts the USMT state store by using an encryption key generated and managed by Configuration Manager. For more information about managing the user state when deploying operating systems, see How to Manage the User State in Configuration Manager. You can also use the Capture User State task sequence step with the Request State Store and Release State Store task sequence steps if you want to save the state settings to or restore settings from a state migration point in the Configuration Manager site. The Capture User State task sequence step provides control over a limited subset of the most commonly used USMT options. Additional command-line options can be specified using the OSDMigrateAdditionalCaptureOptions task sequence variable. This task sequence step runs only in Windows PE. It does not run in a standard operating system. For more information about the task sequence variables for this action, see Capture User State Task Sequence Action Variables in the Task Sequence Action Variables in Configuration Manager topic.

Details
On the Properties tab for this step, you can configure the settings described in this section. In addition, use the Options tab to do the following actions:
1913

Disable the step. Specify if the task sequence continues if an error occurs while running the step. Specify conditions that must be met for the step to run.

Name A short user-defined name that describes the action taken in this step.

Description More detailed information about the action taken in this step.

User state migration tool package Enter the Configuration Manager package that contains the version of USMT for this task sequence step to use when capturing the user state and settings. This package does not require a program. When the task sequence step is run, the task sequence will use the version of USMT in the package you specify. Specify a package containing the 32-bit or x64 version of USMT depending upon the architecture of the operating system from which you are capturing the state. Note USMT versions 3.0.1 and 4.0 are supported depending on the version of Windows that you are deploying.

Capture all user profiles with standard options Select this option to migrate all user profile information. This option is selected by default. If you select this option, but do not select the option to Restore local computer user profiles in the Restore User State task sequence step, the task sequence will fail because Configuration Manager cannot migrate the new accounts without assigning them passwords. Also, if you use the New Task Sequence wizard and create a task sequence to Install an existing image package, the resulting task sequence defaults to Capture all user profiles with standard options, but does not select the option to Restore local computer user profiles (i.e. non-domain accounts). Select Restore local computer user profiles and provide a password for the account to be migrated. In a manually created task sequence, this setting is found under the Restore User State step. In a task sequence created by the New Task Sequence wizard, this setting is found under the step Restore User Files and Settings wizard page. If you have no local user accounts, this does not apply.

1914

Customize how user profiles are captured Select this option to specify a custom profile file migration. Click Files to select the configuration files for USMT to use with this step. You must specify a custom .xml file that contains rules that define the user state files to migrate.

Click here to select configuration files: Select this option to select the configuration files in the USMT package you want to use for capturing user profiles. Click the Files button to launch the Configuration Files dialog box. To specify a configuration file, enter the name of the file on the Filename line and click the Add button.

Enable verbose logging Enable this option to generate more detailed log file information. When capturing state, the log Scanstate.log is generated and stored in the task sequence Log folder in the \windows\system32\ccm\logs folder by default.

Skip files using encrypted file system Enable this option if you want to skip capturing files that are encrypted with the Encrypted File System (EFS), including profile files. Depending on the operating system and the USMT version, encrypted files might not be readable after you restore. For more information, see the USMT documentation.

Copy by using file system access Enable this option to specify any of the following settings: Continue if some files cannot be captured: Enable this setting to continue the migration process even if some files cannot be captured. If you disable this option, if a file cannot be captured then the task sequence step will fail. This option is enabled by default. Capture locally by using links instead of by copying files: Enable this setting to use NTFS hard-links to capture files. This setting cannot be specified if you are using versions of USMT that are earlier than USMT 4.0. For more information about migrating data using hard-links, see Hard-Link

Migration Store
Capture in off-line mode (Windows PE only): Enable this setting to capture the user state while in Windows PE instead of the full operating system. This setting cannot be specified if you are using versions of USMT that are earlier than USMT 4.0. For more information about USMT 4.0 and off-line mode, see Offline Migration

1915

Capture by using Volume Copy Shadow Services (VSS) This option allows you to capture files even if they are locked for editing by another application, This option cannot be specified if you are using versions of USMT that are earlier than USMT 4.0.

Capture Windows Settings

Use the Capture Windows Settings task sequence step to capture the Windows settings from the computer running the task sequence. The settings are saved in task sequence variables that will override the default settings you configure on the Apply Windows Settings task sequence step. This task sequence step runs in either Windows PE or a standard operating system. For more information about the task sequence variables for this action, see Capture Windows Settings Task Sequence Action Variables in the Task Sequence Action Variables in Configuration Manager topic.

Details
On the Properties tab for this step, you can configure the settings described in this section. In addition, use the Options tab to do the following actions: Disable the step. Specify if the task sequence continues if an error occurs while running the step. Specify conditions that must be met for the step to run.

Name A short user-defined name that describes the action taken in this step.

Description More detailed information about the action taken in this step.

Migrate computer name Select this option to capture the NetBIOS computer name of the computer.

Migrate registered user and organization names Select this option to capture the registered user and organization names from the computer.

1916

Migrate time zone Select this option to capture the time zone setting on the computer.

Connect To Network Folder

Use the Connect to Network Folder task sequence action to create a connection to a shared network folder. This task sequence step runs in a standard operating system or Windows PE. For more information about the task sequence variables for this action, see Connect to Network Folder Task Sequence Action Variables in the Task Sequence Action Variables in Configuration Manager topic.

Details
On the Properties tab for this step, you can configure the settings described in this section. In addition, use the Options tab to do the following actions: Disable the step. Specify if the task sequence continues if an error occurs while running the step. Specify conditions that must be met for the step to run.

Convert Disk to Dynamic

Use the Convert Disk to Dynamic task sequence step to convert a physical disk from a basic disk type to a dynamic disk type. This step runs in either a standard operating system or Windows PE. For more information about the task sequence variables for this action, see Convert Disk to Dynamic Task Sequence Action Variables in the Task Sequence Action Variables in Configuration Manager topic.

Details
On the Properties tab for this step, you can configure the settings described in this section. In addition, use the Options tab to do the following actions: Disable the step. Specify if the task sequence continues if an error occurs while running the step. Specify conditions that must be met for the step to run.

Name A short user-defined name that describes the action taken in this step.

1917

Description More detailed information about the action taken in this step.

Disk Number The physical disk number of the disk that will be converted.

Disable BitLocker
Use the Disable BitLocker task sequence step to disable the BitLocker encryption on the current operating system drive, or on a specific drive. This action leaves the key protectors visible in clear text on the hard drive, but it does not decrypt the contents of the drive. Consequently this action is completed almost instantly. Note BitLocker drive encryption provides low-level encryption of the contents of a disk volume. If you have multiple drives encrypted, you must disable BitLocker on any data drives before disabling BitLocker on the operating system drive. This step runs only in a standard operating system. It does not run in Windows PE. Note You can use BitLocker only for client computers running Windows Vista SP2 or later and Windows Server 2008 SP2 or later.

Details
On the Properties tab for this step, you can configure the settings described in this section. In addition, use the Options tab to do the following actions: Disable the step. Specify if the task sequence continues if an error occurs while running the step. Specify conditions that must be met for the step to run.

Name Specifies a short user-defined name that describes the action taken in this step.

Description Provides more detailed information about the action taken in this step.

Current operating system drive Disables BitLocker on the current operating system drive.

1918

Specific drive Disables BitLocker on a specific drive. Use the drop-down list to specify the drive where BitLocker is disabled.

Enable BitLocker
Use the Enable BitLocker task sequence step to enable BitLocker encryption on at least two partitions on the hard drive. The first active partition contains the Windows bootstrap code. Another partition contains the operating system. The bootstrap partition must remain unencrypted. Starting in Configuration Manager SP1, you can use the Pre-provision BitLocker task sequence step to enable BitLocker on a drive while in Windows PE. For more information, see the Preprovision BitLocker section in this topic. Note BitLocker drive encryption provides low-level encryption of the contents of a disk volume. The Enable BitLocker step runs only in a standard operating system. It does not run in Windows PE. For more information about the task sequence variables for this action, see Enable BitLocker Task Sequence Action Variables in the Task Sequence Action Variables in Configuration Manager topic. Note BitLocker is used with computers running Windows Vista SP2 or later and Windows Server 2008 SP2 or later. The Trusted Platform Module (TPM) must be in the following state when you specify TPM Only, TPM and Startup Key on USB or TPM and PIN, before you can run the Enable BitLocker step: Enabled Activated Ownership Allowed

The task sequence step can complete any remaining TPM initialization, because the remaining steps do not require physical presence or reboots. The remaining TPM initialization steps which can be completed transparently by Enable BitLocker (if necessary) include: Create endorsement key pair Create owner authorization value and escrow to Active Directory, which must have been extended to support this value Take ownership Create the storage root key, or reset if already present but incompatible

If you want the Enable BitLocker step to wait until the drive encryption process has been completed before continuing with the next step in the task sequence, select the Wait check box. If
1919

you do not select the Wait check box, the drive encryption process will be performed in the background and task sequence execution will proceed immediately to the next step. BitLocker can be used to encrypt multiple drives on a computer system (both operating system and data drives). To encrypt a data drive, the operating system must already be encrypted and the encryption process must be completed, because the key protectors for the data drives are stored on the operating system drive. As a result, if you encrypt the operating system drive and the data drive in the same process, the wait option must be selected for the step that enables BitLocker for the operating system drive. If the hard drive is already encrypted but BitLocker is disabled then Enable BitLocker re-enables the key protector or protectors and will be completed almost instantly. Re-encryption of the hard drive is not necessary in this case. For more information about the task sequence variables for this action, see Enable BitLocker Task Sequence Action Variables in the Task Sequence Action Variables in Configuration Manager topic.

Details
On the Properties tab for this step, you can configure the settings described in this section. In addition, use the Options tab to do the following actions: Disable the step. Specify if the task sequence continues if an error occurs while running the step. Specify conditions that must be met for the step to run.

Name Specifies a descriptive name for this task sequence step.

Description Allows you to optionally enter a description for this task sequence step.

Choose the drive to encrypt Specifies the drive to encrypt. To encrypt the current operating system drive, select Current operating system drive and then configure one of the following options for key management: TPM only: Select this option to use only Trusted Platform Module (TPM). Startup Key on USB only: Select this option to use a startup key stored on a USB flash drive. When you select this option, BitLocker locks the normal boot process until a USB device that contains a BitLocker startup key is attached to the computer. TPM and Startup Key on USB: Select this option to use TPM and a startup key stored on a USB flash drive. When you select this option, BitLocker locks the normal boot process until a USB device that contains a BitLocker startup key is
1920

attached to the computer. TPM and PIN: For Configuration Manager SP1 only: Select this option to use TPM and a personal identification number (PIN). When you select this option, BitLocker locks the normal boot process until the user provides the PIN.

To encrypt a specific, non-operating system data drive, select Specific drive, and then select the drive from the list.

Chose where to create the recovery key To specify where the recovery password is created, select In Active Directory to escrow the password in Active Directory. If you select this option you must extend Active Directory for the site so that the associated BitLocker recovery information is saved. You can decide to not create a password at all by selecting Do not create recovery key. However, creating a password is a best practice.

Wait for BitLocker to complete the drive encryption process on all drives before continuing task sequence execution Select this option to allow the BitLocker drive encryption to be completed prior to running the next step in the task sequence. If this option is selected the entire disk volume will be encrypted before the user is able to log in to the computer. The encryption process can take hours to be completed when a large hard drive is being encrypted. Not selecting this option will allow the task sequence to proceed immediately.

Format and Partition Disk

Use the Format and Partition Disk task sequence step to format and partition a specified disk on the destination computer. Important Every setting you specify for this task sequence step applies to a single specified disk. If you want to format and partition another disk on the destination computer, you must add an additional Format and Partition Disk task sequence step to the task sequence. This task sequence step runs only in Windows PE. It does not run in a standard operating system. For more information about the task sequence variables for this action, see Format and Partition Disk Task Sequence Action Variables in the Task Sequence Action Variables in Configuration Manager topic.

Details
On the Properties tab for this step, you can configure the settings described in this section.
1921

In addition, use the Options tab to do the following actions: Disable the step. Specify if the task sequence continues if an error occurs while running the step. Specify conditions that must be met for the step to run.

Name A short user-defined name that describes the action taken in this step.

Description More detailed information about the action taken in this step.

Disk Number The physical disk number of the disk that will be formatted. The number is based on Windows disk enumeration ordering.

Disk Type The type of the disk that is formatted. There are two options to select from the dropdown list: Standard(MBR) Master Boot Record. GPT GUID Partition Table Note If you change the disk type from Standard (MBR) to GPT, and the partition layout contains an extended partition, all extended and logical partitions will be removed from the layout. You will be prompted to confirm this action before changing the disk type.

Volume Specific information about the partition or volume that will be created, including the following: Name Remaining disk space

To create a new partition, click New to launch the Partition Properties dialog box. You can specify the partition type and size, and specify if this will be a boot partition. To modify an existing partition, click the partition to be modified and then click the properties button. For more information about how to configure hard drive partitions, see one of the following:

How to Configure UEFI/GPT-Based Hard Drive Partitions How to Configure BIOS/MBR-Based Hard Drive Partitions

To delete a partition, select the partition to be deleted and then click Delete.
1922

Install Application
Use the Install Application task sequence step to install applications as part of the task sequence. This step can install a set of applications that are specified by the task sequence step or a set of applications that are specified by a dynamic list of task sequence variables. When this step is run, the application installation begins immediately without waiting for a policy polling interval. The applications that are installed must meet the following criteria: It must run under the local system account and not the user account. It must not interact with the desktop. The program must run silently or in an unattended mode. It must not initiate a restart on its own. The application must request a restart by using the standard restart code, a 3010 exit code. This ensures that the task sequence step will handle the restart correctly. If the application does return a 3010 exit code, the underlying task sequence engine performs the restart. After the restart, the task sequence automatically continues.

When the Install Application step runs, the application checks the applicability of the requirement rules and detection method on the deployment types of the application. Based on the results of this check, the application installs the applicable deployment type. If a deployment type contains dependencies, the dependent deployment type is evaluated and installed as part of the install application step. Application dependencies are not supported for stand-alone media. This task sequence step runs only in a standard operating system. It does not run in Windows PE.

Details
On the Properties tab for this step, you can configure the settings that are described in this section. In addition, use the Options tab to do the following actions: Disable the step. Specify if the task sequence continues if an error occurs while running the step. Specify conditions that must be met for the step to run.

Name A short user-defined name that describes the action taken in this step.

Description More detailed information about the action taken in this step.

1923

Install the following applications This setting specifies the applications that are installed in the order that they are specified. Configuration Manager will filter out any disabled applications or any applications with the following settings. These applications will not appear in the Select the application to install dialog box. Only when a user is logged on Run with user rights

Install applications according to dynamic variable list This setting specifies the base name for a set of task sequence variables that are defined for a collection or for a computer. These variables specify the applications that will be installed for that collection or computer. Each variable name consists of its common base name plus a numerical suffix starting at 01. The value for each variable must contain the name of the application and nothing else. For applications to be installed by using a dynamic variable list, the following setting must be enabled on the General tab of the applications Properties dialog box: Allow this application to be installed from the Install Application task sequence action instead of deploying manually Note You cannot install applications by using a dynamic variable list for stand-alone media deployments. For example, to install a single application by using a task sequence variable called AA01, you specify the following variable:

Variable Name

Variable Value

AA01

Microsoft Office

To install two applications, you would specify the following variables:

Variable Name

Variable Value

AA01 AA02
The following conditions will affect what is installed:

Microsoft Lync Microsoft Office

If the value of a variable contains any information other than the name of the application. That application is not installed and the task sequence continues. If no variable with the specified base name and "01" suffix are found, no
1924

applications are installed. When you select Continue on error on the Options tab of the task sequence step, the task sequence continues when an application fails to install. When the setting is not selected, the task sequence fails and will not install remaining applications.

If an application fails, continue installing other applications in the list This setting specifies that the step continues if an individual application installation fails. If this setting is specified, the task sequence will continue regardless of any installation errors that are returned. If this is not specified an installation fails, the task sequence step will end immediately.

Install Deployment Tools

Use the Install Deployment Tools task sequence step to install the Configuration Manager package that contains the Sysprep deployment tools.

Details
On the Properties tab for this step, you can configure the settings described in this section. In addition, use the Options tab to do the following actions: Disable the step. Specify if the task sequence continues if an error occurs while running the step. Specify conditions that must be met for the step to run.

Name A short user-defined name that describes the action taken in this step.

Description More detailed information about the action taken in this step.

Sysprep Package This setting specifies the Configuration Manager package that contains the Sysprep deployment tools for the following operating systems: Windows XP SP3 Windows XP X64 SP2 Windows Server 2003 SP2

1925

Install Package
Use the Install Package task sequence step to install software as part of the task sequence. When this step is run, the installation begins immediately without waiting for a policy polling interval The software that is installed must meet the following criteria: It must run under the local system account and not the user account. It should not interact with the desktop. The program must run silently or in an unattended mode. It must not initiate a restart on its own. The software must request a restart using the standard restart code, a 3010 exit code. This ensures that the task sequence step will properly handle the restart. If the software does return a 3010 exit code, the underlying task sequence engine will perform the restart. After the restart, the task sequence will automatically continue.

Programs that use the Run another program first option to install a dependent program are not supported when deploying an operating system. If Run another program first is enabled for the software and the dependent program has already been run on the destination computer, the dependent program will be run and the task sequence will continue. However, if the dependent program has not already been run on the destination computer, the task sequence step will fail. Note The central administration site does not have the necessary client configuration policies that are required to enable the software distribution agent during the execution of the task sequence. When you create stand-alone media for a task sequence at the central administration site, and the task sequence includes an Install Package step, the following error might appear in the CreateTsMedia.log file:
WMI method SMS_TaskSequencePackage.GetClientConfigPolicies failed (0x80041001)

For stand-alone media that includes an Install Package step, you must create the standalone media at a primary site that has the software distribution agent enabled or add a Run Command Line step after the Setup Windows and ConfigMgr step and before the first Install Package step. The Run Command Line step runs a WMIC command to enable the software distribution agent before the first Install package step runs. You can use the following in your Run Command Line task sequence step: Command Line: WMIC /namespace:\\root\ccm\policy\machine\requestedconfig path ccm_SoftwareDistributionClientConfig CREATE ComponentName="Enable SWDist", Enabled="true", LockSettings="TRUE", PolicySource="local", PolicyVersion="1.0", SiteSettingsKey="1" /NOINTERACTIVE For more information about creating stand-alone media, see How to Create Stand-alone Media section in the How to Deploy Operating Systems by Using Media in Configuration Manager topic. This task sequence step runs only in a standard operating system. It does not run in Windows PE.
1926

Details
On the Properties tab for this step, you can configure the settings described in this section. In addition, use the Options tab to do the following actions: Disable the step. Specify if the task sequence continues if an error occurs while running the step. Specify conditions that must be met for the step to run.

Name A short user-defined name that describes the action taken in this step.

Description More detailed information about the action taken in this step.

Install a single software package This setting specifies a Configuration Manager software package. The step will wait until the installation is complete.

Install software packages according to dynamic variable list This setting specifies the base name for a set of task sequence variables that are defined for a collection or for a computer. These variables specify the packages that will be installed for that collection or computer. Each variable name consists of its common base name plus a numerical suffix starting at 001. The value for each variable must contain a package ID and the name of the software separated by a colon. For software to be installed by using a dynamic variable list, the following setting must be enabled on the Advanced tab of the packages Properties dialog box: Allow this program to be installed from the Install Package task sequence without being deployed Note You cannot install software packages by using a dynamic variable list for stand-alone media deployments. For example, to install a single software package by using a task sequence variable called AA001, you specify the following variable:

Variable Name

Variable Value

AA001

CEN00054:Install

To install three software packages, you would specify the following variables:

1927

Variable Name

Variable Value

AA001 AA002 AA003

The following conditions will affect what is installed:

CEN00054:Install CEN00107:Install Silent CEN00031:Install

If the value of a variable is not created in the correct format or it does not specify a valid application ID and name, the installation of the software will fail. If the package Id contains lowercase characters, the installation of that software will fail. If no variables with the specified base name and "001" suffix are found, no packages are installed and the task sequence continues.

If installation of a software package fails, continue installing other packages in the list This setting specifies that the step continues if an individual software package installation fails. If this setting is specified, the task sequence will continue regardless of any installation errors that are returned. If this is not specified an installation fails, the task sequence step will end immediately.

Install Software Updates

Use the Install Software Updates task sequence step to install software updates on the destination computer. The destination computer is not evaluated for applicable software updates until this task sequence step runs. At that time, the destination computer is evaluated for software updates like any other Configuration Manager-managed client. In particular, this step installs only the software updates that are targeted to collections of which the computer is currently a member. This task sequence step runs only in a standard operating system. It does not run in Windows PE. For information about task sequence variables for this task sequence action, see Install Software Updates Task Sequence Action Variables in the Task Sequence Action Variables in Configuration Manager topic. Important This task sequence step cannot suppress restarts if the software update indicates that a restart is required. If you install software updates on a computer that is in a production environment and you need to suppress a restart, do not use a task sequence to install the software update. Use the software update feature of Configuration Manager to install the software update. For more information about the install software update feature, see Software Updates in Configuration Manager.
1928

Details
On the Properties tab for this step, you can configure the settings described in this section. In addition, use the Options tab to do the following actions: Disable the step. Specify if the task sequence continues if an error occurs while running the step. Specify conditions that must be met for the step to run.

Name A short user-defined name that describes the action taken in this step.

Description More detailed information about the action taken in this step.

Mandatory software updates Select this option to install all software updates flagged in Configuration Manager as mandatory for the destination computers that receive the task sequence. Mandatory software updates have administrator-defined deadlines for installation.

All software updates Select this option to install all available software updates targeting the Configuration Manager collection that will receive the task sequence. All available software updates will be installed on the destination computers.

Join Domain or Workgroup

Use the Join Domain or Workgroup task sequence step to add the destination computer to a workgroup or domain. This task sequence step runs only in a standard operating system. It does not run in Windows PE. For information about task sequence variables for this task sequence action, see Join Domain or Workgroup Task Sequence Action Variables in the Task Sequence Action Variables in Configuration Manager topic.

Details
On the Properties tab for this step, you can configure the settings described in this section. In addition, use the Options tab to do the following actions: Disable the step. Specify if the task sequence continues if an error occurs while running the step.
1929

Specify conditions that must be met for the step to run.

Name A short user-defined name that describes the action taken in this step.

Description More detailed information about the action taken in this step.

Join a workgroup Select this option to have the destination computer join the specified workgroup. If the computer is currently a member of a domain, selecting this option will cause the computer to reboot.

Join a domain Select this option to have the destination computer join the specified domain. Optionally, enter or browse for an organizational unit (OU) in the specified domain for the computer to join. If the computer is currently a member of some other domain or a workgroup, this will cause the computer to reboot. If the computer is already a member of some other OU, Active Directory Domain Services does not allow you to change the OU and this setting is ignored.

Enter the account which has permission to join the domain Click Set to enter an account and password that has permissions to join the domain. The account must be entered in the following format: Domain\account

Prepare ConfigMgr Client for Capture

Use the Prepare ConfigMgr Client for Capture step to take the Configuration Manager client on the reference computer and prepares it for capture as part of the imaging process by performing the following tasks: Removes the client configuration properties section from the smscfg.ini file in the Windows directory. These properties include client-specific information including the Configuration Manager GUID and other client identifiers. Deletes all SMS or Configuration Manager machine certificates. Deletes the Configuration Manager client cache. Clears the assigned site variable for the Configuration Manager client. Deletes all local Configuration Manager policy.
1930

Removes the trusted root key for the Configuration Manager client.

This task sequence step runs only in a standard operating system. It does not run in Windows PE.

Details
On the Properties tab for this step, you can configure the settings described in this section. In addition, use the Options tab to do the following actions: Disable the step. Specify if the task sequence continues if an error occurs while running the step. Specify conditions that must be met for the step to run.

Name A short user-defined name that describes the action taken in this step.

Description More detailed information about the action taken in this step.

Prepare Windows for Capture

Use the Prepare Windows for Capture task sequence step to specify the Sysprep options to use when capturing an operating system image on the reference computer. This task sequence action runs Sysprep and then reboots the computer into Windows PE boot image specified for the task sequence. The reference computer must not be joined to a domain for this action to be completed successfully. This task sequence step runs only in a standard operating system. It does not run in Windows PE. For information about task sequence variables for this task sequence action, see Prepare Windows for Capture Task Sequence Action Variables in the Task Sequence Action Variables in Configuration Manager topic.

Details
On the Properties tab for this step, you can configure the settings described in this section. In addition, use the Options tab to do the following actions: Disable the step. Specify if the task sequence continues if an error occurs while running the step. Specify conditions that must be met for the step to run.

Name A short user-defined name that describes the action taken in this step.

1931

Description More detailed information about the action taken in this step.

Automatically build mass storage driver list Select this option to have Sysprep automatically build a list of mass storage drivers from the reference computer. This option enables the Build Mass Storage Drivers option in the sysprep.inf file on the reference computer. For more information about this setting, refer to the Sysprep documentation.

Do not reset activation flag Select this option to prevent Sysprep from resetting the product activation flag.

Pre-provision BitLocker
Use the Pre-provision BitLocker task sequence step to enable BitLocker on a drive while in Windows PE. Only the used drive space is encrypted, and therefore, encryption times are much faster. You apply the key management options by using the Enable BitLocker task sequence step after the operating system installs. This step runs only in Windows PE. It does not run in a standard operating system. Important To pre-provision BitLocker, you must deploy a minimum operating system of Windows 7 and TPM must be supported and enabled on the computer.

Details
On the Properties tab for this step, you can configure the settings described in this section. In addition, use the Options tab to do the following actions: Disable the step. Specify if the task sequence continues if an error occurs while running the step. Specify conditions that must be met for the step to run.

Name Specify a short user-defined name that describes the action taken in this step.

Description Specify detailed information about the action taken in this step.

1932

Apply BitLocker to the specified drive Specify the drive for which you want to enable BitLocker. Only the used space on the drive is encrypted.

Skip this step for computers that do not have a TPM or when TPM is not enabled Select this option to skip the drive encryption when the computer hardware does not support TPM or when TPM is not enabled. For example, you can use this option when you deploy an operating system to a virtual machine.

Release State Store

Use the Release State Store task sequence step to notify the state migration point that the capture or restore action is complete. This step is used in conjunction with the Request State Store, Capture User State, and Restore User State task sequence steps to migrate user state data using a state migration point and the User State Migration Tool (USMT). For more information about managing the user state when deploying operating systems, see How to Manage the User State in Configuration Manager. If you requested access to a state migration point to capture user state in the Request State Store task sequence step, this step notifies the state migration point that the capture process is complete and that the user state data is available to be restored. The state migration point sets the access control permissions for the captured state so that it can only be accessed (as readonly) by the restoring computer. If you requested access to a state migration point to restore user state in the Request State Store task sequence step, this task sequence step notifies the state migration point that the restore process is complete. At this point, whatever retention settings you configured for the state migration point are activated. Important It is a best practice to set Continue on Error on any task sequence steps between the Request State Store step and Release State Store step so that every Request State Store task sequence action has a matching Release State Store task sequence action. This task sequence step runs only in a standard operating system. It does not run in Windows PE. For information about task sequence variables for this task sequence action, see Release State Store Sequence Action Variables in the Task Sequence Action Variables in Configuration Manager topic.

Details
On the Properties tab for this step, you can configure the settings described in this section. In addition, use the Options tab to do the following actions:
1933

Disable the step. Specify if the task sequence continues if an error occurs while running the step. Specify conditions that must be met for the step to run.

Name A short user-defined name that describes the action taken in this step.

Description More detailed information about the action taken in this step.

Request State Store

Use the Request State Store task sequence step to request access to a state migration point when capturing state from a computer or restoring state to a computer. For more information about managing the user state when deploying operating systems, see How to Manage the User State in Configuration Manager. You can use the Request State Store task sequence step in conjunction with the Release State Store, Capture User State, and Restore User State task sequence steps to migrate computer state using a state migration point and the User State Migration Tool (USMT). Note If you have just established a new state migration point site role (SMP), it can take up to one hour to be available for user state storage. To expedite the availability of the SMP you can adjust any state migration point property setting to trigger a site control file update. This task sequence step runs in a standard operating system and in Windows PE for offline USMT. For information about the task sequence variables for this task sequence action, see Request State Store Task Sequence Action Variables in the Task Sequence Action Variables in Configuration Manager topic.

Details
On the Properties tab for this step, you can configure the settings described in this section. In addition, use the Options tab to do the following actions: Disable the step. Specify if the task sequence continues if an error occurs while running the step. Specify conditions that must be met for the step to run.

Name A short user-defined name that describes the action taken in this step.

1934

Description More detailed information about the action taken in this step.

Capture state from the computer Finds a state migration point that meets the minimum requirements as configured in the state migration point settings (maximum number of clients and minimum amount of free disk space) but it does not guarantee sufficient space is available at the time of state migration. Selecting this option will request access to the state migration point for the purpose of capturing the user state and settings from a computer. If the Configuration Manager site has multiple state migration points enabled, this task sequence step finds a state migration point that has disk space available by querying the site's management point for a list of state migration points, and then evaluating each until it finds one that meets the minimum requirements.

Restore state from another computer Select this option to request access to a state migration point for the purpose of restoring previously captured user state and settings to a destination computer. If the Configuration Manager site has multiple state migration points, this task sequence step finds the state migration point that has the computer state that was stored for the destination computer.

Number of retries The number of times that this task sequence step will try to find an appropriate state migration point before failing.

Retry delay (in seconds) The amount of time in seconds that the task sequence step waits between retry attempts.

If computer account fails to connect to a state store, use the network access account. Specifies that the Configuration Manager network access account credentials will be used to connect to the state migration point if the Configuration Manager client cannot access the SMP state store using the computer account. This option is less secure because other computers could use the network access account to access your stored state, but might be necessary if the destination computer is not domain joined.

1935

Restart Computer
Use the Restart Computer task sequence step to restart the computer running the task sequence. After the restart, the computer will automatically continue with the next step in the task sequence. This step can be run in either a standard operating system or Windows PE. For more information about the task sequence variables for this task sequence action, see Restart Computer Task Sequence Action Variables in the Task Sequence Action Variables in Configuration Manager topic.

Details
On the Properties tab for this step, you can configure the settings described in this section. In addition, use the Options tab to do the following actions: Disable the step. Specify if the task sequence continues if an error occurs while running the step. Specify conditions that must be met for the step to run.

Name A short user-defined name that describes the action taken in this step.

Description More detailed information about the action taken in this step.

The boot image assigned to this task sequence Select this option for the destination computer to use the boot image that is assigned to the task sequence. The boot image will be used to run subsequent task sequence steps that run in Windows PE.

The currently installed default operating system Select this option for the destination computer to reboot into the installed operating system.

Notify the user before restarting Select this option to display a notification to the user that the destination computer will be restarted. This option is selected by default.

Notification message Enter a notification message that is displayed to the user before the destination
1936

computer is restarted.

Message display time-out Specify the amount of time in seconds that a user will be given before the destination computer is restarted. The default amount of time is sixty (60) seconds.

Restore User State

Use the Restore User State task sequence step to initiate the User State Migration Tool (USMT) to restore user state and settings to the destination computer. This task sequence step is used in conjunction with the Capture User State task sequence step. For more information about managing the user state when deploying operating systems, see How to Manage the User State in Configuration Manager. You can also use the Restore User State task sequence step with the Request State Store and Release State Store task sequence steps if you want to save the state settings to or restore settings from a state migration point in the Configuration Manager site. With USMT 3.0 and above, this option always decrypts the USMT state store by using an encryption key generated and managed by Configuration Manager. The Restore User State task sequence step provides control over a limited subset of the most commonly used USMT options. Additional command-line options can be specified by using the OSDMigrateAdditionalRestoreOptions task sequence variable. Important If you are using the Restore User State task sequence step for a purpose unrelated to an operating system deployment scenario, add the Restart Computer task sequence step immediately following the Restore User State task sequence step. This task sequence step runs only in a standard operating system. It does not run in Windows PE. For information about the task sequence variables for this task sequence action, see Restore User State Task Sequence Action Variables in the Task Sequence Action Variables in Configuration Manager topic.

Details
On the Properties tab for this step, you can configure the settings described in this section. In addition, use the Options tab to do the following actions: Disable the step. Specify if the task sequence continues if an error occurs while running the step. Specify conditions that must be met for the step to run.

Name Specifies a short user-defined name that describes the action taken in this step.
1937

Description Specifies more detailed information about the action taken in this step.

User state migration tool package Enter the Configuration Manager package that contains the version of USMT for this step to use when restoring the user state and settings. This package does not require a program. When the task sequence step is run, the task sequence will use the version of USMT in the package you specify. Specify a package containing the 32-bit or x64 version of USMT depending upon the architecture of the operating system to which you are restoring the state.

Restore all captured user profiles with standard options Restores the captured user profiles with the standard options. To customize the options that will be restored, select Customize user profile capture.

Customize how user profiles are restored Allows you to customize the files that you want to restore to the destination computer. Click Files to specify the configuration files in the USMT package you want to use for restoring the user profiles. To add a configuration file, enter the name of the file in the Filename box, and then click Add. The configuration files that will be used for the operation are listed in the Files pane. The .xml file you specify defines which user file will be restored.

Restore local computer user profiles Restores the local computer user (i.e. not domain user) profiles. You will need to assign new passwords to the restored local user accounts because the original local user account passwords cannot be migrated. Enter the new password in the Password box, and confirm the password in the Confirm Password box.

Continue if some files cannot be restored Continues restoring user state and settings even if some files are unable to be restored. This option is enabled by default. If you disable this option and errors are encountered while restoring files, the task sequence step will end immediately with a failure and not all files will be restored.

Enable verbose logging Enable this option to generate more detailed log file information. When restoring state,
1938

the log Loadstate.log is generated and stored in the task sequence log folder in the \windows\system32\ccm\logs folder by default.

Run Command Line

Use the Run Command Line task sequence step to run a specified command line. This step can be run in a standard operating system or Windows PE. For information about task sequence variables for this task sequence action, see Run Command Line Task Sequence Action Variables in the Task Sequence Action Variables in Configuration Manager topic.

Details
On the Properties tab for this step, you can configure the settings described in this section. In addition, use the Options tab to do the following actions: Disable the step. Specify if the task sequence continues if an error occurs while running the step. Specify conditions that must be met for the step to run.

Name Specifies a short user-defined name that describes the command line that is run.

Description Specifies more detailed information about the command line that is run.

Command line Specifies the command line that is run. This field is required. Including file name extensions are a best practicefor example, .vbs and .exe. Include all required settings files, command-line options, or switches. If the file name does not have a file name extension specified, Configuration Manager tries .com, .exe, and .bat. If the file name has an extension that is not an executable, Configuration Manager tries to apply a local association. For example, if the command line is readme.gif, Configuration Manager starts the application specified on the destination computer for opening .gif files. Examples: setup.exe /a cmd.exe /c copy Jan98.dat c:\sales\Jan98.dat Note Command-line actions, such as output redirection, piping, or copyas in the preceding

1939

examplemust be preceded by the cmd.exe /c command to run successfully.

Disable 64-bit file system redirection By default, when running on a 64-bit operating system, the executable in the command line is located and run using the WOW64 file system redirector so that 32-bit versions of operating system executables and DLLs are found. Selecting this option disables the use of the WOW64 file system redirector so that native 64-bit versions of operating system executables and DLLs can be found. Selecting this option has no effect when running on a 32-bit operating system.

Start in Specifies the executable folder for the program, up to 127 characters. This folder can be an absolute path on the destination computer or a path relative to the distribution point folder that contains the package. This field is optional. Examples: c:\officexp i386 Note The Browse button browses the local computer for files and folders, so anything you select this way must also exist on the destination computer in the same location and with the same file and folder names.

Package When you specify files or programs on the command line that are not already present on the destination computer, select this option to specify the Configuration Manager package that contains the appropriate files. The package does not require a program. This option is not required if the specified files exist on the destination computer.

Time-out Specifies a value that represents how long Configuration Manager will allow the command line to run. This value can be from 10 minutes to 999 minutes. The default value is 15 minutes. This option is disabled by default. Important If you enter a value that does not allow enough time for the Run Command Line task sequence step to complete successfully, the task sequence step will fail and the entire task sequence could fail depending on other control settings. If the time-out expires, Configuration Manager will
1940

terminate the command-line process.

Run this step as the following account Specifies that the command line is run as a Windows user account other than the local system account.

Account Specifies the Run As Windows user account for the command-line task in the task sequence to be run by this action. The command line will be run with the permissions of the specified account. Click Set to specify the local user or domain account. Important If a Run Command Line task sequence action specifying a user account is executed while in Windows PE, the action will fail because Windows PE cannot be joined to a domain. The failure will be recorded in the smsts.log file.

Set Task Sequence Variable

Use the Set Task Sequence Variable task sequence step to set the value of a variable that is used with the task sequence. This step can be run in either a standard operating system or Windows PE. Task sequence variables are read by task sequence actions and specify the behavior of those actions. For more information about specific task sequence variables, see Task Sequence Action Variables in Configuration Manager.

Details
On the Properties tab for this step, you can configure the settings described in this section. In addition, use the Options tab to do the following actions: Disable the step. Specify if the task sequence continues if an error occurs while running the step. Specify conditions that must be met for the step to run.

Name A short user-defined name for this task sequence step.

Description More detailed information about the action taken in this step.

1941

Task sequence variable A user-defined name for the task sequence variable.

Value The value that is associated with the task sequence variable. The value could be another task sequence variable in %<varname>% syntax.

Setup Windows and ConfigMgr

Use the Setup Windows and ConfigMgr task sequence step to perform the transition from Windows PE to the new operating system. This task sequence step is a required part of any operating system deployment. It installs the Configuration Manager client into the new operating system and prepares for the task sequence to continue execution in the new operating system. This step runs only in WindowsPE. It does not run in a standard operating system. For more information about task sequence variables for this task sequence action, see Setup Windows and ConfigMgr Task Sequence Action Variables. The Setup Windows and ConfigMgr task sequence action replaces sysprep.inf or unattend.xml directory variables, such as %WINDIR% and %ProgramFiles%, with the WindowsPE installation directory X:\Windows. Task sequence variables specified by using these environment variables will be ignored. Use this task sequence step to perform the following actions: 1. Preliminaries: WindowsPE a. Performs task sequence variable substitution in the sysprep.inf (operating systems earlier than Windows Vista) or the unattend.xml (Windows Vista SP2, Windows Server 2008 SP2, and later operating systems) file. b. Downloads the package that contains the Configuration Manager client and puts it in the deployed image. 2. Set up Windows a. Image-based installation. i. ii. Disables the Configuration Manager client in the image (that is, disables Autostart for the Configuration Manager client service). Updates the registry in the deployed image to ensure that the deployed operating system starts with the same drive letter that it had on the reference computer.

iii. Restarts in the deployed operating system. iv. Windows mini-setup runs by using the previously specified sysprep.inf or unattend.xml file that has all end-user interaction suppressed. Note: If Apply Network Settings specified to join a domain, then that information is in the sysprep.inf or unattend.xml file, and Windows mini-setup performs the domain join.

1942

b. Setup.exe-based installation. Runs Setup.exe (Windows Vista SP2 and later operating systems) or WinNT32.exe (operating systems earlier than Windows Vista) which follows the typical Windows setup process: i. ii. Copies the operating system install package specified in an earlier Apply Operating System task sequence to the hard disk drive. Restarts in the newly deployed operating system.

iii. Windows mini-setup runs by using the previously specified sysprep.inf or unattend.xml file that has all user interface settings suppressed. Note: If Apply Network Settings specified to join a domain, then that information is in the sysprep.inf or unattend.xml file, and Windows mini-setup performs the domain join. 3. Set up the Configuration Manager client a. After Windows mini-setup finishes, the task sequence resumes by using an alternative graphical identification and authentication (GINA) library (earlier than Windows Vista) or setupcomplete.cmd (Windows Vista and later). b. Enables or disables the local administrator account, based on the option selected in the Apply Windows Settings step. c. Installs the Configuration Manager client by using the previously downloaded package (1.b) and installation properties specified in the Task Sequence Editor. The client is installed in "provisioning mode" to prevent it from processing new policy requests until the task sequence is completed.

d. Waits for the client to be fully operational. e. If the computer is operating in an environment with Network Access Protection enabled, the client checks for and installs any required updates so that all required updates are present before the task sequence continues running. 4. The task sequence continues running with its next step. Note The Setup Windows and ConfigMgr task sequence action is responsible for running Group Policy on the newly installed computer. The time at which Group Policy is applied during the task sequence action depends on the operating system being deployed. For example, with Windows XP and Windows Server 2003 Group Policy is applied after the Setup Windows and ConfigMgr task sequence action is completed. On Windows Vista and Windows Server 2008, Group Policy is applied after the task sequence is finished.

Details
On the Properties tab for this step, you can configure the settings described in this section. In addition, use the Options tab to do the following actions: Disable the step. Specify if the task sequence continues if an error occurs while running the step. Specify conditions that must be met for the step to run.

1943

Name Specifies a short user-defined name that describes the action taken in this step.

Description Specifies additional information about the action taken in this step.

Package Specifies the Configuration Manager client installation package that will be used by this task sequence step. Click Browse and select the client installation package that you want to use to install the Configuration Manager client.

Installation Properties Site assignment and the default configuration are automatically specified by the task sequence action. You can use this field to specify any additional installation properties to use when you install the client. To enter multiple installation properties, separate them with a space. For Configuration Manager SP1 only: You can specify command-line options to use during client installation. For example, you can enter /skipprereq: silverlight.exe to inform CCMSetup.exe not to install the Microsoft Silverlight prerequisite. For more information about available command-line options for CCMSetup.exe, see the CCMSetup.exe Command-Line Properties section in the About Client Installation Properties in Configuration Manager topic.

See Also
Technical Reference for Deploying Operating Systems in Configuration Manager

Task Sequence Scenarios in Configuration Manager

Use the examples in this topic as a guide while you create your own operating system deployment task sequences in System Center 2012 Configuration Manager. These basic task sequence scenarios provide a framework that can be used when writing task sequences for your specific operating system deployment scenarios. To use these examples create a custom task sequence and then use the Task Sequence editor to add task sequence groups and task sequence steps. For more information about creating and editing task sequences, see How to Manage Task Sequences in Configuration Manager.
1944

Stand-alone Media Task Sequence Example

Use the following table as a guide as you create a task sequence to deploy an operating system using stand-alone media. The table will help you decide the general sequence for your task sequence steps and how to organize and structure those task sequence steps into logical groups. The task sequence that you create might vary from this sample and can contain more or fewer task sequence steps and groups. Note You must always use the Task Sequence Media Wizard to create stand-alone media.
Task Sequence Group or Step Description

Capture File and Settings - (New Task Sequence Group)

Create a task sequence group. A task sequence group keeps similar task sequence steps together for better organization and error control. Use this task sequence step to identify the Microsoft Windows settings that are captured from the existing operating system on the destination computer prior to reimaging. You can capture the computer name, user and organizational information, and the time zone settings. Use this task sequence step to capture network settings from the computer that receives the task sequence. You can capture the domain or workgroup membership of the computer and the network adapter setting information. Create a task sequence group within a task sequence group. This sub-group contains the steps needed to capture user state data from the existing operating system on the destination computer prior to reimaging. Similar to the initial group that you added, this sub-group keeps similar task sequence steps together for better organization and error control. Use this task sequence step to specify a local location using the protected path task sequence variable. The user state is stored on a protected directory on the hard drive.

Capture Windows Settings

Capture Network Settings

Capture User Files and Settings - (New Task Sequence Sub-Group)

Set Local State Location

1945

Task Sequence Group or Step

Description

Capture User State

Use this task sequence step to capture the user files and settings you want to migrate to the new operating system. Create another task sequence sub-group. This sub-group contains the steps needed to install the operating system. Use this task sequence step to specify restart options for the computer that receives this task sequence. This step will display a message to the user indicating that the computer will be restarted so that the installation can continue. This step uses the read-only _SMSTSInWinPE task sequence variable. If the associated value equals false the task sequence step will continue.

Install Operating System - (New Task Sequence Group)

Reboot to Windows PE or hard disk

Apply Operating System

Use this task sequence step to install the operating system image onto the destination computer. This step deletes all files on that volume (with the exception of Configuration Manager-specific control files) and then applies all volume images contained in the WIM file to the corresponding sequential disk volume. You can also specify a sysprep answer file to configure which disk partition to use for the installation. Use this task sequence step to configure the Windows settings configuration information for the destination computer. The windows settings you can apply are user and organizational information, product or license key information, time zone, and the local administrator password. Use this task sequence step to specify the network or workgroup configuration information for the destination computer. You can also specify if the computer uses a DHCP server or you can statically assign the IP address information.

Apply Windows Settings

Apply Network Settings

1946

Task Sequence Group or Step

Description

Apply Driver Package

Use this task sequence step to make all device drivers in a driver package available for use by Windows setup. All necessary device drivers must be contained on the stand-alone media. Create another task sequence sub-group. This sub-group contains the steps needed to install the Configuration Manager client. Use this task sequence step to install the Configuration Manager client software. Configuration Manager installs and registers the Configuration Manager client GUID. You can assign the necessary installation parameters in the Installation properties window. Create another task sequence sub-group. This sub-group contains the steps needed to restore the user state. Use this task sequence step to initiate the User State Migration Tool (USMT) to restore the user state and settings that were captured from the Capture User State Action to the destination computer.

Setup Operating System - (New Task Sequence Group)

Setup Windows and ConfigMgr

Restore User Files and Settings - (New Task Sequence Group)

Restore User State

Install Existing Operating System Image Task Sequence Example

Use the following table as a guide as you create a task sequence that deploys an operating system using an existing operating system image. The table will help you decide the general sequence for your task sequence steps and how to organize and structure those task sequence steps into logical groups. The task sequence that you create may vary from this sample and can contain more or less task sequence steps and groups. Important You must always use the Create Task Sequence Wizard to create this task sequence. When you use the Create Task Sequence Wizard to create this new task sequence some of the task sequence step names are different than what than what they would be if you manually added these task sequence steps to an existing task sequence. The following table displays the naming differences:
1947

Create Task Sequence Wizard Task Sequence Step name

Equivalent Task Sequence Editor Step Name

Request User State Storage Capture User Files and Settings Release User State Storage Restart in Windows PE Partition Disk 0 Restore User Files and Settings

Request State Store Capture User State Release State Store Reboot to Windows PE or hard disk Format and Partition Disk Restore User State

Task Sequence Group or Step

Description

Capture File and Settings - (New Task Sequence Group)

Create a task sequence group. A task sequence group keeps similar task sequence steps together for better organization and error control. This group contains the steps needed to capture files and settings from the operating system of a reference computer.

Capture Windows Settings

Use this task sequence step to identify the Microsoft Windows settings to capture from the reference computer. You can capture the computer name, user and organizational information and the time zone settings. Use this task sequence step to capture network settings from the reference computer. You can capture the domain or workgroup membership of the reference computer and the network adapter setting information. Create a task sequence group within a task sequence group. This sub-group contains the steps needed to capture user state data. Similar to the initial group that you added, this sub-group keeps similar task sequence steps together for better organization and error control. Use this task sequence step to request access to a state migration point where the user state
1948

Capture Network Settings

Capture User Files and Settings - (New Task Sequence Sub-Group)

Request User State Storage

Task Sequence Group or Step

Description

data is stored. You can configure this task sequence step to capture or restore the user state information. Capture User Files and Settings Use this task sequence step to use the User State Migration Tool (USMT) to capture the user state and settings from the reference computer that will receive the task sequence associated with this task step. You can capture the standard options or configure whish options to capture. Use this task sequence step to notify the state migration point that the capture or restore action is complete. Create another task sequence sub-group. This sub-group contains the steps needed to install and configure the Windows PE environment. Use this task sequence step to specify the restart options for the destination computer that receives this task sequence. This step will display a message to the user indicating that the computer will be restarted so that the installation can continue.. This step uses the read-only _SMSTSInWinPE task sequence variable. If the associated value equals false the task sequence step continues. Partition Disk 0 This task sequence step specifies the actions necessary to format the hard drive on the destination computer. The default disk number is 0. This step uses the read-only _SMSTSClientCache task sequence variable. This step will run if the Configuration Manager client cache does not exist. Apply Operating System Use this task sequence step to install the operating system image onto the destination computer. This step applies all volume images contained in the WIM file to the corresponding sequential disk volume on the target computer
1949

Release User State Storage

Install Operating System - (New Task Sequence Group)

Restart in Windows PE

Task Sequence Group or Step

Description

after first deleting all files on that volume (with the exception of Configuration Manager-specific control files). You can specify a sysprep answer file and also configure which disk partition is used for the installation. Apply Windows Settings Use this task sequence step to configure the Windows settings configuration information for the destination computer. The windows settings you can apply are user and organizational information, product or license key information, time zone, and the local administrator password. Use this task sequence step to specify the network or workgroup configuration information for the destination computer. You can also specify if the computer uses a DHCP server or you can statically assign the IP address information. Use this task sequence step to install drivers as part of the operating system deployment. You can allow Windows Setup to search all existing driver categories by selecting Consider drivers from all categories or limit which driver categories Windows Setup searches by selecting Limit driver matching to only consider drivers in selected categories. This step uses the read-only _SMSTSMediaType task sequence variable. This task sequence step runs only if the value of the variable does not equal FullMedia. Apply Driver Package Use this task sequence step to make all device drivers in a driver package available for use by Windows setup. Create another task sequence sub-group. This sub-group contains the steps needed to set up the installed operating system. Use this task sequence step to install the
1950

Apply Network Settings

Apply Device Drivers

Setup Operating System - (New Task Sequence Group)

Setup Windows and ConfigMgr

Task Sequence Group or Step

Description

Configuration Manager client software. Configuration Manager installs and registers the Configuration Manager client GUID. You can assign the necessary installation parameters in the Installation properties window. Install Updates Use this task sequence step to specify how software updates are installed on the destination computer. The destination computer is not evaluated for applicable software updates until this task sequence step runs. At that point, the destination computer is evaluated for software updates similar to any other Configuration Manager-managed client. This step uses the read-only _SMSTSMediaType task sequence variable. This task sequence step runs only if the value of the variable does not equal FullMedia.. Restore User Files and Settings - (New Task Sequence Sub-Group) Create another task sequence sub-group. This sub-group contains the steps needed to restore the user files and settings. Use this task sequence step to request access to a state migration point where the user state data is stored. Use this task sequence step to initiate the User State Migration Tool (USMT) to restore user state and settings to a destination computer. Use this task sequence step to notify the state migration point that the user state dat is no longer needed.

Request User State Storage

Restore User Files and Settings

Release User State Storage

Build and Capture Operating System Image Task Sequence Example

Use the following table as a guide as you create a task sequence that builds and captures an operating system image. The table will help you decide the general sequence for your task sequence steps and how to organize and structure those task sequence steps into logical groups.
1951

The task sequence that you create may vary from this sample and can contain more or less task sequence steps and groups. Important You must always use the Create Task Sequence Wizard to create this type of task sequence. When you use the New Task Sequence Wizard to create this new task sequence some of the task sequence step names are different than what they would be if you manually added these task sequence steps to an existing task sequence. The following table displays the naming differences:
New Task Sequence Wizard Task Sequence Step name Equivalent Task Sequence Editor Step Name

Restart in Windows PE Partition Disk 0 Apply Device Drivers Install Updates Join Workgroup Prepare ConfigMgr Client Prepare Operating System Capture the Reference Machine

Reboot to Windows PE or hard disk Format and Partition Disk Auto Apply Drivers Install Software Updates Join Domain or Workgroup Prepare ConfigMgr Client for Capture Prepare Windows for Capture Capture Operating System Image

Task Sequence Group/Step

Reference

Build the Reference Computer - (New Task Sequence Group)

Create a task sequence group. A task sequence group keeps similar task sequence steps together for better organization and error control. This group contains the actions necessary to build a reference computer.

Restart in Windows PE

Use this task sequence step to specify the restart options for the destination computer. This step will display a message to the user that the computer will be restarted so that the installation can continue. This step uses the read-only _SMSTSInWinPE task sequence variable. If the associated value equals false the task sequence step will
1952

Task Sequence Group/Step

Reference

continue. Partition Disk 0 Use this task sequence step to specify the actions necessary to format the hard drive on the destination computer. The default disk number is 0. This step uses the read-only _SMSTSClientCache task sequence variable. This step will run if the Configuration Manager client cache does not exist. Apply Operating System Use this task sequence step to install a specified operating system image on the destination computer. This step applies all volume images contained in the WIM file to the corresponding sequential disk volume on the target computer after first deleting all files on that volume (with the exception of Configuration Manager-specific control files). Use this task sequence step to configure the Windows settings configuration information for the destination computer. Use this task sequence step to specify the network or workgroup configuration information for the destination computer. You his task sequence step to match and install drivers as part of an operating system deployment. You can allow Windows Setup to search all existing driver categories by selecting Consider drivers from all categories or limit which driver categories Windows Setup searches by selecting Limit driver matching to only consider drivers in selected categories. This step uses the read-only _SMSTSMediaType task sequence variable. If the associated value does not equal FullMedia this task sequence step will run. Setup Windows and ConfigMgr Use this task sequence step to install the Configuration Manager client software.
1953

Apply Windows Settings

Apply Network Settings

Apply Device Drivers

Task Sequence Group/Step

Reference

Configuration Manager installs and registers the Configuration Manager client GUID. You can assign the necessary installation parameters in the Installation properties window. Install Updates Use this task sequence step to specify how software updates are installed on the destination computer. The destination computer is not evaluated for applicable software updates until this task sequence step runs. At that point, the destination computer is evaluated for software updates similar to any other Configuration Manager-managed client. This step uses the read-only _SMSTSMediaType task sequence variable. If the associated value does not equal FullMedia this task sequence step will run. Capture the Reference Computer - (New Task Sequence Group) Create another a task sequence group. This group contains the necessary steps to prepare and capture a reference computer.

Join Workgroup

Use this task sequence step to specify information needed to have the destination computer join a workgroup. Use this step to take the Configuration Manager client on the reference computer and prepares it for capture as part of the imaging process Use this task sequence step to specify the Sysprep options to use when capturing Windows settings from the reference computer. This task sequence step runs Sysprep and then reboots the computer into the Windows PE boot image specified for the task sequence. Use this task sequence step to enter a specific existing network share and .WIM file to use when saving the image. This location is used as the package source location when adding an operating system image package using the
1954

Prepare ConfigMgr Client for Capture

Prepare Operating System

Capture Operating System Image

Task Sequence Group/Step

Reference

Add Operating System Image Package Wizard.

See Also
Technical Reference for Deploying Operating Systems in Configuration Manager

How to Provision Windows To Go in Configuration Manager

Note The information in this topic applies only to System Center 2012 Configuration Manager SP1. Note This topic appears in the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide and in the Scenarios and Solutions Using System Center 2012 Configuration Manager guide. This topic provides the steps to provision Windows To Go in Microsoft System Center 2012 Configuration Manager SP1. Windows To Go is an enterprise feature of Windows 8 that enables the creation of a Windows To Go workspace that can be booted from a USB-connected external drive on computers that meet the Windows 7 or Windows 8 certification requirements, regardless of the operating system running on the computer. Windows To Go workspaces can use the same image enterprises use for their desktops and laptops and can be managed the same way. For more information about Windows To Go, see the Windows To Go feature overview topic in the Windows 8 TechNet documentation library.

Provision Windows To Go
Windows To Go is an operating system stored on a USB-connected external drive. You can provision the Windows To Go drive much like you provision other operating system deployments. However, because Windows To Go is designed to be a user-centric and highly mobile solution, you must take a slightly different approach to provisioning these drives. At a high level, Windows To Go is a two-phased deployment that allows you to configure the Windows To Go device and prestage content for the operating system deployment. You can achieve this with minimal impact to the user and limit downtime for the users computer. After you prestage the computer, you must complete the provisioning process to ensure the computer is ready for the user. The provisioning process is similar to the current operating system deployment
1955

process. The following lists the general workflow to prestage content and provision Windows To Go: 1. Create a Task Sequence to Deploy Windows 8 2. Create Prestaged Media 3. Create a Windows To Go Creator package 4. Update the Task Sequence to Enable BitLocker for Windows To Go 5. Deploy the Windows To Go Creator Package and Task Sequence 6. User Runs the Windows To Go Creator 7. Configuration Manager Configures and Stages the Windows To Go Drive 8. User Logs In to Windows 8

Prerequisites to Provision Windows To Go

Before you provision Windows To Go, you must complete the following in Configuration Manager: Distribute a boot image to a distribution point: Before you create prestaged media, you must distribute the boot image to a distribution point. Note Boot images are used to install the operating system on the destination computers in your Configuration Manager environment. They contain a version of Windows PE that installs the operating system, as well as any additional device drivers that are required. Configuration Manager provides two boot images: One to support x86 platforms and one to support x64 platforms. You can also create your own boot images. For more information about boot images, see Planning for Boot Image Deployments in Configuration Manager Distribute the Windows 8 operating system image to a distribution point: Before you create prestaged media, you must distribute the Windows 8 operating system image to a distribution point. Note Operating system images are .WIM format files and represent a compressed collection of reference files and folders that are required to successfully install and configure an operating system on a computer. For more information about operating system images, see Planning for Deploying Operating System Images in Configuration Manager. Create a Task Sequence to Deploy Windows 8: You must create a task sequence for a Windows 8 deployment that you will reference when you create prestaged media. For more information about how to create a task sequence, see How to Manage Task Sequences in Configuration Manager.

1956

Create Prestaged Media

Prestaged media contains the boot image used to start the destination computer and the operating system image that is applied to the destination computer. The computer that you provision with prestaged media can be started by using the boot image. The computer can then run an existing operating system deployment task sequence to install a complete operating system deployment. The task sequence that deploys the operating system is not included in the media. Starting with Microsoft System Center 2012 Configuration Manager SP1, you can add content, such as applications and device drivers, in addition to the operating system image and boot image during the prestage phase. This reduces the time it takes to deploy an operating system and reduces network traffic because the content is already on the drive. Use the following procedure to create the prestaged media. To create prestaged media 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Operating Systems, and then click Task Sequences. 3. On the Home tab, in the Create group, click Create Task Sequence Media to start the Create Task Sequence Media Wizard. 4. On the Select Media Type page, specify the following information, and then click Next. Select Prestaged media. Select Allow unattended operating system deployment to boot to the Windows To Go deployment with no user interaction. Important When you use this option with the SMSTSPreferredAdvertID custom variable (set later in this procedure), no user interaction is required and the computer will automatically boot to the Windows To Go deployment when it detects a Windows To Go drive. The user is still prompted for a password if the media is configured for password protection. If you use the Allow unattended operating system deployment setting without configuring the SMSTSPreferredAdvertID variable, an error will occur when you deploy the task sequence. 5. On the Media Management page, specify the following information, and then click Next. Select Dynamic media if you want to allow a management point to redirect the media to another management point, based on the client location in the site boundaries. Select Site-based media if you want the media to contact only the specified management point. Created by: Specify who created the media.
1957

6. On the Media Properties page, specify the following information, and then click Next.

Version: Specify the version number of the media. Comment: Specify a unique description of what the media is used for. Media file: Specify the name and path of the output files. The wizard writes the output files to this location. For example: \\servername\folder\outputfile.wim Select Enable unknown computer support to allow the media to deploy an operating system to a computer that is not managed by Configuration Manager. There is no record of these computers in the Configuration Manager database. Unknown computers include the following: A computer where the Configuration Manager client is not installed A computer that is not imported into Configuration Manager A computer that is not discovered by Configuration Manager

7. On the Security page, specify the following information, and then click Next.

Select Protect the media with a password and enter a strong password to help protect the media from unauthorized access. When you specify a password, the user must provide that password to use the prestaged media. Security As a security best practice, always assign a password to help protect the prestaged media. Note When you protect the prestaged media with a password, the user is prompted for the password even when the media is configured with the Allow unattended operating system deployment setting.

For HTTP communications, select Create self-signed media certificate, and then specify the start and expiration date for the certificate. For HTTPS communications, select Import PKI certificate, and then specify the certificate to import and its password. For more information about this client certificate that is used for boot images, see PKI Certificate Requirements for Configuration Manager.

User Device Affinity: To support user-centric management in Configuration Manager, specify how you want the media to associate users with the destination computer. For more information about how operating system deployment supports user device affinity, see How to Associate Users with a Destination Computer. Specify Allow user device affinity with auto-approval if you want the media to automatically associate users with the destination computer. This functionality is based on the actions of the task sequence that deploys the operating system. In this scenario, the task sequence creates a relationship between the specified users and destination computer when it deploys the operating system to the destination computer. Specify Allow user device affinity pending administrator approval if you want the media to associate users with the destination computer after approval is granted. This functionality is based on the scope of the task sequence that
1958

deploys the operating system. In this scenario, the task sequence creates a relationship between the specified users and the destination computer, but waits for approval from an administrative user before the operating system is deployed. Specify Do not allow user device affinity if you do not want the media to associate users with the destination computer. In this scenario, the task sequence does not associate users with the destination computer when it deploys the operating system.

8. On the Task Sequence page, specify the Windows 8 task sequence that you created in the previous section. 9. On the Boot image page, specify the following information, and then click Next. Important The architecture of the boot image that is distributed must be appropriate for the architecture of the destination computer. For example, an x64 destination computer can boot and run an x86 or x64 boot image. However, an x86 destination computer can boot and run only an x86 boot image. For Windows 8 certified computers in EFI mode, you must use an x64 boot image. Boot image: Specify the boot image to start the destination computer. Distribution point: Specify the distribution point that hosts the boot image. The wizard retrieves the boot image from the distribution point and writes it to the media. Note The administrative user must have Read access rights to the boot image content on the distribution point. For more information about setting access rights, see the Manage Accounts to Access Package Content in the Operations and Maintenance for Content Management in Configuration Manager topic. If you selected Site-based media on the Media Management page of this wizard, in the Management point box, specify a management point from a primary site. If you selected Dynamic media on the Media Management page of the wizard, in the Associated management points box, specify the primary site management points to use and a priority order for the initial communications. Image package: Specify the package that contains the Windows 8 operating system image. Image index: Specify the image to deploy if the package contains multiple operating system images. Distribution point: Specify the distribution point that hosts the operating system image package. The wizard retrieves the operating system image from the distribution point and writes it to the media. Note
1959

10. On the Images page, specify the following information, and then click Next.

The administrative user must have Read access rights to the operating system image content on the distribution point. For more information about setting access rights, see the Manage Accounts to Access Package Content in the Operations and Maintenance for Content Management in Configuration Manager topic. 11. On the Select Application page, select application content to include in the media file, and then click Next. 12. On the Select Package page, select additional package content to include in the media file, and then click Next. 13. On the Select Driver Package page, select driver package content to include in the media file, and then click Next. 14. On the Distribution Points page, select one or more distribution points that contain the content required by the task sequence, and then click Next. 15. On the Customization page, specify the following information, and then click Next. Variables: Specify the variables that the task sequence uses to deploy the operating system. For Windows To Go, use the SMSTSPreferredAdvertID variable to automatically select the Windows To Go deployment by using the following format: SMSTSPreferredAdvertID = {DeploymentID}, where DeploymentID is the deployment ID associated with the task sequence that you will use to complete the provisioning process for the Windows To Go drive. Tip When you use this variable with a task sequence that is set to run unattended (set earlier in this procedure), no user interaction is required and the computer automatically boots to the Windows To Go deployment when it detects a Windows To Go drive. The user is still prompted for a password if the media is configured for password protection. Prestart commands: Specify any prestart commands that you want to run before the task sequence runs. Prestart commands can be a script or executable that can interact with the user in Windows PE before the task sequence runs to install the operating system. Configure the following for the Windows To Go deployment: OSDBitLockerPIN: BitLocker for Windows To Go requires a passphrase. Set the OSDBitLockerPIN variable as part of a prestart command to set the BitLocker passphrase for the Windows To Go drive. BitLocker for Windows To Go requires a passphrase. Set the OSDBitLockerPIN variable as part of a prestart command to set the BitLocker passphrase for the Windows To Go drive. Warning After BitLocker is enabled for the passphrase, the user must enter the passphrase each time the computer boots to the Windows To Go drive. SMSTSUDAUsers: Specifies the primary user of the destination computer. Use this variable to collect the user name, which can then be used to associate the user and device. For more information about associating users with the
1960

destination computer, see How to Associate Users with a Destination Computer. Tip To retrieve the username, you can create an input box as part of the prestart command, have the user enter their username, and then set the variable with the value. For example, you can add the following lines to the prestart command script file:
UserID = inputbox("Enter Username" ,"Enter your username:","",400,0) env("SMSTSUDAUsers") = UserID

For more information about how to create a script file to use as your prestart command, see Prestart Commands for Task Sequence Media in Configuration Manager. 16. Complete the wizard. Note It can take an extended period of time for the wizard to complete the prestaged media file.

Create a Windows To Go Creator package

As part of the Windows To Go deployment, you must create a package to deploy the prestage media file. The package must include the tool that configures the Windows To Go drive and extracts the prestaged media to the drive. Use the following procedure to create the Windows To Go Creator package. To create the Windows To Go Creator package 1. On the server to host the Windows To Go Creator package files, create a source folder for the package source files. Note The computer account of the site server must have Read access rights to the source folder. 2. Copy the prestaged media file that you created in the Create Prestaged Media section to the package source folder. 3. Copy the Windows To Go Creator tool (WTGCreator.exe) to the package source folder. The creator tool is available on any Configuration Manager SP1 primary site server at the following location: <ConfigMgrInstallationFolder>\OSD\Tools\WTG\Creator. 4. Create a package and program by using the Create Package and Program Wizard. 5. In the Configuration Manager console, click Software Library. 6. In the Software Library workspace, expand Application Management, and then click Packages.
1961

7. On the Home tab, in the Create group, click Create Package. 8. On the Package page, specify the name and description of the package. For example, enter Windows To Go for the package name and specify Package to configure a Windows To Go drive using System Center Configuration Manager for the package description. 9. Select This package contains source files, specify the path to the package source folder that you created in step 1, and then click Next. 10. On the Program Type page, select Standard program, and then click Next. 11. On the Standard Program page, specify the following: Name: Specify the name of the program. For example, type Creator for the program name. Command Line: Type WTGCreator.exe /wim:PrestageName.wim, where PrestageName is the name of prestaged file that you created and copied to the package source folder for the Windows To Go Creator package. Optionally, you can add the following options: enableBootRedirect: command-line option to change the Windows To Go startup options to allow boot redirection. When you use this option, the computer will boot from USB without having to change the boot order in the computer firmware or have the user select from a list of boot options during startup. If a Windows To Go drive is detected, the computer boots to that drive.

Run: Specify Normal to run the program based on the system and program defaults. Program can run: Specify whether the program can run only when a user is logged on. Run mode: Specify whether the program will run with the logged on users permissions or with administrative permissions. The Windows To Go Creator requires elevated permissions to run. Select Allow users to view and interact with the program installation , and then click Next. Platform requirements: Select the applicable Windows 8 platforms to allow provisioning. Estimated disk space: Specify the size of the package source folder for the Windows To Go Creator. Maximum allowed run time (minutes): Specifies the maximum time that the program is expected to run on the client computer. By default, this value is set to 120 minutes. Important If you are using maintenance windows for the collection on which this program is run, a conflict might occur if the Maximum allowed run time is longer than the scheduled maintenance window. If the maximum run time is set to Unknown, it will start during the maintenance window, but will continue to run until it completes or fails after the maintenance window is closed. If
1962

12. On the Requirements page, specify the following:

you set the maximum run time to a specific period (not set to Unknown) that exceeds the length of any available maintenance window, then that program will not be run. Note If the value is set to Unknown, Configuration Manager sets the maximum allowed run time to 12 hours (720 minutes). Note If the maximum run time (whether set by the user or as the default value) is exceeded, Configuration Manager stops the program if run with administrative rights is selected and Allow users to view and interact with the program installation is not selected on the Standard Program page. Click Next and complete the wizard.

Update the Task Sequence to Enable BitLocker for Windows To Go

Windows To Go enables BitLocker on an external bootable drive without the use of TPM. Therefore, you must use a separate tool to configure BitLocker on the Windows To Go drive. To enable BitLocker, you must add an action to the task sequence after the Setup Windows and ConfigMgr step. Note BitLocker for Windows To Go requires a passphrase. In the Create Prestaged Media step, you set the passphrase as part of a prestart command by using the OSDBitLockerPIN variable. Use the following procedure to update the Windows 8 task sequence to enable BitLocker for Windows To Go. To update the Windows 8 task sequence to enable BitLocker 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Application Management, and then click Packages. 3. On the Home tab, in the Create group, click Create Package. 4. On the Package page, specify the name and description of the package. For example, type BitLocker for Windows To Go for the package name and specify Package to update BitLocker for Windows To Go for the package description. 5. Select This package contains source files, specify the location for the BitLocker tool for Windows To Go, and then click Next. The BitLocker tool is available on any Configuration Manager SP1 primary site server at the following location: <ConfigMgrInstallationFolder>\OSD\Tools\WTG\BitLocker\
1963

6. On the Program Type page, select Do not create a program. 7. Click Next and complete the wizard. 8. In the Configuration Manager console, click Software Library. 9. In the Software Library workspace, expand Operating Systems, and then click Task Sequences. 10. Select the Windows 8 task sequence that you reference in the prestaged media. 11. On the Home tab, in the Task Sequence group, click Edit. 12. Click the Setup Windows and ConfigMgr step, click Add, click General, and then click Run Command Line. The Run Command Line step is added after the Setup Windows and ConfigMgr step. 13. On the Properties tab for the Run Command Line step, add the following: a. Name: Specify a name for the command line, such as Enable BitLocker for Windows To Go. b. Command Line: x86\osdbitlocker_wtg.exe /Enable Optional parameters: /pwd:<None|AD> Specify the BitLocker password recovery mode. Select AD to configure BitLocker Drive Encryption to back up recovery information for BitLocker-protected drives to Active Directory Domain Services (AD DS). Backing up recovery passwords for a BitLocker-protected drive allows administrative users to recover the drive if it is locked. This ensures that encrypted data belonging to the enterprise can always be accessed by authorized users. When you specify None, the user is responsible for keeping a copy of the recovery password or recovery key. If the user loses that information or neglects to decrypt the drive before leaving the organization, administrative users cannot easily access to the drive. /wait:<TRUE|FALSE> Specify whether the task sequence waits for encryption to complete before it completes.

c.

Select Package, and then specify the package that you created at the start of this procedure. Condition = Task Sequence Variable Variable = _SMSTSWTG Condition = Equals Value = True

d. On the Options tab, add the following conditions:

Note The Enable BitLocker step, which is likely after the new command-line step, is not used to enable BitLocker for Windows To Go. However, you can keep this step in the task sequence to use for Windows 8 deployments that do not use a Windows To Go drive.

1964

Deploy the Windows To Go Creator Package and Task Sequence

Windows To Go is a hybrid deployment process. Therefore, you must deploy the Windows To Go Creator package and the Windows 8 task sequence. Use the following procedures to complete the deployment process. To deploy the Windows To Go Creator package 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Application Management, and then click Packages. 3. Select the Windows To Go package that you created in the Create a Windows To Go Creator package step. 4. On the Home tab, in the Deployment group, click Deploy. 5. On the General page, specify the following settings: a. Software: Verify that the Windows To Go package is selected. b. Collection: Click Browse to select the collection to which you want to deploy the Windows To Go package. c. Use default distribution point groups associated to this collection : Select this option if you want to store the package content on the collections default distribution point group. If you have not associated the selected collection with a distribution point group, this option will be unavailable.

6. On the Content page, click Add and then select the distribution points or distribution point groups to which you want to deploy the content associated with this package and program. 7. On the Deployment Settings page, select Available for the deployment type, and then click Next. 8. On the Scheduling, configure when this package and program will be deployed or made available to client devices. The options on this page will differ depending on whether the deployment action is set to Available or Required. 9. On the Scheduling, configure the following settings, and then click Next. a. Schedule when this deployment will become available: Specify the date and time when the package and program is available to run on the destination computer. When you select UTC, this setting ensures that the package and program is available for multiple destination computers at the same time rather than at different times, according to the local time on the destination computers. b. Schedule when this deployment will expire: Specify the date and time when the package and program expires on the destination computer. When you select UTC, this setting ensures that the task sequence expires on multiple destination computers at the same time rather than at different times, according to the local time on the destination computers. 10. On the User Experience page of the Wizard, specify the following information:
1965

Software installation: Allows the software to be installed outside of any configured maintenance windows. System restart (if required to complete the installation) : Allows a device to restart outside of configured maintenance windows when required by the software installation. Embedded Devices: For Configuration Manager SP1 only. When you deploy packages and programs to Windows Embedded devices that are write filter enabled, you can specify to install the packages and programs on the temporary overlay and commit changes later, or commit the changes at the installation deadline or during a maintenance window. When you commit changes at the installation deadline or during a maintenance window, a restart is required and the changes persist on the device. Deployment options: Specify Download content from distribution point and run locally. Allow clients to share content with other clients on the same subnet : Select this option to reduce load on the network by allowing clients to download content from other clients on the network that have already downloaded and cached the content. This option utilizes Windows BranchCache and can be used on computers running Windows Vista SP2 and later. All clients to use a fallback source location for content : Specify whether to allow clients to fall back and use a non-preferred distribution point as the source location for content when the content is not available on a preferred distribution point.

11. On the Distribution Points page, specify the following information:

12. Complete the wizard. To deploy the Windows 8 task sequence 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Operating Systems, and then click Task Sequences. 3. Select the Windows 8 task sequence that you created in the Create a Task Sequence to Deploy Windows 8 step. 4. On the Home tab, in the Deployment group, click Deploy. 5. On the General page, specify the following settings: a. Task sequence: Verify that the Windows 8 task sequence is selected. b. Collection: Click Browse to select the collection that includes all devices for which a user might provision Windows To Go. Important If the prestaged media that you created in the Create Prestaged Media section uses the SMSTSPreferredAdvertID variable, you can deploy the task sequence to the All Systems collection and specify the Windows PE only (hidden) setting on the Content page. Because the task sequence is hidden,
1966

it will only be available to media. c. Use default distribution point groups associated to this collection : Select this option if you want to store the package content on the collections default distribution point group. If you have not associated the selected collection with a distribution point group, this option will be unavailable.

6. On the Deployment Settings page, configured the following settings, and then click Next. Purpose: Select Available. When you deploy the task sequence to a user, the user sees the published task sequence in the Application Catalog and can request it on demand. If you deploy the task sequence to a device, the user will see the task sequence in Software Center and can install it on demand. Make available to the following: Specify whether the task sequence is available to Configuration Manager clients, media, or PXE. Important Use the Only media and PXE (hidden) setting for automated task sequence deployments. Select Allow unattended operating system deployment and set the SMSTSPreferredAdvertID variable as part of the prestaged media to have the computer automatically boot to the Windows To Go deployment with no user interaction when it detects a Windows To Go drive. For more information about these prestaged media settings, see the Create Prestaged Media section. 7. On the Scheduling page, configure the following settings, and then click Next. a. Schedule when this deployment will become available: Specify the date and time when the task sequence is available to run on the destination computer. When you select UTC, this setting ensures that the task sequence is available for multiple destination computers at the same time rather than at different times, according to the local time on the destination computers. b. Schedule when this deployment will expire: Specify the date and time when the task sequence expires on the destination computer. When you select UTC, this setting ensures that the task sequence expires on multiple destination computers at the same time rather than at different times, according to the local time on the destination computers. 8. On the User Experience page, specify the following information: Show Task Sequence progress: Specify whether the Configuration Manager client displays the progress of the task sequence. Software installation: Specify whether the user is allowed to install software outside a configured maintenance windows after the scheduled time. System restart (if required to complete the installation) : Allows a device to restart outside of configured maintenance windows when required by the software installation. Embedded Devices: When you deploy packages and programs to Windows Embedded devices that are write filter enabled, you can specify to install the
1967

packages and programs on the temporary overlay and commit changes later, or commit the changes at the installation deadline or during a maintenance window. When you commit changes at the installation deadline or during a maintenance window, a restart is required and the changes persist on the device. Internet-based clients: Specify whether the task sequence is allowed to run on an Internet-based client. Operations that install software, such as an operating system, are not supported with this setting. Use this option only for generic script-based task sequences that perform operations in the standard operating system.

9. On the Alerts page, specify the alert settings that you want for this task sequence deployment, and then click Next. 10. On the Distribution Points page, specify the following information, and then click Next. Deployment options: Select Download content locally when needed by running task sequence. When no local distribution point is available, use a remote distribution point : Specify whether clients can use distribution points that are on slow and unreliable networks to download the content that is required by the task sequence. Allow clients to use a fallback source location for content : Specify whether to allow clients to fall back and use a non-preferred distribution point as the source location for content when the content is not available on a preferred distribution point.

11. Complete the wizard.

User Runs the Windows To Go Creator

After you deploy the Windows To Go package and Windows 8 task sequence, the Windows To Go Creator is available to the user. The user can go to the software catalog, or Software Center if the Windows To Go Creator was deployed to devices, and run the Windows To Go Creator program. Once the creator package is downloaded, a flashing icon is displayed on the task bar. When the user clicks the icon, a dialog box is displayed for the user to select the Windows To Go drive to provision (unless the /drive command-line option is used). If the drive does not meet the requirements for Windows To Go or if the drive does not have enough free disk space to install the image, the creator program displays an error message. The user can verify the drive and image that will be applied from the confirmation page. As the creator configures and prestages content to the Windows To Go drive, it displays a progress dialog box. After the prestaging is complete, the creator displays a prompt to restart the computer to boot to the Windows To Go drive. Note If you did not enable boot redirection as part of the command line for the creator program in the Create a Windows To Go Creator package section, the user might be required to manually boot to the Windows To Go drive on every system restart.

1968

Configuration Manager Configures and Stages the Windows To Go Drive

After the computer restarts to the Windows To Go drive, the drive will boot into Windows PE and connect to the management point to get the policy to complete the operating system deployment. Configuration Manager configures and stages the drive. After Configuration Manager stages the drive, the user can restart the computer to finalize the provisioning process (such as to join a domain or install apps). This process is the same for any prestaged media.

User Logs In to Windows 8

After Configuration Manager completes the provisioning process and the Windows 8 lock screen is displayed, the user can login to the operating system.

See Also
Technical Reference for Deploying Operating Systems in Configuration Manager

Prestart Commands for Task Sequence Media in Configuration Manager

You can create a prestart command in System Center 2012 Configuration Manager to use with boot media, stand-alone media, and prestaged media. The prestart command is a script or executable that runs before the task sequence is selected and can interact with the user in Windows PE. The prestart command can prompt a user for information and save it in the task sequence environment or query a task sequence variable for information. When the destination computer boots, the command-line is run before the policy is downloaded from the management point. Use the following procedures to create a script to use for the prestart command, distribute the content associated with the prestart command, and configure the prestart command in media.

Create a Script File to Use for the Prestart Command

Task Sequence variables can be read and written by using the Microsoft.SMS.TSEnvironment COM object while the task sequence is running. The following example illustrates a Visual Basic script file that queries the _SMSTSLogPath task sequence variable to get the current log location. The script also sets a custom variable.
dim osd: set env = CreateObject("Microsoft.SMS.TSEnvironment") dim logPath ' You can query the environment to get an existing variable. logPath = env("_SMSTSLogPath") 1969

' You can also set a variable in the OSD environment. env("MyCustomVariable") = "varname"

Create a Package for the Script File and Distribute the Content
After you create the script or executable for the prestart command, you must create a package source to host the files for the script or executable, create a package for the files (no program required), and then distribute the content to a distribution point. For more information about creating a package, see How to Create Packages and Programs in Configuration Manager. For more information about distributing content, see the Distribute Content on Distribution Points section in the Operations and Maintenance for Content Management in Configuration Manager.

Configure the Prestart Command in Media

You can configure a prestart command in the Create Task Sequence Media Wizard for standalone media, bootable media, or prestaged media. For more information about the media types, see Planning for Media Operating System Deployments in Configuration Manager. Use the following procedure to create a prestart command in media. To create a prestart command in media 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Operating Systems, and then click Task Sequences. 3. On the Home tab, in the Create group, click Create Task Sequence Media to start the Create Task Sequence Media Wizard. 4. On the Select Media Type page, select Stand-alone media, Bootable media, or Prestaged media, and then click Next. 5. Navigate to the Customization page of the wizard. For more information about configuring the other pages in the wizard, see How to Deploy Operating Systems by Using Media in Configuration Manager 6. On the Customization page, specify the following information, and then click Next. Select Enable prestart command. In the Command line text box, enter the script or executable that you created for the prestart command. Important Use cmd /C <prestart command> to specify the prestart command. For example, if you used TSScript.vbs as the name for your prestart command script, you would enter cmd /C TSScript.vbs for the command line. Where
1970

cmd /C opens a new Windows command interpreter window and uses the Path environment variable to find the prestart command script or executable. You can also specify the full path to the prestart command, but the drive letter could be different on computers with different drive configurations. Select Include files for the prestart command. Click Set to select the package that is associated with the prestart command files. Click Browse to select the distribution point that hosts the content for the prestart command.

7. Complete the wizard.

See Also
Technical Reference for Deploying Operating Systems in Configuration Manager

How to Create a PXE-Initiated Windows 8 Deployment for UEFI-Based or BIOS-Based Computers in Configuration Manager
Note The information in this topic applies only to System Center 2012 Configuration Manager SP1. Note This topic appears in the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide and in the Scenarios and Solutions Using System Center 2012 Configuration Manager guide. Operating system deployment provides System Center 2012 Configuration Manager administrative users with a tool for creating operating system images that they can deploy to computers that are managed by Configuration Manager. This topic shows how you can create a reference operating system image, partition computers differently based on whether the computer starts in UEFI mode or BIOS mode, and deploy Windows 8 to computers that are managed by Configuration Manager

Scenario Overview
This scenario represents one way to deploy Windows 8 to computers based on specific assumptions and business requirements. The following table provides an outline of the sections that make up this scenario.

1971

Technical Requirements

This section lists the technical requirements of your Configuration Manager environment and client hardware to support this scenario. This section lists the business requirements for this scenario. This section provides information that you might consider before you perform the steps in this scenario. This section provides information about how to prepare and distribute a boot image.

Business Requirements

Pre-Deployment Considerations

Step 1: Prepare and Deploy the Boot Image

Step 1a: Prepare the Boot Image Step 1b: Distribute the Boot Image

Step 2: Build and Capture a Reference Operating System Image

Step 2a: Add the Windows 8 Operating System Image Step 2b: Create a Build and Capture Task Sequence Step 2c: Distribute the Task Sequence Content Step 2d: Deploy the Build and Capture Task Sequence Step 2e: Run the Task Sequence from the Reference Computer Step 2f: Add the Reference Operating System Image Step 2g: Schedule Operating System Image Updates

This section provides information about how to build and capture a Windows 8 operating system image from a reference computer by using a task sequence.

Step 3: Create a Task Sequence to Deploy the Operating System

Step 3a: Create the Task Sequence to Deploy Windows 8 Step 3b: Review the Task Sequence Settings Step 3c: Distribute the Task Sequence Content Step 3d: Deploy the Task Sequence to Install Windows 8

This section provides information about how to create a task sequence to deploy Windows 8. The task sequence is available to computers when they startup in PXE.

1972

Technical Requirements
This scenario requires the following technical requirements: All sites in the Configuration Manager hierarchy are running Configuration Manager SP1 and are fully functional. PXE-enabled distribution points are configured and available to select as the content location for task sequence content. For more information about how to configure the distribution point to support PXE, see the Planning for PXE-Initiated Operating System Deployments in Configuration Manager topic. Windows Assessment and Deployment Kit (Windows ADK) for Windows 8 is installed on all site servers and computers that have the SMS Provider site system role. For more information about Windows ADK, see Windows Deployment with the Windows ADK. All computers that are managed by Configuration Manager have x64 system architecture. The computers that are managed by Configuration Manager have either firmware that meets the Unified Extensible Firmware Interface (UEFI) 2.3.1 specifications or a BIOS firmware interface. For more information about UEFI, see the Unified EFI Forum website. All computers that are managed by Configuration Manager have Trusted Platform Module (TPM) enabled. The task sequence steps that support BitLocker require TPM.

Business Requirements
This scenario accommodates the following business requirements: Create a single task sequence to deploy Windows 8 to computers that have firmware that meets the UEFI specifications or a BIOS firmware interface. The deployment for Windows 8 will be PXE-initiated only. Install all mandatory software updates with the Windows 8 deployment. Enable BitLocker on all computers that install Windows 8.

Pre-Deployment Considerations
Before you deploy Windows 8 to Configuration Manager clients, consider the following predeployment steps Windows 8 upgrade assessment: The Microsoft System Center 2012 Configuration Manager Upgrade Assessment Tool gives you information that you can use to determine whether the hardware and software on computers that are managed by Configuration Manager are compatible with Windows 8. The Upgrade Assessment Tool provides the following functionality: Retrieves device driver compatibility for installed peripheral devices and creates reports that you can use to determine which device drivers have to be upgraded to support the Windows operating system. Lets you see which computers meet the recommended system requirements for Windows operating systems and to customize these requirements for your environments.

1973

Creates summary reports that you can use to see an enterprise wide view of operating system upgrade readiness. Lets you create dynamic collections for an operating system deployment. The collection query rules can be based on system requirements, application compatibility status, and device driver status.

Download the Upgrade Assessment Tool from the Microsoft Download Center site. For more information, see Configuration Manager Upgrade Assessment Tool. UEFI-based computers: Before you install Windows 8 on a UEFI-based computer, note the following. All computers that are certified for Windows 8 use firmware that meets the UEFI specifications. For some computers, you might have to perform additional steps to make sure that Windows is installed in UEFI mode, and not in legacy BIOS-compatibility mode. It is not supported to switch from legacy BIOS-compatibility mode to UEFI mode by using a task sequence. For more information, see How to Switch from BIOS-Compatibility Mode to UEFI Mode. Some computers might support UEFI. However, they do not support a PXE-initiated boot when in UEFI mode. To provision these computers in UEFI mode, you must start them from boot media instead of using PXE. If the computer performs a PXE-initiated boot, Configuration Manager detects that the computer is in BIOS mode and therefore provisions the computer as such. For more information about how to create boot media, see the How to Create Bootable Media section in the How to Deploy Operating Systems by Using Media in Configuration Manager topic. UEFI and BIOS have different disk partitioning requirements. UEFI hard disks require the GUID partition table (GPT) partition structure, instead of the master boot record (MBR) partition structure that is used in BIOS. When you use a task sequence to deploy Windows 8, the task sequence detects whether the computer was started in UEFI mode or BIOS-compatibility mode, and the task sequence configures the partitions on the hard disk to accommodate the associated requirements.

Step 1: Prepare and Deploy the Boot Image

A boot image contains a version of Windows PE that provides a boot environment for a computer. Windows PE is a minimal operating system with limited components and services that prepare the destination computer for Windows installation. In this scenario, after a computer starts in Windows PE, Configuration Manager begins the Windows 8 installation. You can use the steps in this section to prepare and deploy the boot image that you will use in your Windows 8 deployment task sequence. This section consists of the following steps: Step 1a: Prepare the Boot Image Step 1b: Distribute the Boot Image

For more information about how to manage boot images, see the How to Manage Boot Images in Configuration Manager topic.

1974

Step 1a: Prepare the Boot Image

Configuration Manager provides two boot images: One to support the x86 architecture and one to support the x64 architecture. For computers that start in UEFI mode, you must use a boot image that matches the architecture of the computer; that is, x86 for x86-based computers or x64-based computers. You cannot use an x86 boot image for both architectures for computers that boot in UEFI mode in the same manner that you can for computers that boot in BIOS. For this scenario, only x64-based computers are in the environment. Therefore, this scenario uses the default x64 boot image (Boot image (x64)). Important Configuration Manager does not support a PXE-initiated startup for computers that have the IA-32 architecture. The default boot image contains standard device drivers and might be sufficient for your deployment. However, you can customize the boot image with one or more of the following configurations: Image properties Drivers Prestart command settings Windows PE background image Command shell support Windows PE scratch space Optional components to use in Windows PE

For more information about how to change the boot image, see the How to Modify a Boot Image section in the topic, How to Manage Boot Images in Configuration Manager.

Step 1b: Distribute the Boot Image

After you prepare the boot image, you must distribute the image to all PXE-enabled distribution points. When the task sequence is run by a client, the client downloads the boot image from the distribution point. You distribute boot images to distribution points in the same way that you distribute other content. You can specify single distribution points, distribution point groups, or collections that are associated with distribution point groups. For more information about distributing content in Configuration Manager, see the Distribute Content on Distribution Points section in the Operations and Maintenance for Content Management in Configuration Manager topic. Follow these steps to distribute the boot image to distribution points. To distribute the boot image to distribution points 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Operating Systems, and then click Boot Images.
1975

3. In the Boot Images node, select the boot image objects that you want to deploy. 4. On the Home tab, in the Deployment group, click Distribute Content to start the Distribute Content Wizard. 5. On the General page, verify that the content listed is the content that you want to distribute, and then click Next. 6. On the Content Destination page, click Add, choose one of the following, and then follow the associated step: Collections: Select User Collections or Device Collections, click the collection associated with one or more distribution point groups, and then click OK. Note Only the collections that are associated with a distribution point group are displayed. For more information about how to associate collections with distribution point groups, see the Configure Distribution Point Groups section in the Configuring Content Management in Configuration Manager topic. Distribution Point: Select an existing distribution point, and then click OK. Distribution points that have previously received the content are not displayed. Distribution Point Group: Select an existing distribution point group, and then click OK. Distribution point groups that have previously received the content are not displayed.

When you finish adding content destinations, click Next. 7. On the Summary page, review the settings for the distribution before you continue. To distribute the content to the selected destinations, click Next. 8. The Progress page displays the progress of the distribution. 9. The Confirmation page displays whether the content was successfully assigned to the points. For more information about how to monitor the content distribution, see the Monitor Content section in the Operations and Maintenance for Content Management in Configuration Manager topic.

Step 2: Build and Capture a Reference Operating System Image

Operating system images are WIM files and represent a compressed collection of reference files and folders that are required to successfully install and configure an operating system on a computer. You can use the steps in this section to import the base operating system image (install.wim) located on the Windows 8 installation media. Then, you create a task sequence that installs Windows 8, mandatory software updates, and applications to a reference computer. You deploy the task sequence to a reference computer and the task sequence captures a new reference operating system image and stores it on a network shared folder. Finally, you can configure Configuration Manager to apply mandatory software updates to the operating system image on a schedule that you specify. This section consists of the following steps: Step 2a: Add the Windows 8 Operating System Image
1976

Step 2b: Create a Build and Capture Task Sequence Step 2c: Distribute the Task Sequence Content Step 2d: Deploy the Build and Capture Task Sequence Step 2e: Run the Task Sequence from the Reference Computer Step 2f: Add the Reference Operating System Image Step 2g: Schedule Operating System Image Updates

For more information about how to build and capture a reference operating system image, see the How to Create Task Sequences section in the How to Manage Task Sequences in Configuration Manager topic.

Step 2a: Add the Windows 8 Operating System Image

You must add a Windows 8 operating system image to the Configuration Manager console before you can build the reference operating system image. Follow these steps to add the Windows 8 operating system image to the Configuration Manager console. To add the Windows 8 operating system image 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Operating Systems, and then click Operating System Images. 3. On the Home tab, in the Create group, click Add Operating System Image to start the Add Operating System Image Wizard. 4. On the Data Source page, specify the network path to the Windows 8 operating system image. For example, specify \\MyServer\MyShare\Window8InstallationFiles\sources\install.wim. 5. On the General page, specify the following information, and then click Next. Name: Specify the name of the image. By default, the name of the image is taken from the WIM file. Version: Specify the version of the image. Comment: Specify a brief description of the image.

6. Complete the wizard.

Step 2b: Create a Build and Capture Task Sequence

The build and capture task sequence is run on a reference computer where the task sequence creates an operating system image that is based on a set of operating system source files. The task sequence uses the Windows 8 operating system image that you added in Step 2a: Add the Windows 8 Operating System Image to install Windows 8 on the reference computer. Then, the task sequence adds software updates, applications, and custom settings to the reference

1977

computer. Finally, the task sequence captures a new Windows 8 image from the reference computer and stores it on a network shared folder. Follow these steps to create the build and capture task sequence. To create a task sequence that builds and captures an operating system image 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Operating Systems, and then click Task Sequences. 3. On the Home tab, in the Create group, click Create Task Sequence to start the Create Task Sequence Wizard. 4. On the Create a New Task Sequence page, select Build and capture a reference operating system image, and then click Next. 5. On the Task Sequence Information page, specify the following settings, and then click Next. Task sequence name: Specify a name that identifies the task sequence. Description: Specify a description of the task that is performed by the task sequence, such as a description of the operating system that is created by the task sequence. Boot image: Specify the default x64 boot image (Boot image (x64)). Image package: Click Browse, select the Windows 8 operating system image that you added in Step 2a: Add the Windows 8 Operating System Image, and then click OK. Product key: Specify the product key for the Windows operating system to install. You can specify encoded volume license keys or standard product keys. If you use a non-encoded product key, each group of 5 characters must be separated by a dash (-). For example: XXXXX-XXXXX-XXXXX-XXXXX-XXXXX Server licensing mode: Specify that the server license is Per seat, Per server, or that no license is specified. If the server license is Per server, you must also specify the maximum number of server connections. Specify how to handle the administrator account that is used when the operating system is deployed. Disable local administrator account: Specify whether the local administrator account is disabled when the operating system is deployed. Always use the same administrator password: Specify whether the same password is used for the local administrator account on all computers where the operating system is deployed.

6. On the Install Windows page, specify the following settings, and then click Next.

7. On the Configure Network page, specify the following settings, and then click Next. Join a workgroup: Specify whether to add the destination computer to a workgroup when the operating system is deployed. Join a domain: Specify whether to add the destination computer to a domain when
1978

the operating system is deployed. In Domain, specify the name of the domain. Important You can browse to locate domains in the local forest. However, you must specify the domain name for a remote forest. You can also specify an organizational unit (OU). This is an optional setting that specifies the LDAP X.500-distinguished name of the OU in which to create the computer account if it does not already exist. Account: Specify the user name and password for the account that has permissions to join the specified domain. For example: domain\user or %variable%. Important You must enter the appropriate domain credentials if you plan to migrate either the domain settings or the workgroup settings. 8. On the Install Configuration Manager page, verify that the Configuration Manager client package is selected, add any additional properties to use for client installation, and then click Next. For more information about properties that can be used to install a client, see About Client Installation Properties in Configuration Manager. 9. On the Include Updates page, specify Mandatory software updates. Configuration Manager installs only the software updates that target the collections for which the destination computer is a member. 10. On the Install Applications page, specify the applications to install on the destination computer, and then click Next. If you specify multiple applications, you can also specify that the task sequence continues if the installation of a specific application fails. 11. On the System Preparation page, click Next. Sysprep is automatically available on Windows 8 and you do not have to specify a package. 12. On the Images Properties page, specify the following settings for the operating system image, and then click Next. Created by: Specify the name of the user who created the operating system image. Version: Specify a user-defined version number that is associated with the operating system image. Description: Specify a user-defined description of the operating system computer image. Path: Specify a shared network folder where the output .WIM file is stored. This file contains the operating system image that is based on the settings that you specify in the wizard. Configuration Manager overwrites a .WIM file with the same name, if it exists. Use the following account to access the output folder: Specify the Windows account that has Read and Write permissions to the output shared network folder.

13. On the Capture Image page, specify the following settings, and then click Next.

14. Complete the wizard.

1979

Step 2c: Distribute the Task Sequence Content

Before the reference computer can run the task sequence to build and capture the reference operating system task sequence, you must distribute that content to distribution points. Follow these steps to distribute the content that is referenced by a task sequence. To distribute the task sequence content to distribution points 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Operating Systems, and then click Task Sequences. 3. In the Task Sequences node, select the task sequence that you created in step 2b. 4. On the Home tab, in the Deployment group, click Distribute Content to start the Distribute Content Wizard. 5. On the General page, verify that the content listed is the content that you want to distribute, and then click Next. 6. On the Content Destination page, click Add, choose one of the following, and then follow the associated step: Collections: Select User Collections or Device Collections, click the collection associated with one or more distribution point groups, and then click OK. Note Only the collections that are associated with a distribution point group are displayed. For more information about how to associate collections with distribution point groups, see the Configure Distribution Point Groups section in the Configuring Content Management in Configuration Manager topic. Distribution Point: Select an existing distribution point, and then click OK. Distribution points that have previously received the content are not displayed. Distribution Point Group: Select an existing distribution point group, and then click OK. Distribution point groups that have previously received the content are not displayed.

When you finish adding content destinations, click Next. 7. On the Summary page, review the settings for the distribution before you continue. To distribute the content to the selected destinations, click Next. 8. The Progress page displays the progress of the distribution. 9. The Confirmation page displays whether the content was successfully assigned to the distribution points. For more information about how to monitor the content distribution, see the Monitor Content section in the Operations and Maintenance for Content Management in Configuration Manager topic.

Step 2d: Deploy the Build and Capture Task Sequence

Now that you created the task sequence to build and capture the reference operating system and the content is available on a distribution point, you must deploy it to the reference computer.
1980

When the task sequence runs on the reference computer, the computer starts in Windows PE. Then, the task sequence partitions and formats the hard disk on the reference computer, installs Windows 8, installs software updates and applications, and then creates a new reference Windows 8 operating system image that you will use to deploy Windows 8. Follow these steps to deploy the task sequence to the reference computer. To deploy the task sequence to build and capture the reference operating system image 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Operating Systems, and then click Task Sequences. 3. In the Task Sequence list, select the task sequence that you created in Step 2b: Create a Build and Capture Task Sequence. 4. On the Home tab, in the Deployment group, click Deploy. 5. On the General page, specify the following information, and then click Next. Task sequence: Verify that the correct task sequence is selected. Collection: Specify the collection that contains the reference computer. Important Verify that the collection you select contains only the reference computer that will run the task sequence. Comments (optional): Specify additional information that describes this deployment of the task sequence.

6. On the Deployment Settings page, specify the following information, and then click Next. Purpose: Choose Available from the drop-down list. Specify when to make this task sequence available. For this scenario, choose Only media and PXE to have the task sequence available when you use the preexecution environment (PXE) to initiate the task sequence deployment.

7. On the Scheduling page, specify the following information, and then click Next. Specify the current date and time for Schedule when this deployment will become available, and then click Next. Schedule when this deployment will become available: Specify the current date and time to make the task sequence available on the reference computer. Schedule when this deployment will expire: Specify the date and time when the task sequence expires on the destination computer.

8. On the User Experience page, review the default settings, and then click Next. For this scenario, the default settings are likely sufficient. 9. On the Alerts page, specify whether to generate an alert for a failed deployment, and then click Next. 10. On the Distribution Points page, click Next. For this scenario, the default settings are likely sufficient.
1981

11. Complete the wizard.

Step 2e: Run the Task Sequence from the Reference Computer
You have deployed the build and capture task sequence to a collection that contains the reference computer. Now, you must start the reference computer to PXE and run the task sequence to create the new Windows 8 reference operating system image. When you start in PXE, the task sequence that you created in Step 2b: Create a Build and Capture Task Sequence should be available to run. Start the task sequence to restart the computer to Windows PE, partition and format the hard disk drive, and install Windows 8. When the operating system installation is complete, the task sequence begins a capture and stores the new operating system image on a network shared folder.

Step 2f: Add the Reference Operating System Image

After the task sequence creates the Windows 8 reference operating system image, you must add the image to the Configuration Manager console before it will be available to use in the task sequence to deploy Windows 8 to clients. Follow these steps to add the Windows 8 reference operating system image to the Configuration Manager console. To add the Windows 8 operating system image 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Operating Systems, and then click Operating System Images. 3. On the Home tab, in the Create group, click Add Operating System Image to start the Add Operating System Image Wizard. 4. On the Data Source page, specify the path to the Windows 8 reference operating system image. This is the same path that you specified on the Capture Image page in step 2b. 5. On the General page, specify the following information, and then click Next. Name: Specify the name of the image. By default, the name of the image is taken from the WIM file. Version: Specify the version of the image. Comment: Specify a brief description of the image.

6. Complete the wizard.

Step 2g: Schedule Operating System Image Updates

Periodically, new software updates are released that apply to the operating system in your operating system image. You can apply applicable software updates to an image on a specified schedule to reduce the number of required software updates to install after the operating system is installed. This process reduces your vulnerability footprint on the image. On the schedule that
1982

you specify, Configuration Manager applies the software updates that you select to the operating system image, and then optionally distributes the updated image to distribution points. For more information about scheduling operating system image updates, see the How to Manage Operating System Images and Installers in Configuration Manager topic. Follow these steps to apply software updates to an operating system image. To apply software updates to an operating system image 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Operating Systems, and then click Operating System Images. 3. Select the operating system image to which to apply software updates. 4. On the Home tab, in the Operating System Image group, click Schedule Updates to start the wizard. 5. On the Choose Updates page, select the software updates to apply to the operating system image, and then click Next. 6. On the Set Schedule page, specify the following settings, and then click Next. a. Schedule: Specify the schedule for when the software updates are applied to the operating system image. b. Continue on error: Select this option to continue to apply software updates to the image even when there is an error. c. Distribute the image to distribution points: Select this option to update the operating system image on distribution points after the software updates are applied.

7. On the Summary page, verify the information, and then click Next. 8. On the Completion page, verify that the software updates were successfully applied to the operating system image.

Step 3: Create a Task Sequence to Deploy the Operating System

The task sequence performs multiple steps on a client computer at the command-line level without requiring user intervention. In this section, you will create a task sequence to install Windows 8 on computers. The task sequence uses the default x64 boot image, Boot image (x64), to start the computer in Windows PE, partition the hard disk, pre-provision BitLocker, install Windows 8, enable BitLocker, and restore user files and settings. This section consists of the following steps: Step 3a: Create the Task Sequence to Deploy Windows 8 Step 3b: Review the Task Sequence Settings Step 3c: Distribute the Task Sequence Content Step 3d: Deploy the Task Sequence to Install Windows 8

1983

For more information about how to create and deploy a task sequence, see the How to Manage Task Sequences in Configuration Manager topic.

Step 3a: Create the Task Sequence to Deploy Windows 8

The task sequence to deploy Windows 8 provides the steps to format and partition the computer, install Windows 8, enable BitLocker, and install mandatory software updates. Follow these steps to create the task sequence to deploy Windows 8. To create a task sequence to deploy Windows 8 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Operating Systems, and then click Task Sequences. 3. On the Home tab, in the Create group, click Create Task Sequence to start the Create Task Sequence Wizard. 4. On the Create a New Task Sequence page, select Install an existing image package, and then click Next. 5. On the Task Sequence Information page, specify the following settings, and then click Next. Task sequence name: Specify a name that identifies the task sequence. Description: Specify a description of the task that is performed by the task sequence. Boot image: Specify the default x64 boot image (Boot image (x64)). Image package: Click Browse, select the Windows 8 operating system image that you captured and then added in Step 2f: Add the Reference Operating System Image, and then click OK. Partition and format the target computer before installing the operating system: Configure task sequence for use with BitLocker: Select this setting to use Product key: Specify the product key for the Windows operating system to install. You can specify encoded volume license keys or standard product keys. If you use a non-encoded product key, each group of 5 characters must be separated by a dash (-). For example: XXXXX-XXXXX-XXXXX-XXXXX-XXXXX Server licensing mode: Specify that the server license is Per seat, Per server, or that no license is specified. If the server license is Per server, also specify the maximum number of server connections. Specify how to handle the administrator account that is used when the operating system is deployed. Randomly generate the local administrator password and disable the account on all supported platforms (recommended): Specify whether the
1984

6. On the Install Windows page, specify the following settings, and then click Next.

local administrator account is disabled when the operating system is deployed. Enable the account and specify the local administrator password : Specify whether to enable the local administrator account. When enabled, specify the password to use for this account.

7. On the Configure Network page, specify the following settings, and then click Next. Join a workgroup: Specify whether to add the destination computer to a workgroup when the operating system is deployed. Join a domain: Specify whether to add the destination computer to a domain when the operating system is deployed. In Domain, specify the name of the domain. Important You can browse to locate domains in the local forest. However, you must specify the domain name for a remote forest. You can also specify an organizational unit (OU). This is an optional setting that specifies the LDAP X.500-distinguished name of the OU in which to create the computer account if it does not already exist. Account: Specify the user name and password for the account that has permissions to join the specified domain. For example: domain\user or %variable%. Important You must enter the appropriate domain credentials if you plan to migrate either the domain settings or the workgroup settings. 8. On the Install Configuration Manager page, verify that the Configuration Manager client package is selected, add any additional properties to use for client installation, and then click Next. For more information about properties that can be used to install a client, see About Client Installation Properties in Configuration Manager. 9. On the State Migration page, clear the following settings, and then click Next. The user settings are not captured in this scenario. Capture user settings: The task sequence captures the user state. For more information about how to capture and restore the user state, see How to Manage the User State in Configuration Manager. Capture network settings: The task sequence captures network settings from the computer. You can capture the membership of the domain or workgroup in addition to the network adapter settings. Capture Microsoft Windows settings: The task sequence captures Windows settings from the computer before the operating system image is installed. You can capture the computer name, registered user and organization name, and the time zone settings.

10. On the Include Updates page, specify Mandatory software updates. Configuration Manager installs only applicable software updates that are deployed to a collection for which the computer is a member. 11. On the Install Applications page, specify the applications to install on the destination
1985

computer, and then click Next. If you specify multiple applications, you can also specify that the task sequence continues if the installation of a specific application fails. 12. Complete the wizard.

Step 3b: Review the Task Sequence Settings

The Create Task Sequence creates the steps that you must follow to deploy Windows 8. However, before you deploy the task sequence review the settings to make sure that they meet your business requirements. Follow these steps to review the task sequence: To review the task sequence 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Operating Systems, and then click Task Sequences. 3. In the Task Sequence list, select the task sequence that you created in Step 3a: Create the Task Sequence to Deploy Windows 8. 4. On the Home tab, in the Task Sequence group, click Edit. 5. Verify each step in the task sequence, including the following steps: Partition Disk 0 BIOS: Verify that the volume disk space is sufficient for the boot partition. Notice on the Options tab that there several conditions specified to so this step is not run if the task sequence detects that the computer starts in UEFI mode. Partition Disk 0 UEFI: Verify that the volume disk space is sufficient for the various partitions. Notice on the Options tab that there several conditions specified to so this step is not run if the task sequence detects that the computer does not boot in UEFI mode. Pre-provision BitLocker: Verify that BitLocker will be applied to the appropriate destination drive and that the Skip this step for computers that do not have a TPM or when TPM is not enabled setting is enabled. This step enables BitLocker on a drive while in Windows PE. Only the used drive space is encrypted, and therefore, encryption times are much faster. The step can only be run on computers that have TPM enabled. Pre-provision BitLocker section of the Task Sequence Steps in Configuration Manager topic. Enable BitLocker: Verify that the Current operating system drive is selected and the encryption type is TPM only. For more information about the Enable BitLocker task sequence step, see the Enable BitLocker section of the Task Sequence Steps in Configuration Manager topic.

6. Add additional steps to the task sequence to support the business requirements in your environment. 7. Click OK to save the changes.

1986

Step 3c: Distribute the Task Sequence Content

Before you deploy the task sequence to computers, distribute the content to distribution points to make sure that the content is available. Follow these steps to distribute the content that is referenced by a task sequence. To distribute the task sequence content to distribution points 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Operating Systems, and then click Task Sequences. 3. In the Task Sequences node, select the task sequence that you created in Step 3a: Create the Task Sequence to Deploy Windows 8. 4. On the Home tab, in the Deployment group, click Distribute Content to start the Distribute Content Wizard. 5. On the General page, verify that the content listed is the content that you want to distribute, and then click Next. 6. On the Content Destination page, click Add, choose one of the following, and then follow the associated step: Collections: Select User Collections or Device Collections, click the collection associated with one or more distribution point groups, and then click OK. Note Only the collections that are associated with a distribution point group are displayed. For more information about how to associate collections with distribution point groups, see the Configure Distribution Point Groups section in the Configuring Content Management in Configuration Manager topic. Distribution Point: Select an existing distribution point, and then click OK. Distribution points that have previously received the content are not displayed. Distribution Point Group: Select an existing distribution point group, and then click OK. Distribution point groups that have previously received the content are not displayed.

When you finish adding content destinations, click Next. 7. On the Summary page, review the settings for the distribution before you continue. To distribute the content to the selected destinations, click Next. 8. The Progress page displays the progress of the distribution. 9. The Confirmation page displays whether the content was successfully assigned to the distribution points. For more information about how to monitor the content distribution, see the Monitor Content section in the Operations and Maintenance for Content Management in Configuration Manager topic.

1987

Step 3d: Deploy the Task Sequence to Install Windows 8

As soon as you create the task sequence to install Windows 8 and the content is available on your distribution points, you can deploy the task sequence to Configuration Manager clients. Before you deploy the task sequence, make sure that you have a deployment strategy that includes the collections for which you will deploy the task sequence. If you used the Upgrade Assessment Tool in the Pre-Deployment Considerations section, you likely created collections with clients that are ready to upgrade to Windows 8. Follow these steps to deploy the task sequence to deploy Windows 8. To deploy the task sequence to install Windows 8 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Operating Systems, and then click Task Sequences. 3. In the Task Sequence list, select the task sequence that you created in Step 3a: Create the Task Sequence to Deploy Windows 8. 4. On the Home tab, in the Deployment group, click Deploy. 5. On the General page, specify the following information, and then click Next. Task sequence: Verify that the correct task sequence is selected. Collection: Specify the collection for this deployment. Members of this collection will receive the task sequence to install Windows 8 when they boot to PXE. Important To install Windows 8 to computers that are not managed by Configuration Manager, you must use a collection that includes All Unknown Computers. Comments (optional): Specify additional information that describes this deployment. 6. On the Deployment Settings page, specify the following information, and then click Next. Purpose: Choose Available from the drop-down list. Specify when to make this task sequence available. For this scenario, choose Only media and PXE to have the task sequence available when the destination computer boots to PXE. Schedule when this deployment will become available: Specify the current date and time to make the task sequence available to destination computers. Schedule when this deployment will expire: Specify the date and time when the task sequence expires on the destination computer.

7. On the Scheduling page, specify the following information, and then click Next.

8. On the User Experience page, review the default settings, and then click Next. For this scenario, the default settings are likely sufficient. 9. On the Alerts page, specify whether to generate an alert for a failed deployment, and then click Next. 10. On the Distribution Points page, click Next. For this scenario, the default settings are
1988

likely sufficient. 11. Complete the wizard.

Assets and Compliance in System Center 2012 Configuration Manager

The Assets and Compliance in System Center 2012 Configuration Manager guide provides documentation to help you manage your network devices (computers and mobile devices) in Microsoft System Center 2012 Configuration Manager. If you are new to Configuration Manager, read Getting Started with System Center 2012 Configuration Manager before you read this guide.

Assets and Compliance Topics

Use the following topics to help you manage your network devices in System Center 2012 Configuration Manager: Collections in Configuration Manager Queries in Configuration Manager Inventory in Configuration Manager Power Management in Configuration Manager Remote Control in Configuration Manager Software Metering in Configuration Manager Out of Band Management in Configuration Manager Compliance Settings in Configuration Manager Endpoint Protection in Configuration Manager

Other Resources for this Product

TechNet Library main page for System Center 2012 Configuration Manager Documentation Library for System Center 2012 Configuration Manager

Collections in Configuration Manager

Collections in System Center 2012 Configuration Manager provide a method of managing groups of computers, mobile devices, users, and other resources in your organization.

1989

Collection Topics
Use the following topics to help you create and manage Configuration Manager collections in your organization: Introduction to Collections in Configuration Manager Planning for Collections in Configuration Manager Operations and Maintenance for Collections in Configuration Manager Security and Privacy for Collections in Configuration Manager Technical Reference for Collections in Configuration Manager

Other Resources for this Product

TechNet Library main page for System Center 2012 Configuration Manager Assets and Compliance in System Center 2012 Configuration Manager

Introduction to Collections in Configuration Manager

Collections in System Center 2012 Configuration Manager represent logical groupings of resources, such as users and devices. You can use collections to help you perform many tasks, such as managing applications, deploying compliance settings, or installing software updates. You can also use collections to manage groups of client settings. For more information, see How to Configure Client Settings in Configuration Manager. Additionally, System Center 2012 Configuration Manager uses collections with role-based administration to specify the collections that an administrative user can access. For more information, see Planning for Security in Configuration Manager. In Configuration Manager, recently viewed collections appear in the Users node and in the Devices node in the Assets and Compliance workspace in the Configuration Manager console.

Collection Rules
Configuration Manager collections contain one or more rules that control the membership of the collection. There are four rules that you can use:

Direct Rule
Direct rules let you to choose the users or computers that you want to add as members to a collection. This rule gives you direct control over which resources are members of the collection. The membership does not automatically change unless a resource is removed from Configuration Manager. Configuration Manager must discover the resources or you must import the resources before you can add them to a direct rule collection. Direct rule collections have a higher
1990

administrative overhead than query rule collections because you must modify this collection type manually. For more information about direct rule collections, see How to Create Collections in Configuration Manager.

Query Rule
Query rules dynamically update the membership of a collection based on a query that Configuration Manager runs on a schedule. For example, you can create a collection of users who are a member of the Human Resources organizational unit in Active Directory Domain Services. Unlike direct rule collections, this collection membership automatically updates when you add or remove new users to the Human Resources organizational unit. For more information about query rule collections, see How to Create Collections in Configuration Manager.

Include Collections Rule

The include collections rule lets you include the members of another collection in a Configuration Manager collection. Configuration Manager updates the membership of the current collection on a schedule if the membership of the included collection changes. For more information about the include collection rule, see How to Create Collections in Configuration Manager.

Exclude Collections Rule

The exclude collections rule lets you exclude the members of another collection from a Configuration Manager collection. Configuration Manager updates the membership of the current collection on a schedule if the membership of the excluded collection changes. For more information about the exclude collection rule, see How to Create Collections in Configuration Manager. Note If a collection includes both include collection and exclude collection rules and there is a conflict, the exclude rule takes priority over the include rule.

Default Collections in Configuration Manager

By default, Configuration Manager includes the following collections, which cannot be modified.
Collection name Description

All User Groups

Contains the user groups that are discovered by using Active Directory Security Group Discovery. Contains the users who are discovered by using Active Directory User Discovery. Contains the All Users and the All User Groups
1991

All Users

All Users and User Groups

Collection name

Description

collections. This collection cannot be modified and contains the largest scope of user and user group resources. All Desktop and Server Clients Contains the server and desktop devices that have the Configuration Manager client installed. Membership is maintained by Heartbeat Discovery. Contains the mobile devices that are managed by Configuration Manager. Membership is restricted to those mobile devices that are successfully assigned to a site or discovered by the Exchange Server connector. Note In Configuration Manager SP1, this collection excludes the mobile devices that are enrolled by Windows Intune. All Systems Contains the All Desktop and Server Clients, the All Mobile Devices, and All Unknown Computers collections. In Configuration Manager SP1, this collection also includes the mobile devices that are enrolled by Windows Intune. This collection cannot be modified and contains the largest scope of device resources. All Unknown Computers Contains generic computer records for multiple computer platforms. You can use this collection to deploy an operating system by using a task sequence and PXE boot, bootable media, or prestaged media.

All Mobile Devices

Incremental Collection Updates

When you enable incremental updates for a collection, Configuration Manager periodically scans for new or changed resources from the previous collection evaluation and updates a collections membership with these resources, independently of a full collection evaluation. By default, when you enable incremental collection updates, it runs every 10 minutes and helps keep your collection data up-to-date without the overhead of a full collection evaluation.

1992

Note When you create a new collection, incremental updates are disabled by default.

Whats New in Configuration Manager

Note The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide. The following table lists features that are new or that have changed in collections since Configuration Manager 2007.
Feature Description

User Collections and Device Collections nodes

You can no longer combine user resources and device resources in the same collection. The Configuration Manager console has two new nodes for user collections and device collections. Sub collections are no longer used in System Center 2012 Configuration Manager. In Configuration Manager 2007, sub collections had two main uses: Organize collections in folders. In System Center 2012 Configuration Manager, you can now create a hierarchy of folders in which to store collections. Sub collections were often used in Configuration Manager 2007 for phased software deployments to a larger collection of computers. In System Center 2012 Configuration Manager, you can use include rules to progressively increase the membership of a collection.

Sub collections

For more information, see How to Manage Collections in Configuration Manager. Include collection rules and exclude collection rules In System Center 2012 Configuration Manager, you can include or exclude the contents of another collection from a specified collection. Incremental collection member evaluation periodically scans for new or changed
1993

Incremental collection member evaluation

Feature

Description

resources from the previous collection evaluation and updates a collections membership with these resources, independently of a full collection evaluation. By default, when you enable incremental collection member updates, it runs every 10 minutes and helps to keep your collection data up-to-date without the overhead of a full collection evaluation. Migration support Collections can be migrated from Configuration Manager 2007 collections. For more information, see Planning a Migration Job Strategy in System Center 2012 Configuration Manager. You can use collections to limit access to Configuration Manager objects. For more information, see Planning for Security in Configuration Manager. In Configuration Manager 2007, collections contained only resources from the site where they were created and from child sites of that site. In System Center 2012 Configuration Manager, collections contain resources from all sites in the hierarchy. In System Center 2012 Configuration Manager, all collections must be limited to the membership of another collection. When you create a collection, you must specify a limiting collection. A collection is always a subset of its limiting collection.

Role-based administration security scopes

Collection resources

Collection limiting

Whats New in Configuration Manager SP1

Note The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide. The following items are new or have changed for collections in Configuration Manager SP1: The built-in collections are now read-only and cannot be modified.
1994

See Also
Collections in Configuration Manager

Planning for Collections in Configuration Manager

Use the following topics in this section to help you plan for collections in System Center 2012 Configuration Manager.

In this Section
Prerequisites for Collections in Configuration Manager Best Practices for Collections in Configuration Manager

See Also
Collections in Configuration Manager

Prerequisites for Collections in Configuration Manager

Collections in System Center 2012 Configuration Manager contain only dependencies within the product.

Configuration Manager Dependencies

Dependency More information

Reporting services point

The reporting services point site system role must be installed before you can run reports for collections. For more information, see Reporting in Configuration Manager. You must have the following security permissions to manage compliance settings: To create and manage collections: Create, Delete, Modify, Modify Folder, Move Object, Read and Read Resource for the Collection Object.
1995

Specific security permissions must have been granted to manage collections

Dependency

More information

To manage collection settings: Modify Collection Setting for the Collection Object. Note The Modify Folder permission is required for all collection folders, including the root folder.

See Also
Planning for Collections in Configuration Manager

Best Practices for Collections in Configuration Manager

Use the following best practices for collections in System Center 2012 Configuration Manager.

Do not use incremental updates for a large number of collections

When you enable the Use incremental updates for this collection option, this configuration might cause evaluation delays when you enable it for many collections. The threshold is about 200 collections. The exact number depends on the following factors: The total number of collections The frequency of new resources being added and changed in the hierarchy The number of clients in your hierarchy The complexity of collection membership rules in your hierarchy

Do not modify the built-in collections and instead, copy and then modify the pasted collection (Configuration Manager with no service pack)
If a default collection (such as All Desktop and Server Clients) does not meet your business requirements, do not modify the collection. Instead, copy and paste the collection, and then modify the new collection. This practice helps to troubleshoot collection queries and safeguards against the possibility that future upgrades might overwrite and change the built-in collections.
1996

In Configuration Manager SP1, the built-in collections are read-only and cannot be modified.

Make sure that maintenance windows are large enough to deploy critical software updates
You can configure maintenance windows for device collections to restrict the times that Configuration Manager can install software on these devices. If you configure the maintenance window to be too small, the client might not be able to install critical software updates, which leaves the client vulnerable to the attack that is mitigated by the software update.

See Also
Collections in Configuration Manager

Operations and Maintenance for Collections in Configuration Manager

Use the following topics in this section to help you create and manage collections in the System Center 2012 Configuration Manager hierarchy.

In this Section
How to Create Collections in Configuration Manager How to Manage Collections in Configuration Manager How to Use Maintenance Windows in Configuration Manager

See Also
Collections in Configuration Manager

How to Create Collections in Configuration Manager

Create collections in System Center 2012 Configuration Manager to represent logical groupings of users or devices. You can use collections to help you perform many tasks including application management, deploying compliance settings, or installing software updates. You can also use collections to manage groups of client settings or use them with role-based administration to specify the resources that an administrative user can access. Configuration Manager contains

1997

several built-in collections. For more information, see Introduction to Collections in Configuration Manager. Note A collection cannot contain both users and devices. The following table lists the rules that you can use to configure the members of a collection in Configuration Manager.
Membership rule type More information

Direct rule

Direct rules let you choose the users or computers that you want to add as members to a collection. This rule gives you direct control over which resources are members of the collection. This membership does not change unless a resource is removed from Configuration Manager. Configuration Manager must have discovered the resources or you must have imported the resources before you can add them to a direct rule collection. Direct rule collections have a higher administrative overhead than query rule collections because you must make changes to this collection type manually. Query rules dynamically update the membership of a collection based on a query that Configuration Manager runs on a schedule. For example, you can create a collection of users that are a member of the Human Resources organizational unit in Active Directory Domain Services. Unlike direct rule collections, this collection membership is automatically updated when new users are added to or removed from the Human Resources organizational unit. Tip For example queries that you can use to build collections, see the section Example WQL Queries in the topic How to Create Queries in Configuration Manager.

Query rule

Include collection rule

The include collection rule let you include the

1998

Membership rule type

More information

members of another collection in a Configuration Manager collection The membership of the current collection is updated on a schedule if the membership of the included collection has changed. Exclude collection rule The exclude collection rule let you exclude the members of another collection from a Configuration Manager collection. The membership of the current collection is updated on a schedule if the membership of the excluded collection has changed. Note If a collection includes both include collection and exclude collection rules and there is a conflict, the exclude collection rule takes priority over the include collection rule. Use the following procedures to help you create collections in Configuration Manager. You can also import collections that were created at this or another Configuration Manager site. For information about how to export collections, see How to Manage Collections in Configuration Manager. Note For Configuration Manager SP1 only: For information about creating collections for computers that run Linux and UNIX, see the Collections of Linux and UNIX Servers section in the How to Manage Linux and UNIX Clients in Configuration Manager topic. To create a device collection 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, click Device Collections. 3. On the Home tab, in the Create group, click Create Device Collection. 4. On the General page of the Create Device Collection Wizard, specify the following information: Name: Specify a unique name for the collection. Comment: Specify a description for the collection. Limiting collection: Click Browse to select a limiting collection. The collection that you are creating will only contain members from the limiting collection.
1999

5. On the Membership Rules page of the Create Device Collection Wizard, specify the following information: In the Add Rule list, select the type of membership rule that you want to use for this collection. You can configure multiple rules for each collection. Use the following procedures to configure each membership rule type. To configure a direct rule a. On the Search for Resources page of the Create Direct Membership Rule Wizard, specify the following information: Resource class: In the list, select the type of resource you want to search for and add to the collection. Select from System Resource values to search for inventory data returned from client computers or Unknown Computer to select from values returned by unknown computers. Attribute name: In the list, select the attribute associated with the selected resource class that you want to search for. For example, if you want to select computers by their NetBIOS name, select System Resource in the Resource class list and NetBIOS name in the Attribute name list. Exclude resources marked as obsolete If a client computer is marked as obsolete, do not include this value in the search results. Exclude resources that do not have the Configuration Manager client installed If the search results include a resource that does not have a Configuration Manager client installed, this value will not be displayed in the search results. Value: Enter a value for which you want to search the selected attribute name. You can use the percent character % as a wildcard. For example, if you wanted to search for computers that have a NetBIOS name beginning with M, enter M% in this field.

b. On the Select Resources page of the Create Direct Membership Rule Wizard, select the resources that you want to add to the collection in the Resources list, and then click Next. c. Complete the Create Direct Membership Rule Wizard.

To configure a query rule a. In the Query Rule Properties dialog box, specify the following information: Name: Specify a unique name for the query rule. Import Query Statement Opens the Browse Query dialog box where you can select a System Center 2012 Configuration Manager query to use as the query rule for the collection. For more
2000

information about queries, see Queries in Configuration Manager. Resource class: In the list, select the type of resource you want to search for and add to the collection. Select a value from System Resource values to search for inventory data returned from client computers or Unknown Computer to select from values returned by unknown computers. Edit Query Statement Opens the Query Statement Properties dialog box where you can author a query to use as the rule for the collection. For more information about queries, see Queries in Configuration Manager.

b. Click OK to close the Query Rule Properties dialog box and to save the query membership rule.

To configure an include collection rule a. In the Select Collections dialog box, select the collections you want to include in the new collection. b. Click OK to close the Select Collections dialog box and to save the include membership rule.

To configure an exclude collection rule a. In the Select Collections dialog box, select the collections you want to exclude from the new collection. b. Click OK to close the Select Collections dialog box and to save the exclude membership rule.

Use incremental updates for this collection Select this option to periodically scan for only new or changed resources from the previous collection evaluation and update the collection membership with only these resources, independently of a full collection evaluation. By default, incremental updates occur at 5 minute intervals. You can configure this interval by using the Evaluate Collection Members site maintenance task. Important Collections configured by using query rules that use the following classes do not support incremental updates:

SMS_G_System_CollectedFile SMS_G_System_LastSoftwareScan SMS_G_System_AppClientState SMS_G_System_DCMDeploymentState

2001

SMS_G_System_DCMDeploymentErrorAssetDetails SMS_G_System_DCMDeploymentCompliantAssetDetails SMS_G_System_DCMDeploymentNonCompliantAssetDetails SMS_G_User_DCMDeploymentCompliantAssetDetails (for collections of users only) SMS_G_User_DCMDeploymentNonCompliantAssetDetails (for collections of users only) SMS_G_System_SoftwareUsageData SMS_G_System_CI_ComplianceState SMS_G_System_EndpointProtectionStatus SMS_GH_System_* SMS_GEH_System_* Schedule a full update on this collection Select this option to schedule a regular full evaluation of the collection membership.

6. Complete the wizard to create the new collection. The new collection is displayed in the Device Collections node of the Assets and Compliance workspace. To create a user collection 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, click User Collections. 3. On the Home tab, in the Create group, click Create User Collection. 4. On the General page of the Create User Collection Wizard, specify the following information: Name: Specify a unique name for the collection. Comment: Specify a description for the collection. Limiting collection: Click Browse to select a limiting collection. The collection you are creating will only contain members from the limiting collection.

5. On the Membership Rules page of the Create User Collection Wizard, specify the following information: In the Add Rule list, select the type of membership rule you want to use for this collection. You can configure multiple rules for each collection. Use the following procedures to configure each membership rule type. To configure a direct rule a. On the Search for Resources page of the Create Direct Membership Rule Wizard, specify the following information: Resource class: In the list, select the type of resource you want to search for and add to the collection. Select from System Resource values to search for inventory data returned from client computers or Unknown Computer to select from values returned by unknown computers.
2002

Attribute name: In the list, select the attribute associated with the selected resource class that you want to search for. For example, if you want to select computers by their NetBIOS name, select System Resource in the Resource class list and NetBIOS name in the Attribute name list. Exclude resources marked as obsolete If a client computer is marked as obsolete, do not include this in the search results. Exclude resources that do not have the Configuration Manager client installed If the search results include a resource that does not have a Configuration Manager client installed, this resource is not displayed in the search results. Value: Enter a value that you want to search the selected attribute name for. You can use the percent character % as a wildcard. For example, if you wanted to search for computers that have a NetBIOS name beginning with M, enter M% in this field.

b. On the Select Resources page of the Create Direct Membership Rule Wizard, select the resources that you want to add to the collection in the Resources list, and then click Next. c. Complete the Create Direct Membership Rule Wizard.

To configure a query rule a. In the Query Rule Properties dialog box, specify the following information: Name: Specify a unique name for the query rule. Import Query Statement Opens the Browse Query dialog box where you can select a System Center 2012 Configuration Manager query to use as the query rule for the collection. For more information about queries, see Queries in Configuration Manager. Resource class: In the list, select the type of resource you want to search for and add to the collection. Select from System Resource values to search for inventory data returned from client computers or Unknown Computer to select from values returned by unknown computers. Edit Query Statement Opens the Query Statement Properties dialog box where you can author a query to use as the rule for the collection. For more information about queries, see Queries in Configuration Manager.

b. Click OK to close the Query Rule Properties dialog box and to save the query membership rule.

2003

To configure an include collection rule a. In the Select Collections dialog box, select the collections you want to include in the new collection. b. Click OK to close the Select Collections dialog box and to save the include membership rule.

To configure an exclude collection rule a. In the Select Collections dialog box, select the collections you want to exclude from the new collection. b. Click OK to close the Select Collections dialog box and to save the exclude membership rule.

Use incremental updates for this collection Select this option to periodically scan for only new or changed resources from the previous collection evaluation and update the collection membership with only these resources, independently of a full collection evaluation. By default, incremental updates occur at 5 minute intervals. You can configure this interval by using the Evaluate Collection Members site maintenance task. Important Collections configured by using query rules that use the following classes do not support incremental updates:

SMS_G_System_CollectedFile SMS_G_System_LastSoftwareScan SMS_G_System_AppClientState SMS_G_System_DCMDeploymentState SMS_G_System_DCMDeploymentErrorAssetDetails SMS_G_System_DCMDeploymentCompliantAssetDetails SMS_G_System_DCMDeploymentNonCompliantAssetDetails SMS_G_User_DCMDeploymentCompliantAssetDetails (for collections of users only) SMS_G_User_DCMDeploymentNonCompliantAssetDetails (for collections of users only) SMS_G_System_SoftwareUsageData SMS_G_System_CI_ComplianceState SMS_G_System_EndpointProtectionStatus SMS_GH_System_* SMS_GEH_System_* Schedule a full update on this collection Select this option to schedule a regular
2004

full evaluation of the collection membership. 6. Complete the wizard to create the new collection. The new collection is displayed in the User Collections node of the Assets and Compliance workspace. To import a collection 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, click User Collections or Device Collections. 3. On the Home tab, in the Create group, click Import Collections. 4. On the General page of the Import Collections Wizard, click Next. 5. On the MOF File Name page, click Browse and then browse to the MOF file that contains the collection information you want to import. Note The file you want to import must have been exported from a site running the same version of Configuration Manager as this one. For more information about exporting collections, see How to Manage Collections in Configuration Manager. 6. Complete the wizard to import the collection. The new collection is displayed in the User Collections of Device Collections node of the Assets and Compliance workspace.

See Also
Operations and Maintenance for Collections in Configuration Manager

How to Manage Collections in Configuration Manager

Use the overview information in this topic to help you perform management tasks for collections in System Center 2012 Configuration Manager. Note For information about how to create Configuration Manager collections, see How to Create Collections in Configuration Manager.

How to Manage Device Collections

In the Assets and Compliance workspace, select Device Collections, select the collection to manage, and then select a management task. Use the following table for more information about the management tasks that might require some information before you select them.
2005

Management task

Details

More information

Show Members

Displays all of the resources that are members of the selected collection in a temporary node under the Devices node. Provides the following options to perform one of the following actions: Add Selected Items to Existing Device Collection Opens the Select Collection dialog box where you can select the collection to which you want to add the members of the selected collection. The selected collection is included in this collection by using an Include Collections membership rule. Add Selected Items to New Device Collection Opens the Create Device Collection Wizard where you can create a new collection. The selected collection is included in this collection by using an Include Collections membership rule.

No additional information.

Add Selected Items

How to Create Collections in Configuration Manager

Install Client

Opens the Install Client Wizard How to Install Configuration which uses client push installation Manager Clients by Using to install a Configuration Manager Client Push client on all computers in the selected collection. Opens the Manage User Device Affinity Requests dialog box where you can approve or reject pending requests to establish user device affinities for devices in the selected collection. How to Manage User Device Affinity in Configuration Manager

Manage Affinity Requests

2006

Management task

Details

More information

Manage Out of Band

Provides the following options for using out of band management on computers in the selected collection: Discover AMT Status Power Control Clear Audit Log

Out of Band Management in Configuration Manager

Clear Required PXE Deployments

Clears any required PXE boot deployments from all members of the selected collection.

Operating System Deployment in Configuration Manager

Update Membership

Evaluates the membership for the No additional information. selected collection. For collections with many members, this update might take some time to finish. Use the Refresh action to update the display with the new collections members after the update is completed. Opens the Add Resources to Collection dialog box where you can search for new resources to add to the selected collection. Note The icon for the selected collection displays an hourglass symbol while the update is in progress. No additional information.

Add Resources

Endpoint Protection

Performs a full or quick antimalware scan or downloads the latest antimalware definitions to computers in the selected collection. Opens the Export Collection Wizard that helps you export this collection to a Managed Object Format (MOF) file that can then be archived or used at another Configuration Manager site.

Endpoint Protection in Configuration Manager

Export

No additional information.

2007

Management task

Details

More information

Important When you export a collection, collections that are referenced by the selected collection through the use of an Include or Exclude rule are not exported. Copy Creates a copy of the selected collection. The new collection uses the selected collection as a limiting collection. Deletes the selected collection. You can also delete all of the resources in the collection from the site database. Note You cannot delete the collections that are built into Configuration Manager. Simulate Deployment Opens the Simulate Application Deployment Wizard which lets you test the results of an application deployment without installing or uninstalling the application. Displays the following options: Application Opens the Deploy Software Wizard where you can select and configure an application deployment to the selected collection. How to Simulate an Application Deployment in Configuration Manager No additional information.

Delete

For a list of the built-in collections, see Introduction to Collections in Configuration Manager.

Deploy

How to Deploy Applications in Configuration Manager How to Deploy Packages and Programs in Configuration Manager

How to Deploy Configuration Baselines in Configuration Program - Opens the Deploy Manager Software Wizard where you Planning a Task Sequences can select and configure a Strategy in Configuration package and program Manager deployment to the selected
2008

Management task

Details

More information

collection. Configuration Baseline Opens the Deploy Configuration Baselines dialog box where you can configure the deployment of one or more configuration baselines to the selected collection. Task Sequence - Opens the Deploy Software Wizard where you can select and configure a task sequence deployment to the selected collection. Software Updates Opens the Deploy Software Updates Wizard where you can configure the deployment of software updates to resources in the selected collection.

Operations and Maintenance for Software Updates in Configuration Manager

How to Manage User Collections

In the Assets and Compliance workspace, select User Collections, select the collection to manage, and then select a management task. Use the following table for more information about the management tasks that might require some information before you select them.
Management task Details More information

Show Members

Displays all of the resources that are members of the selected collection in a temporary node under the Users node. This option lets you perform one of the following actions: Add Selected Items to Existing User Collection Opens the Select Collection

No additional information.

Add Selected Items

How to Create Collections in Configuration Manager

2009

Management task

Details

More information

dialog box where you can select the collection to which you want to add the members of the selected collection. The selected collection is included in this collection by using an Include Collections membership rule. Add Selected Items to New User Collection Opens the Create User Collection Wizard where you can create a new collection. The selected collection is included in this collection by using an Include Collections membership rule. How to Manage User Device Affinity in Configuration Manager

Manage Affinity Requests

Opens the Manage User Device Affinity Requests dialog box where you can approve or reject pending requests to establish user device affinities for users in the selected collection.

Update Membership

Evaluates the membership for the No additional information. selected collection. For collections with many members, this update might take some time to finish. Use the Refresh action to update the display with the new collections members after the update is completed. Note The icon for the selected collection displays an hourglass symbol while the update is in progress.

Add Resources

Opens the Add Resources to Collection dialog box where you can search for new resources to add to the selected collection.

No additional information.

2010

Management task

Details

More information

Export

Opens the Export Collection Wizard that helps you to export this collection to a Managed Object Format (MOF) file that can then be archived or used at another Configuration Manager site. Important When you export a collection, collections that are referenced by the selected collection through the use of an Include or Exclude rule are not exported.

No additional information.

Copy

Creates a copy of the selected collection. The new collection uses the selected collection as a limiting collection. Deletes the selected collection. You can also delete all of the resources in the collection from the site database. Note You cannot delete the collections that are built into Configuration Manager.

No additional information.

Delete

For a list of the built-in collections, see Introduction to Collections in Configuration Manager.

Simulate Deployment

Opens the Simulate Application Deployment Wizard which lets you test the results of an application deployment without installing or uninstalling the application. Displays the following options: Application Opens the Deploy Software Wizard where you can select and

How to Simulate an Application Deployment in Configuration Manager

Deploy

How to Deploy Applications in Configuration Manager How to Deploy Packages and Programs in Configuration
2011

Management task

Details

More information

configure an application deployment to the selected collection.

Manager

How to Deploy Configuration Baselines in Configuration Program - Opens the Deploy Manager Software Wizard where you can select and configure a package and program deployment to the selected collection. Configuration Baseline Opens the Deploy Configuration Baselines dialog box where you can configure the deployment of one or more configuration baselines to the selected collection.

Collection Properties
When you open the Properties dialog box for a collection, you can view and configure the following properties for a collection.
Tab name More information

General

Lets you view and configure general information about the selected collection including the collection name and the limiting collection. Lets you configure the membership rules that define the membership of this collection. For more information, see How to Create Collections in Configuration Manager. Lets you configure power management plans that are assigned to computers in the selected collection. For more information, see Power Management in Configuration Manager. Displays any software that has been deployed to members of the selected collection. Lets you view and configure maintenance
2012

Membership Rules

Power Management

Deployments

Maintenance Windows

Tab name

More information

windows that are applied to members of the selected collection. For more information, see How to Use Maintenance Windows in Configuration Manager. Collection Variables Lets you configure variables that apply to this collection and can be used by task sequences. For more information, see How to Manage Task Sequences in Configuration Manager. If an out of band service point is installed, this option enables members of the selected collection for provisioning for AMT-based computers. For more information, see Out of Band Management in Configuration Manager. Lets you associate one or more distribution point groups to members of the selected collection. For more information, see Content Management in Configuration Manager. Displays the administrative users who have permissions for the selected collection from associated roles and security scopes. Lets you configure when alerts are generated for client status and Endpoint Protection. For more information, see How to Configure Client Status in Configuration Manager and How to Configure Alerts for Endpoint Protection in Configuration Manager.

Out of Band Management

Distribution Point Groups

Security

Monitor

See Also
Operations and Maintenance for Collections in Configuration Manager

How to Use Maintenance Windows in Configuration Manager

Maintenance windows in System Center 2012 Configuration Manager provide a means by which administrative users can define a time period when various Configuration Manager operations
2013

can be carried out on members of a device collection. You can use maintenance windows to help ensure that client configuration changes occur during periods that do not affect the productivity of the organization. The following Configuration Manager operations support maintenance windows: Software deployments Software update deployments Compliance settings deployment and evaluation Operating system deployments Task sequence deployments

Maintenance windows are configured for a collection with a start date, a start and finish time, and a recurrence pattern. Each maintenance window must have a duration of less than 24 hours. By default, computer restarts caused by a deployment are not allowed outside of a maintenance window, but you can override the default in the settings for each deployment. Maintenance windows affect only the time when the deployment program runs; applications configured to download and run locally can download content outside of the maintenance window. When a client computer is a member of a device collection that has a maintenance window configured, a deployment program runs only if the maximum allowed run time does not exceed the duration configured for the maintenance window. If the program fails to run, an alert is generated and the deployment is rerun during the next scheduled maintenance window that has available time.

Using Multiple Maintenance Windows

When a client computer is a member of multiple device collections that have configured maintenance windows, the following rules apply: If the maintenance windows do not overlap, they are treated as two independent maintenance windows. If the maintenance windows overlap, they are treated as a single maintenance window encompassing the time period covered by both maintenance windows. For example, if two maintenance windows, each an hour in duration overlap by 30 minutes, the effective duration of the maintenance window would be 90 minutes.

When a user initiates an application installation from Software Center, the application is installed immediately, regardless of any configured maintenance windows. If an application deployment with a purpose of Required reaches its installation deadline during the nonbusiness hours configured by a user in Software Center, it is installed regardless of the configured nonbusiness hours. How to configure maintenance windows in Configuration Manager 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, click Device Collections. 3. In the Device Collections list, select the collection for which you want to configure a
2014

maintenance window. 4. On the Home tab, in the Properties group, click Properties. 5. In the Maintenance Windows tab of the <collection name> Properties dialog box, click the New icon. Note You cannot create maintenance windows for the All Systems collection. 6. In the <new> Schedule dialog box, specify a name, a schedule, and a recurrence pattern for the maintenance window. You can also enable the option to apply the schedule to only task sequences. 7. Click OK to close the <new> Schedule dialog box and create the new maintenance window. 8. Close the <collection name> Properties dialog box.

See Also
Operations and Maintenance for Collections in Configuration Manager

Security and Privacy for Collections in Configuration Manager

This topic contains security best practices and privacy information for collections in System Center 2012 Configuration Manager. There is no privacy information specifically for collections in Configuration Manager. Collections are containers for resources, such as users and devices. Collection membership often depends on the information that Configuration Manager collects during standard operation. For example, by using resource information that has been collected from discovery or inventory, a collection can be configured to contain the devices that meet specified criteria. Collections might also be based on the current status information for client management operations, such as deploying software and checking for compliance. In addition to these query-based collections, administrative users can also add resources to collections. For more information about collections, see Introduction to Collections in Configuration Manager. For more information about any security best practices and privacy information for Configuration Manager operations that can be used to configure collection membership, see Security Best Practices and Privacy Information for Configuration Manager.

Security Best Practices for Collections

Use the following security best practice for collections.

2015

Security best practice

More information

When you export or import a collection by using a Managed Object Format (MOF) file that is saved to a network location, secure the location, and secure the network channel.

Restricts who can access the network folder. Use Server Message Block (SMB) signing or Internet Protocol security (IPsec) between the network location and the site server to prevent an attacker from tampering with the exported collection data. Use IPsec to encrypt the data on the network to prevent information disclosure.

Security Issues for Collections

Collections have the following security issues: If you use collection variables, local administrators can read potentially sensitive information. Collection variables can be used when you deploy an operating system.

See Also
Collections in Configuration Manager

Technical Reference for Collections in Configuration Manager

There is currently no technical reference information for collections in System Center 2012 Configuration Manager.

See Also
Collections in Configuration Manager

Queries in Configuration Manager

Queries in System Center 2012 Configuration Manager return information from the site database based on criteria that you specify. You can use queries to retrieve information about resources in your site or about inventory data and status messages.

2016

Queries Topics
Use the following topics to help you use queries in Configuration Manager. Introduction to Queries in Configuration Manager Operations and Maintenance for Queries in Configuration Manager Security and Privacy for Queries in Configuration Manager Technical Reference for Queries in Configuration Manager

Other Resources for this Product

TechNet Library main page for System Center 2012 Configuration Manager Assets and Compliance in System Center 2012 Configuration Manager

Introduction to Queries in Configuration Manager

You can create and run queries to locate objects in a System Center 2012 Configuration Manager hierarchy that match your query criteria. These objects include items such as specific types of computers or user groups. Queries can return most types of Configuration Manager objects, which include sites, collections, applications, and inventory data. When you create a query, you must specify a minimum of two parameters: where you want to search and what you want to search for. For example, to find the amount of hard disk space that is available on all computers in a Configuration Manager site, you can create a query to search the Logical Disk attribute class and the Free Space (MB) attribute for available hard disk space. After you create an initial query, you can specify additional query criteria. For example, you can specify that the query results include only computers that are assigned to a specified site. You can also modify how results are displayed so that you can view the results in an order that is meaningful to you. For example, you can specify that the results are sorted by the amount of free hard disk space in either ascending or descending order. When you create a query, it is stored by Configuration Manager and displayed in the Queries node in the Monitoring workspace. From this location, you can create a new query and then run, update, or manage an existing query. You can also import a query into a query rule in a Configuration Manager collection. For more information, see How to Create Collections in Configuration Manager.

Whats New in Configuration Manager

Note The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide.
2017

The following items are new or have changed for queries since Configuration Manager 2007: The option to export the results of a query is not available in this release. As a workaround, you can copy the query results to the Windows clipboard.

See Also
Queries in Configuration Manager

Operations and Maintenance for Queries in Configuration Manager

Use the following topics in this section for operations and maintenance information for queries in System Center 2012 Configuration Manager.

In This Section
How to Create Queries in Configuration Manager How to Manage Queries in Configuration Manager

See Also
Queries in Configuration Manager

How to Create Queries in Configuration Manager

Use the following sections in this topic to help you create or import queries in System Center 2012 Configuration Manager. How to Create Queries How to Import Queries Example WQL Queries

How to Create Queries

Use this procedure to help you create queries in Configuration Manager. To create a query 1. In the Configuration Manager console, click Monitoring.
2018

2. In the Monitoring workspace, click Queries and then, in the Home tab, in the Create group, click Create Query. 3. On the General tab of the Create Query Wizard, specify a unique name and an optional comment for the query. 4. If you want to import an existing query to use as a basis for the new query, click Import Query Statement and then, in the Browse Query dialog box, select an existing query that you want to import, and then click OK. 5. In the Object Type list, select the type of object you want the query to return. The following table describes some examples of the type of object you can search for:
Object type Description

System Resource

Use to search for typical system attributes, such as the NetBIOS name of a device, the client version, the client IP address, and Active Directory Domain Services information. Use to search for typical user information such as user names, user group names, and security group names. Use to search for typical attributes of a deployment, such as the deployment name, schedule, and the collection to which it was deployed.

User Resource

Deployment

6. Click Edit Query Statement to open the <Query Name> Statement Properties dialog box. 7. On the General tab in the <Query Name> Statement Properties dialog box, specify the attributes that this query returns and how they are to be displayed. Click the New icon to add a new attribute. You can also click Show Query Language to enter or edit the query directly in WMI Query Language (WQL). For examples of WMI queries, see the Example WQL Queries section in this topic. Tip You can use the following MSDN reference documentation to help you construct your own WQL queries: WQL (SQL for WMI) WHERE Clause WQL Operators

8. On the Criteria tab of the <Query Name> Statement Properties dialog box, specify criteria that are used to refine the results of the query. For example, you could return only resources that have a site code of XYZ in the query results. You can configure multiple
2019

criteria for a query. Important If you create a query that contains no criteria, the query will return all devices in the All Systems collection. 9. On the Joins tab in the <Query Name> Statement Properties dialog box, you can combine data from two different attributes into your query results. Although Configuration Manager automatically creates query joins when you choose different attributes for your query result, the Joins tab provides more advanced options. The attribute classes supported by System Center 2012 Configuration Manager are shown in the following table:
Join type Description

Inner

Displays only matching results always used by joins that are created automatically. Displays all results for the base attribute and only the matching results for the join attribute. Displays all the results for the join attribute and only the matching results for the base attribute. Displays all the results for both the base attribute and the join attribute.

Left

Right

Full

For more information about how to use Join operations, see your SQL Server documentation. 10. Click OK to close the <Query Name> Statement Properties dialog box. 11. On the General tab of the Create Query Wizard, specify whether the results of this query are not limited to the members of a collection, are limited to the members of a specified collection, or prompt for a collection each time the query is run. 12. Complete the wizard to create the query. The new query is displayed in the Queries node in the Monitoring workspace.

How to Import Queries

Use this procedure to help you import a query into Configuration Manager. For information about how to export queries, see How to Manage Queries in Configuration Manager. To import a query

2020

1. In the Configuration Manager console, click Monitoring. 2. In the Monitoring workspace, click Queries and then, in the Home tab, in the Create group, click Import Objects. 3. On the MOF File Name page of the Import Objects Wizard, click Browse to select the Managed Object Format (MOF) file containing the query that you want to import. 4. Review information about the query to be imported and then complete the wizard. The new query is displayed in the Queries node in the Monitoring workspace.

Example WQL Queries

This section contains example WMI queries that you can use in your hierarchy or modify for other purposes. To use these queries, click Show Query Language in the Query Statement Properties dialog box, and then copy and paste the query into the Query Statement field. Tip Use the wildcard character % to signify any string of characters. For example, %Visio% returns Microsoft Office Visio 2010.

Computers that run Windows 7

Use the following query to return the NetBIOS name and operating system version of all computers that run Windows 7. Tip To return computers that run Windows Server 2008 R2, change %Workstation 6.1% to %Server 6.1%.
select SMS_R_System.NetbiosName, SMS_R_System.OperatingSystemNameandVersion from SMS_R_System where SMS_R_System.OperatingSystemNameandVersion like "%Workstation 6.1%"

Computers with a specific software package installed

Use the following query to return the NetBIOS name and software package name of all computers that have a specific software package installed. This example displays all computers with a version of Microsoft Visio installed. Replace %Visio% with the software package you want to query for. Tip This query searches for the software package by using the names that are displayed in the programs list in Windows Control Panel.
select SMS_R_System.NetbiosName, SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName from 2021

SMS_R_System inner join SMS_G_System_ADD_REMOVE_PROGRAMS on SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceId = SMS_R_System.ResourceId where SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName like "%Visio%"

Computers that are in a specific Active Directory Domain Services Organizational Unit (OU)
Use the following query to return the NetBIOS name and OU name of all computers in a specified OU. Replace the text OU Name with the name of the OU that you want to query for.
select SMS_R_System.NetbiosName, SMS_R_System.SystemOUName from SMS_R_System where SMS_R_System.SystemOUName = "OU Name"

Computers with a specific NetBIOS name

Use the following query to return the NetBIOS name of all computers that begin with a specific string of characters. In this example, the query returns all computers with a NetBIOS name that begins with ABC.
select SMS_R_System.NetbiosName from SMS_R_System where SMS_R_System.NetbiosName like "ABC%"

Devices of a specific type

Device types are stored in the Configuration Manager database under the resource class sms_r_system and the attribute name AgentEdition. Use the following query to retrieve only the devices that match the agent edition of the device type you specify:
Select SMS_R_System.ClientEdition from SMS_R_System where SMS_R_System.ClientEdition = <Device ID>

Use one of the following values for <Device ID>:

Device type Value of AgentEdition

Windows Desktop or laptop computer Mac computer Windows ARM-based device Windows Phone Windows Mobile 6.5

12 5 1 4 2
2022

Device type

Value of AgentEdition

Nokia Symbian Managed by Exchange Connector Windows CE Windows Embedded iOS Android Intel System on a Chip devices Unix and Linux servers

3 0 6 7 8 9 10 11

For example, if you want the query to return only Mac computers, use the following query:
Select SMS_R_System.ClientEdition from SMS_R_System where SMS_R_System.ClientEdition = 5

See Also
Operations and Maintenance for Queries in Configuration Manager

How to Manage Queries in Configuration Manager

Use the information in this topic to help you manage queries in System Center 2012 Configuration Manager. For information about how to create queries, see How to Create Queries in Configuration Manager.

How to Manage Queries

In the Monitoring workspace, select Queries, select the query to manage, and then select a management task. Use the following table for more information about the management tasks that might require some information before you select them.
Management task Details More information

Run

Runs the selected query and displays the results in the

No additional information.

2023

Management task

Details

More information

Configuration Manager console. Install Client Opens the Install Client Wizard that lets you install the Configuration Manager client on computers returned by the selected query. Important This option is not available for queries that return mobile devices, users, or user groups. Export Opens the Export Objects Wizard that lets you export this query to a Managed Object Format (MOF) file that can then be imported at another site. Opens the Move Selected Items dialog box where you can move the selected query to a folder that you previously created under the Queries node. No additional information. For more information about how to install Configuration Manager clients by using client push, see How to Install Configuration Manager Clients by Using Client Push.

Move

No additional information.

See Also
Operations and Maintenance for Queries in Configuration Manager

Security and Privacy for Queries in Configuration Manager

Queries in Configuration Manager let you retrieve information from the site database based on the criteria that you specify. Configuration Manager collects the site database information during standard operation. For example, by using information that has been collected from discovery or inventory, you can configure a query to identify devices that meet specified criteria. For more information about queries, see Introduction to Queries in Configuration Manager. For more information about any security best practices and privacy information for Configuration
2024

Manager operations that collect the information that you can retrieve by using queries, see Security Best Practices and Privacy Information for Configuration Manager.

Security Best Practices for Queries

Use the following security best practice for queries.
Security best practice More information

When you export or import a query that is Restrict who can access the network folder. saved to a network location, secure the location Use server message block (SMB) signing or and secure the network channel. Internet Protocol Security (IPsec) between the network location and the site server to prevent an attacker from tampering with the query data before it is imported.

See Also
Queries in Configuration Manager

Technical Reference for Queries in Configuration Manager

There is currently no technical reference information for queries in System Center 2012 Configuration Manager.

See Also
Queries in Configuration Manager

Inventory in Configuration Manager

You can use a number of methods in System Center 2012 Configuration Manager to inventory hardware and software in your organization. Use hardware inventory for detailed information about the hardware of client computers and mobile devices that are enrolled by Configuration Manager. Use software inventory for information about software and files present on client computers. Asset Intelligence extends these inventory capabilities to help you manage licenses for software in the enterprise.

2025

Inventory Topics
Use the following topics to help you find information about hardware inventory, software inventory, and Asset Intelligence in Configuration Manager. Hardware Inventory in Configuration Manager Software Inventory in Configuration Manager Asset Intelligence in Configuration Manager

Other Resources for this Product

TechNet Library main page for System Center 2012 Configuration Manager Assets and Compliance in System Center 2012 Configuration Manager

Hardware Inventory in Configuration Manager

Use System Center 2012 Configuration Manager hardware inventory to collect detailed information about the hardware of client devices in your enterprise.

In This Section
Use the following topics to help you plan, configure, operate and maintain, and troubleshoot hardware inventory in System Center 2012 Configuration Manager. Introduction to Hardware Inventory in Configuration Manager Planning for Hardware Inventory in Configuration Manager Configuring Hardware Inventory in Configuration Manager Operations and Maintenance for Hardware Inventory in Configuration Manager Hardware Inventory for Linux and UNIX in Configuration Manager Security and Privacy for Hardware Inventory in Configuration Manager Technical Reference for Hardware Inventory in Configuration Manager

See Also
Inventory in Configuration Manager

2026

Introduction to Hardware Inventory in Configuration Manager

Use hardware inventory in System Center 2012 Configuration Manager to collect information about the hardware configuration of client devices in your organization. To collect hardware inventory, the Enable hardware inventory on clients setting must be enabled in client settings. After hardware inventory is enabled and a hardware inventory cycle is run by the client, the client sends the inventory information that it has collected to a management point in the clients site. The management point then forwards the inventory information to the Configuration Manager site server which stores the inventory information in the site database. Hardware inventory runs on clients according to the schedule that you specify in client settings. You can use several methods to view the hardware inventory data that System Center 2012 Configuration Manager collects. These include the following: Create queries that return devices that are based on a specific hardware configuration. For more information, see Queries in Configuration Manager. Create query-based collections that are based on a specific hardware configuration. Querybased collection memberships automatically update on a schedule. You can use collections for several tasks, which include software deployment. For more information, see Collections in Configuration Manager. Run reports that display specific details about hardware configurations in your organization. For more information, see Reporting in Configuration Manager. Use Resource Explorer to view detailed information about the hardware inventory that is collected from client devices. For more information, see How to Use Resource Explorer to View Hardware Inventory in Configuration Manager.

When hardware inventory runs on a client device, the first inventory data that the client returns is always a full inventory. Subsequent inventory information contains only delta inventory information. The site server processes delta inventory information in the order in which it is received. If delta inventory information for a client is missing, the site server rejects additional delta inventory information and instructs the client to run a full inventory cycle. Configuration Manager provides limited support for dual-boot computers. Configuration Manager can discover dual-boot computers but only returns inventory information from the operating system that was active at the time the inventory cycle ran. Note For Configuration Manager SP1 only: For information about how to use hardware inventory with clients that run Linux and UNIX, see Hardware Inventory for Linux and UNIX in Configuration Manager.

2027

Extending Configuration Manager Hardware Inventory

In addition to the built-in hardware inventory in Configuration Manager, you can also use one of the following methods to extend hardware inventory to collect additional information:
Method Description

Add and remove inventory classes from the Configuration Manager console

In System Center 2012 Configuration Manager, you can enable, disable, add and remove inventory classes for hardware inventory from the Configuration Manager console. Use NOIDMIF files to collect information about client devices that cannot be inventoried by Configuration Manager. For example, you might want to collect device asset number information that exists only as a label on the device. NOIDMIF inventory is automatically associated with the client device that it was collected from. Use IDMIF files to collect information about assets in your organization that are not associated with a Configuration Manager client, for example, projectors, photocopiers and network printers.

NOIDMIF files

IDMIF files

For more information about using these methods to extend Configuration Manager hardware inventory, see How to Extend Hardware Inventory in Configuration Manager.

Whats New in Configuration Manager

Note The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide. The following items are new or have changed for hardware inventory since Configuration Manager 2007: In System Center 2012 Configuration Manager, you can enable custom hardware inventory, and add and import new inventory classes from the Configuration Manager console. The sms_def.mof file is no longer used to customize hardware inventory. You can extend the inventory schema by adding or importing new classes. Different hardware inventory settings can be applied to collections of devices by using client settings.
2028

See Also
Hardware Inventory in Configuration Manager

Planning for Hardware Inventory in Configuration Manager

Review the information in this section to help you plan for hardware inventory in System Center 2012 Configuration Manager.

In this Section
Prerequisites for Hardware Inventory in Configuration Manager Best Practices for Hardware Inventory in Configuration Manager

See Also
Hardware Inventory in Configuration Manager

Prerequisites for Hardware Inventory in Configuration Manager

Hardware inventory in System Center 2012 Configuration Manager contains only dependencies within the product.

Configuration Manager Dependencies

Dependency More information

Hardware inventory must be enabled for clients to collect inventory

For information about how to enable and configure hardware inventory, see How to Configure Hardware Inventory in Configuration Manager. The reporting services point site system role must be installed before you can run reports for hardware inventory. For more information, see Reporting in Configuration Manager.

Reporting services point

2029

See Also
Planning for Hardware Inventory in Configuration Manager

Best Practices for Hardware Inventory in Configuration Manager

Use the following best practices information to help you use hardware inventory in System Center 2012 Configuration Manager.

Enable MIF file collection only when required

MIF files could contain large amounts of data and collecting this data could negatively affect the performance of your site. Enable MIF file collection only when required and configure the option Maximum custom MIF file size (KB) in the hardware inventory client settings. For more information, see How to Configure Hardware Inventory in Configuration Manager.

See Also
Planning for Hardware Inventory in Configuration Manager

Configuring Hardware Inventory in Configuration Manager

Use the following topics to help you configure hardware inventory in System Center 2012 Configuration Manager.

In This Section
How to Configure Hardware Inventory in Configuration Manager How to Extend Hardware Inventory in Configuration Manager

See Also
Hardware Inventory in Configuration Manager

2030

How to Configure Hardware Inventory in Configuration Manager

Use the following steps to configure System Center 2012 Configuration Manager hardware inventory for your site. This procedure configures the default client settings for hardware inventory and will apply to all the clients in your hierarchy. If you want these settings to apply to only some clients, create a custom device client setting and assign it to a collection that contains the devices that you want to use hardware inventory. For more information about how to create custom device settings, see How to Configure Client Settings in Configuration Manager. Note If a client device receives hardware inventory settings from multiple sets of client settings, then the hardware inventory classes from each set of settings will be merged when the client reports hardware inventory. To configure hardware inventory 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, click Client Settings. 3. Click Default Client Settings. 4. On the Home tab, in the Properties group, click Properties. 5. In the Default Settings dialog box, click Hardware Inventory. 6. In the Device Settings list, configure the following: Enable hardware inventory on clients - From the drop-down list, select True. Hardware inventory schedule Specify the interval at which clients collect hardware inventory. Use the default value of 7 days or click Schedule to configure a custom interval.

7. Configure any other client settings that you require. For a list of hardware inventory client settings that you can configure, see the Hardware Inventory section in the About Client Settings in Configuration Manager topic. 8. Click OK to close the Default Settings dialog box. Client devices will be configured with these settings when they next download client policy. To initiate policy retrieval for a single client, see the Initiate Policy Retrieval for a Configuration Manager Client section in the How to Manage Clients in Configuration Manager topic.

See Also
Configuring Hardware Inventory in Configuration Manager

2031

How to Extend Hardware Inventory in Configuration Manager

System Center 2012 Configuration Manager hardware inventory reads information about devices by using Windows Management Instrumentation (WMI). WMI is the Microsoft implementation of web-based Enterprise Management (WBEM), which is an industry standard for accessing management information in an enterprise environment. In previous versions of Configuration Manager, you could extend hardware inventory by modifying the file sms_def.mof on the site server. This file contained a list of WMI classes that could be read by Configuration Manager hardware inventory. If you edited this file, you could enable and disable existing classes, and also create new classes to inventory. The Configuration.mof file is used to define the data classes to be inventoried by hardware inventory on the client and is unchanged from Configuration Manager 2007. You can create data classes to inventory existing or custom WMI repository data classes or registry keys present on client systems. The Configuration.mof file also defines and registers the WMI providers that access device information during hardware inventory. Registering providers defines the type of provider to be used and the classes that the provider supports. When Configuration Manager clients request policy, for example, during their standard client policy polling interval, the Configuration.mof is attached to the policy body. This file is then downloaded and compiled by clients. When you add, modify, or delete data classes from the Configuration.mof file, clients automatically compile these changes that are made to inventoryrelated data classes. No further action is necessary to inventory new or modified data classes on Configuration Manager clients. In System Center 2012 Configuration Manager, you no longer edit the sms_def.mof file as you did in Configuration Manager 2007. Instead, you can enable and disable WMI classes, and add new classes to collect by hardware inventory by using client settings. Configuration Manager provides the following methods to extend hardware inventory.
Method More information

Enable or disable existing inventory classes

You can enable or disable the default inventory classes used by Configuration Manager or you can create custom client settings that allow you to collect different hardware inventory classes from specified collections of clients. For more information, see the To enable or disable existing inventory classes procedure in this topic. You can add a new inventory class from the
2032

Add a new inventory class

Method

More information

WMI namespace of another device. For more information, see the To add a new inventory class procedure in this topic. Import and export hardware inventory classes You can import and export Managed Object Format (MOF) files that contain inventory classes from the Configuration Manager console. For more information, see the To import hardware inventory classes and To export hardware inventory classes procedures in this topic. Use NOIDMIF files to collect information about client devices that cannot be inventoried by Configuration Manager. For example, you might want to collect device asset number information that exists only as a label on the device. NOIDMIF inventory is automatically associated with the client device that it was collected from. For more information, see To create NOIDMIF files in this topic. Use IDMIF files to collect information about assets in your organization that are not associated with a Configuration Manager client, for example, projectors, photocopiers and network printers. For more information, see To create IDMIF files in this topic.

Create NOIDMIF Files

Create IDMIF Files

Procedures to Extend Hardware Inventory

Use the following procedures to extend hardware inventory, as described in the preceding table. These procedures help you to configure the default client settings for hardware inventory and they apply to all the clients in your hierarchy. If you want these settings to apply to only some clients, create a custom client device setting and assign it to a collection that contains the devices that you want to inventory. For more information about how to create custom client settings, see How to Configure Client Settings in Configuration Manager. To enable or disable existing inventory classes 1. In the Configuration Manager console, click Administration.
2033

2. In the Administration workspace, click Client Settings. 3. Click Default Client Settings. 4. On the Home tab, in the Properties group, click Properties. 5. In the Default Client Settings dialog box, click Hardware Inventory. 6. In the Device Settings list, click Set Classes. 7. In the Hardware Inventory Classes dialog box, select or clear the classes and class properties to be collected by hardware inventory. You can expand classes to select or clear individual properties within that class. Use the Search for inventory classes field to search for individual classes. Important When you add new classes to Configuration Manager hardware inventory, the size of the inventory file that is collected and sent to the site server will increase. This might negatively affect the performance of your network and Configuration Manager site. Enable only the inventory classes that you want to collect. 8. Click OK to save your changes and close the Hardware Inventory Classes dialog box. To add a new inventory class 1. In the Configuration Manager console, click Administration. Important You can only add inventory classes from the top level server in the hierarchy and by modifying the default client settings. This option is not available when you create custom device settings. 2. In the Administration workspace, click Client Settings. 3. Click Default Client Settings. 4. On the Home tab, in the Properties group, click Properties. 5. In the Default Client Settings dialog box, click Hardware Inventory. 6. In the Device Settings list, click Set Classes. 7. In the Hardware Inventory Classes dialog box, click Add. 8. In the Add Hardware Inventory Class dialog box, click Connect. 9. In the Connect to Windows Management Instrumentation (WMI) dialog box, specify the name of the computer from which you will retrieve the WMI classes and the WMI namespace to use for retrieving the classes. If you want to retrieve all classes below the WMI namespace that you specified, click Recursive. If the computer you are connecting to is not the local computer, supply login credentials for an account that has permission to access WMI on the remote computer. 10. Click Connect. 11. In the Add Hardware Inventory Class dialog box, in the Inventory classes list, select the WMI classes that you want to add to System Center 2012 Configuration Manager hardware inventory. 12. If you want to edit information about the selected WMI class, click Edit, and in the Class
2034

qualifiers dialog box, provide the following information: Display name Specify a friendly name for the class that will be displayed in Resource Explorer. Properties Specify the units in which each property of the WMI class will be displayed.

You can also designate properties as a key property to help uniquely identify each instance of the class. If no key is defined for the class and multiple instances of the class are reported from the client, only the latest instance that is found is stored in the database. When you have finished configuring the properties, click OK to close the Class qualifiers dialog box. 13. Click OK to close the Add Hardware Inventory Class dialog box. 14. Click OK to close the Hardware Inventory Classes dialog box. 15. Click OK to close the Default Client Settings dialog box. To import hardware inventory classes 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, click Client Settings. 3. Click Default Client Settings. Important You can only import inventory classes when you modify the default client settings. However, you can use custom client settings to import information that does not contain a schema change, such as changing the property of an existing class from True to False. 4. On the Home tab, in the Properties group, click Properties. 5. In the Default Client Settings dialog box, click Hardware Inventory. 6. In the Device Settings list, click Set Classes. 7. In the Hardware Inventory Classes dialog box, click Import. 8. In the Import dialog box, select the Managed Object Format (MOF) file that you want to import, and then click OK. 9. In the Import Summary dialog box, review the items that will be imported, and then click Import. To export hardware inventory classes 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, click Client Settings. 3. Click Default Client Settings. 4. On the Home tab, in the Properties group, click Properties. 5. In the Default Client Settings dialog box, click Hardware Inventory.
2035

6. In the Device Settings list, click Set Classes. 7. In the Hardware Inventory Classes dialog box, click Export. Note When you export classes, all currently selected classes will be exported. 8. In the Export dialog box, specify the Managed Object Format (MOF) file that you want to export the classes to, and then click Save.

How to Use Management Information Files (MIF Files) to Extend Hardware Inventory
Use Management Information Format (MIF) files to extend hardware inventory information collected from clients by Configuration Manager. During hardware inventory, the information stored in MIF files is added to the client inventory report and stored in the site database, where you can use the data in the same ways that you use default client inventory data. There are two types of MIF files, NOIDMIF and IDMIF. Important Before you can add information from MIF files to the Configuration Manager database, you must create or import class information for them. For more information, see the sections To add a new inventory class and To import hardware inventory classes in this topic.

To create NOIDMIF files

NOIDMIF files can be used to add information to a client hardware inventory that cannot normally be collected by Configuration Manager and is associated with a particular client device. For example, many companies label each computer in the organization with an asset number and then catalogue these by hand. When you create a NOIDMIF file, this information can be added to the Configuration Manager database and be used for queries and reporting. For information about creating NOIDMIF files, see the System Center 2012 Configuration Manager SDK documentation. Important When you create a NOIDMIF file, this must be saved in an ANSI encoded format. NOIDMIF files saved in UTF-8 encoded format cannot be read by Configuration Manager. After you create a NOIDMIF file, store this in the folder %Windir%\System32\CCM\Inventory\Noidmifs folder on each client. Configuration Manager will collect information from NODMIF files in this folder during the next scheduled hardware inventory cycle.

2036

To create IDMIF files

IDMIF files can be used to add information about assets to the System Center 2012 Configuration Manager database that could not normally be inventoried by System Center 2012 Configuration Manager and is not associated with a particular client device. For example, you could use IDMIFS to collect information about projectors, DVD players, photocopiers, or other equipment that does not contain a Configuration Manager client. For information about creating IDMIF files, see the System Center 2012 Configuration Manager SDK documentation. After you create an IDMIF file, store this in the folder %Windir%\System32\CCM\Inventory\Idmifs folder on client computers. Configuration Manager will collect information from this file during the next scheduled hardware inventory cycle. You must declare new classes for information contained in the file by adding or importing them. For more information, see How to Extend Hardware Inventory in Configuration Manager.

See Also
Configuring Hardware Inventory in Configuration Manager

Operations and Maintenance for Hardware Inventory in Configuration Manager

Use the information in this section to find out more about operations and maintenance for hardware inventory in System Center 2012 Configuration Manager.

In This Section
How to Use Resource Explorer to View Hardware Inventory in Configuration Manager

See Also
Hardware Inventory in Configuration Manager

How to Use Resource Explorer to View Hardware Inventory in Configuration Manager

Use Resource Explorer in System Center 2012 Configuration Manager to view information about hardware inventory that has been collected from clients in your hierarchy. Note
2037

Resource Explorer will not display any inventory data until a hardware inventory cycle has run on the client you are connecting to. Resource Explorer in Configuration Manager contains the following sections related to hardware inventory: Hardware - Contains the most recent hardware inventory collected from the specified Configuration Manager client device. You can review the inventory item Workstation Status to discover the time and date when the device last performed a hardware inventory. Hardware History Contains a history of inventoried items that have changed since the last hardware inventory was performed. Each item in the list contains a Current node and one or more <date> nodes. You can compare the information in the current node to one of the historical nodes to discover items that have changed in the client computers hardware inventory. Note Configuration Manager retains hardware inventory history for the number of days you specify in the Delete Aged Inventory History site maintenance task Note For Configuration Manager SP1 only: For information about how to view hardware inventory from clients that run Linux and UNIX, see the How to use Resource Explorer to View Inventory for Linux and UNIX Servers section in the How to Monitor Linux and UNIX Clients in Configuration Manager topic.

Use the following procedure to run Resource Explorer in Configuration Manager. To run Resource Explorer from the Configuration Manager console 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, click Devices or open any collection that displays devices. 3. Click the computer containing the inventory that you want to view and then, in the Home tab, in the Devices group, click Start and then click Resource Explorer. The Resource Explorer window will open. 4. You can right-click any item in the right-pane of the Resource Explorer window and then click Properties to open the <item name> Properties dialog box which can help you to view the collected inventory information in a more readable format. 5. When you are finished, close the Resource Explorer window.

See Also
Operations and Maintenance for Hardware Inventory in Configuration Manager
2038

Hardware Inventory for Linux and UNIX in Configuration Manager

Note The information in this topic applies only to System Center 2012 Configuration Manager SP1. The Configuration Manager client for Linux and UNIX supports hardware inventory. After you collect hardware inventory you can run view inventory in the resource explorer or Configuration Manager reports, and use this information to create queries and collections that enable the following operations: Software deployment Enforce maintenance windows Deploy custom client settings

Hardware inventory for Linux and UNIX servers uses a standards based Common Information Model (CIM) server. The CIM server runs as a software service (or daemon) and provides a management infrastructure that is based on Distributed Management Task Force (DMTF) standards. The CIM server provides functionality that is similar to the Windows Management Infrastructure (WMI) CIM capabilities that are available on Windows-based computers. The CIM server installs as part of the client for Linux and UNIX. Microsoft developed the CIM server that is now available as open source through the Open Management Infrastructure (OMI) project. For more information about the Open Management Infrastructure project, see The Open Group website. Hardware Inventory on Linux and UNIX servers operates by mapping existing Win32 WMI classes and properties to equivalent classes and properties for Linux and UNIX servers. This one-to-one mapping of classes and properties enables the Linux and UNIX hardware inventory to integrate with Configuration Manager. Inventory data from Linux and UNIX servers displays along with inventory from Windows-based computers in the Configuration Manager console and reports. This provides a consistent heterogeneous management experience. Tip You can use the Caption value for the Operating System class to identify different Linux and UNIX operating systems in queries and collections.

Configuring Hardware Inventory for Linux and UNIX Servers

You can use the default client settings or create custom client device settings to configure hardware inventory. When you use custom client device settings you can configure the classes and properties you want to collect from only your Linux and UNIX servers. You can also specify custom schedules for when to collect full and delta inventories from your Linux and UNIX servers.
2039

The client for Linux and UNIX supports the following hardware inventory classes that are available on Linux and UNIX servers: Win32_BIOS Win32_ComputerSystem Win32_DiskDrive Win32_DiskPartition Win32_NetworkAdapter Win32_NetworkAdapterConfiguration Win32_OperatingSystem Win32_Process Win32_Service Win32Reg_AddRemovePrograms SMS_LogicalDisk SMS_Processor

Not all properties for these inventory classes are enabled for Linux and UNIX computers in Configuration Manager.

Operations for Hardware Inventory

After you collect hardware inventory from your Linux and UNIX servers, you can view and use this information the same way you view inventory you collect from other computers: Use Resource Explorer to view detailed information about the hardware inventory from Linux and UNIX servers Create queries based on specific hardware configurations Create query-based collections that are based on specific hardware configurations Run reports that display specific details about hardware configurations

Hardware inventory on a Linux or UNIX server runs according to the schedule you configure in client settings. By default, this is every seven days. The client for Linux and UNIX supports both full inventory cycles and delta inventory cycles. You can also force the client on a Linux or UNIX server to immediately run hardware inventory. To run hardware inventory, on a client use root credentials to run the following command to start a hardware inventory cycle: /opt/microsoft/configmgr/bin/ccmexec -rs hinv For information about machine policy, see the section Computer Policy for Linux and UNIX Servers in the How to Manage Linux and UNIX Clients in Configuration Manager topic. Actions for hardware inventory are entered into the client log file, scxcm.log.

2040

Security and Privacy for Hardware Inventory in Configuration Manager

This topic contains security and privacy information for hardware inventory in System Center 2012 Configuration Manager.

Security Best Practices for Hardware Inventory

Use the following security best practices for when you collect hardware inventory data from clients:
Security best practice More information

Sign and encrypt inventory data

When clients communicate with management points by using HTTPS, all data that they send is encrypted by using SSL. However, when client computers use HTTP to communicate with management points on the intranet, client inventory data and collected files can be sent unsigned and unencrypted. Make sure that the site is configured to require signing and use encryption. In addition, if clients can support the SHA-256 algorithm, select the option to require SHA-256.

Do not collect IDMIF and NOIDMIF files in high- You can use IDMIF and NOIDMIF file collection security environments to extend hardware inventory collection. When necessary, Configuration Manager creates new tables or modifies existing tables in the Configuration Manager database to accommodate the properties in IDMIF and NOIDMIF files. However, Configuration Manager does not validate IDMIF and NOIDMIF files, so these files could be used to alter tables that you do not want altered. Valid data could be overwritten by invalid data. In addition, large amounts of data could be added and the processing of this data might cause delays in all Configuration Manager functions. To mitigate these risks, configure the hardware inventory client setting Collect MIF files as None.

2041

Security Issues for Hardware Inventory

Collecting inventory exposes potential vulnerabilities. Attackers can perform the following: Send invalid data, which will be accepted by the management point even when the software inventory client setting is disabled and file collection is not enabled. Send excessively large amounts of data in a single file and in lots of files, which might cause a denial of service. Access inventory information as it is transferred to Configuration Manager.

Because a user with local administrative privileges can send any information as inventory data, do not consider inventory data that is collected by Configuration Manager to be authoritative. Hardware inventory is enabled by default as a client setting.

Privacy Information for Hardware Inventory

Note The information in this section also appears in Security and Privacy for Software Inventory in Configuration Manager. Hardware inventory allows you to retrieve any information that is stored in the registry and in WMI on Configuration Manager clients. Software inventory allows you to discover all files of a specified type or to collect any specified files from clients. Asset Intelligence enhances the inventory capabilities by extending hardware and software inventory and adding new license management functionality. Hardware inventory is enabled by default as a client setting and the WMI information collected is determined by options that you select. Software inventory is enabled by default but files are not collected by default. Asset Intelligence data collection is automatically enabled, although you can select the hardware inventory reporting classes to enable.. Inventory information is not sent to Microsoft. Inventory information is stored in the Configuration Manager database. When clients use HTTPS to connect to management points, the inventory data that they send to the site is encrypted during the transfer. If clients use HTTP to connect to management points, you have the option to enable inventory encryption. The inventory data is not stored in encrypted format in the database. Information is retained in the database until it is deleted by the site maintenance tasks Delete Aged Inventory History or Delete Aged Collected Files every 90 days. You can configure the deletion interval. Before you configure hardware inventory, software inventory, file collection, or Asset Intelligence data collection, consider your privacy requirements.

See Also
Hardware Inventory in Configuration Manager

2042

Technical Reference for Hardware Inventory in Configuration Manager

There is currently no technical reference information for hardware inventory in System Center 2012 Configuration Manager.

See Also
Hardware Inventory in Configuration Manager

Software Inventory in Configuration Manager

Use System Center 2012 Configuration Manager software inventory to collect and report information about the files stored on client computers in your organization. You can also use software inventory to collect files from client computers and store them in a folder on the site server.

In This Section
Use the following topics to help you plan, configure, operate and maintain, and troubleshoot software inventory in Configuration Manager. Introduction to Software Inventory in Configuration Manager Planning for Software Inventory in Configuration Manager Configuring Software Inventory in Configuration Manager Operations and Maintenance for Software Inventory in Configuration Manager Security and Privacy for Software Inventory in Configuration Manager Technical Reference for Software Inventory in Configuration Manager

See Also
Inventory in Configuration Manager

Introduction to Software Inventory in Configuration Manager

Use software inventory in System Center 2012 Configuration Manager to collect information about files that are contained on client devices in your organization. Additionally, software inventory can collect files from client devices and store these on the site server. Software
2043

inventory is collected when the Enable software inventory on clients setting is enabled in client settings. After software inventory is enabled and the clients run a software inventory cycle, the client sends the inventory information to a management point in the clients site. The management point then forwards the inventory information to the Configuration Manager site server, which stores the inventory information in the site database. Software inventory runs on clients according to the schedule that you specify in client settings. You can use a number of methods to view the software inventory data that Configuration Manager collects. These include the following: Create queries that return devices that are based on files you specify that are found on devices. For more information, see Queries in Configuration Manager. Create query-based collections that are based on files you specify that are found on devices. Query-based collection memberships automatically update on a schedule. You can use collections for a number of tasks such as software deployment. For more information, see Collections in Configuration Manager. Run reports that display specific details about files on devices in your organization. For more information, see Reporting in Configuration Manager. Use Resource Explorer to examine detailed information about the files that were inventoried and collected from client devices. For more information, see How to Use Resource Explorer to View Hardware Inventory in Configuration Manager.

When software inventory runs on a client device, the first inventory report returned is always a full inventory. Subsequent inventory reports contain only delta inventory information. The site server processes delta inventory information in the order in which it is received. If delta inventory information for a client is missing, the site server rejects further delta inventory information and instructs the client to run a full inventory cycle. Configuration Manager provides limited support for dual-boot computers. Configuration Manager can discover dual-boot computers but only returns inventory information from the operating system that was active at the time of inventory.

Whats New in Configuration Manager

Note The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide. There are no significant changes for software inventory in Configuration Manager since Configuration Manager 2007.

See Also
Software Inventory in Configuration Manager

2044

Planning for Software Inventory in Configuration Manager

Review the information in this section to help you plan for software inventory in System Center 2012 Configuration Manager.

In this Section
Prerequisites for Software Inventory

See Also
Software Inventory in Configuration Manager

Prerequisites for Software Inventory

Software inventory in System Center 2012 Configuration Manager contains only dependencies within the product.

Configuration Manager Dependencies

Dependency More information

Software inventory must be enabled for clients to collect inventory

For information about how to enable and configure software inventory, see How to Configure Software Inventory in Configuration Manager. The reporting services point site system role must be installed before you can run reports for software inventory. For more information, see Reporting in Configuration Manager.

Reporting services point

See Also
Planning for Software Inventory in Configuration Manager

2045

Configuring Software Inventory in Configuration Manager

Use the topics in this section to help you configure software inventory in System Center 2012 Configuration Manager. How to Configure Software Inventory in Configuration Manager How to Exclude Folders from Software Inventory in Configuration Manager

See Also
Software Inventory in Configuration Manager

How to Configure Software Inventory in Configuration Manager

Use the following steps to configure System Center 2012 Configuration Manager software inventory for your site. This procedure configures the default client settings for software inventory and will apply to all the computers in your hierarchy. If you want these settings to apply to only some computers, create a custom device client setting and assign it to a collection that contains the computers that you want to use software inventory. For more information about how to create custom device settings, see How to Create and Assign Custom Client Settings. To configure software inventory 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, click Client Settings. 3. Click Default Client Settings. 4. On the Home tab, in the Properties group, click Properties. 5. In the Default Settings dialog box, click Software Inventory. 6. In the Device Settings list, configure the following values: Enable software inventory on clients From the drop-down list, select True. Schedule software inventory and file collection schedule Configures the interval at which clients collect software inventory and files. Use the default value of 7 days or click Schedule to configure a custom interval.

7. Configure the client settings that you require. For a list of software inventory client settings that you can configure, see the Software Inventory section in the About Client Settings in Configuration Manager topic. 8. Click OK to close the Configure Client Setting dialog box.
2046

Client computers will be configured with these settings when they next download client policy. To initiate policy retrieval for a single client, see the Initiate Policy Retrieval for a Configuration Manager Client section in the How to Manage Clients in Configuration Manager topic.

See Also
Operations and Maintenance for Software Inventory in Configuration Manager

How to Exclude Folders from Software Inventory in Configuration Manager

You can create a hidden file named Skpswi.dat and place it in the root of a client hard drive to exclude it from System Center 2012 Configuration Manager software inventory. You can also place this file in the root of any folder structure you want to exclude from software inventory. This procedure can be used to disable software inventory on a single workstation or server client, such as a large file server. Note Software inventory will not inventory the client drive again unless this file is deleted from the drive on the client computer. To exclude folders from software inventory 1. Using Notepad.exe, create an empty file named Skpswi.dat. 2. Right click the Skpswi.dat file and click Properties. In the file properties for the Skpswi.dat file, select the Hidden attribute. 3. Place the Skpswi.dat file at the root of each client hard drive or folder structure that you want to exclude from software inventory.

See Also
How to Configure Software Inventory in Configuration Manager

Operations and Maintenance for Software Inventory in Configuration Manager

Use the information in this section to find out more about operations and maintenance for software inventory in System Center 2012 Configuration Manager. How to Use Resource Explorer to View Software Inventory in Configuration Manager
2047

See Also
Software Inventory in Configuration Manager

How to Use Resource Explorer to View Software Inventory in Configuration Manager

Use Resource Explorer in System Center 2012 Configuration Manager to view information about software inventory that has been collected from computers in your hierarchy. Note Resource Explorer will not display any inventory data until a software inventory cycle has run on the client you are connecting to. Resource Explorer in Configuration Manager contains the following sections related to software inventory: Software The software section of Resource Explorer contains four sections: Collected Files Displays information about files that were collected during software inventory. File Details Displays information about files that were inventoried during software inventory that are not associated with a specific product or manufacturer. Last Software Scan Displays the date and time of the last software inventory and file collection that was run on the client computer. Product Details Displays information about the software products that were inventoried by software inventory, grouped by manufacturer.

Use the following procedure to run Resource Explorer in Configuration Manager. To run Resource Explorer from the Configuration Manager console 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, click Devices or open any collection that displays devices. 3. Click the computer containing the inventory that you want to view and then, in the Home tab, in the Devices group, click Start and then click Resource Explorer. The Resource Explorer window will open. 4. You can right-click any item in the right-pane of the Resource Explorer window and then click Properties to open the <item name> Properties dialog box which can help you to view the collected inventory information in a more readable format. 5. When you are finished, close the Resource Explorer window.
2048

See Also
Operations and Maintenance for Software Inventory in Configuration Manager

Security and Privacy for Software Inventory in Configuration Manager

This topic contains security and privacy information for software inventory in System Center 2012 Configuration Manager.

Security Best Practices for Software Inventory

Use the following security best practices for when you collect software inventory data from clients:
Security best practice More information

Sign and encrypt inventory data

When clients communicate with management points by using HTTPS, all data that they send is encrypted by using SSL. However, when client computers use HTTP to communicate with management points on the intranet, client inventory data and collected files can be sent unsigned and unencrypted. Make sure that the site is configured to require signing and use encryption. In addition, if clients can support the SHA-256 algorithm, select the option to require SHA-256. Configuration Manager software inventory uses all the rights of the LocalSystem account, which has the ability to collect copies of critical system files, such as the registry or security account database. When these files are available at the site server, someone with the Read Resource rights or NTFS rights to the stored file location could analyze their contents and possibly discern important details about the client in order to be able to compromise its security. A user with local administrative rights can send invalid data as inventory information.

Do not use file collection to collect critical files or sensitive information

Restrict local administrative rights on client computers

2049

Security Issues for Software Inventory

Collecting inventory exposes potential vulnerabilities. Attackers can perform the following: Send invalid data, which will be accepted by the management point even when the software inventory client setting is disabled and file collection is not enabled. Send excessively large amounts of data in a single file and in lots of files, which might cause a denial of service. Access inventory information as it is transferred to Configuration Manager.

If users know that they can create a hidden file named Skpswi.dat and place it in the root of a client hard drive to exclude it from software inventory, you will not be able to collect software inventory data from that computer. Because a user with local administrative privileges can send any information as inventory data, do not consider inventory data that is collected by Configuration Manager to be authoritative. Software inventory is enabled by default as a client setting.

Privacy Information for Software Inventory

Note The information in this section also appears in Security and Privacy for Hardware Inventory in Configuration Manager. Hardware inventory allows you to retrieve any information that is stored in the registry and in WMI on Configuration Manager clients. Software inventory allows you to discover all files of a specified type or to collect any specified files from clients. Asset Intelligence enhances the inventory capabilities by extending hardware and software inventory and adding new license management functionality. Hardware inventory is enabled by default as a client setting and the WMI information collected is determined by options that you select. Software inventory is enabled by default but files are not collected by default. Asset Intelligence data collection is automatically enabled, although you can select the hardware inventory reporting classes to enable. Inventory information is not sent to Microsoft. Inventory information is stored in the Configuration Manager database. When clients use HTTPS to connect to management points, the inventory data that they send to the site is encrypted during the transfer. If clients use HTTP to connect to management points, you have the option to enable inventory encryption. The inventory data is not stored in encrypted format in the database. Information is retained in the database until it is deleted by the site maintenance tasks Delete Aged Inventory History or Delete Aged Collected Files every 90 days. You can configure the deletion interval. Before you configure hardware inventory, software inventory, file collection, or Asset Intelligence data collection, consider your privacy requirements.

See Also
Software Inventory in Configuration Manager
2050

Technical Reference for Software Inventory in Configuration Manager

There is currently no technical reference information for software inventory in System Center 2012 Configuration Manager.

See Also
Software Inventory in Configuration Manager

Asset Intelligence in Configuration Manager

Asset Intelligence in System Center 2012 Configuration Manager lets you retrieve inventory data and manage software license usage throughout the enterprise by using the Asset Intelligence catalog.

Asset Intelligence Topics

Use the following topics to help you manage Asset Intelligence in Configuration Manager: Introduction to Asset Intelligence in Configuration Manager Prerequisites for Asset Intelligence in Configuration Manager Configuring Asset Intelligence in Configuration Manager Operations for Asset Intelligence in Configuration Manager Security and Privacy for Asset Intelligence in Configuration Manager Technical Reference for Asset Intelligence in Configuration Manager

Other Resources for this Product

Assets and Compliance in System Center 2012 Configuration Manager Inventory in Configuration Manager

Introduction to Asset Intelligence in Configuration Manager

Asset Intelligence in System Center 2012 Configuration Manager lets you inventory and manage software license usage throughout your enterprise by using the Asset Intelligence catalog. Many hardware inventory Windows Management Instrumentation (WMI) classes improve the breadth of information that is collected about hardware and software titles that are being used. Over 60
2051

reports present this information in easy-to-use format. Many of these reports link to more specific reports, where you can query for general information and drill down to more detailed information. You can add custom information to the Asset Intelligence catalog, such as custom software categories, software families, software labels, and hardware requirements. You can also connect to System Center Online to dynamically update the Asset Intelligence catalog with the most current information available. Microsoft customers can reconcile enterprise software license usage with purchased software licenses that are being used by importing software license information into the Configuration Manager site database. The following sections in this topic help you use Asset Intelligence: Asset Intelligence Catalog Software Categories Software Families Software Labels Inventoried Software Titles Hardware Requirements

Asset Intelligence Synchronization Point Asset Intelligence Home Page Asset Intelligence Reports Asset Intelligence Hardware Reports Asset Intelligence License Management Reports Asset Intelligence Software Reports Asset Intelligence Software Identification Tag Reports

Asset Intelligence Validation States Whats New in Configuration Manager Whats New in Configuration Manager SP1

Asset Intelligence Catalog

The Configuration Manager Asset Intelligence catalog is a set of database tables stored in the site database that contain categorization and identification information for over 300,000 software titles and versions. These database tables are also used to manage hardware requirements for specific software titles. The Asset Intelligence catalog provides software license information for software titles that are being used, both of Microsoft and of non-Microsoft software. A predefined set of hardware requirements for software titles is available in the Asset Intelligence catalog, and you can create new user-defined hardware requirement information to meet custom requirements. In addition, you can customize information in the Asset Intelligence catalog, and you can upload software title information to System Center Online for categorization.

2052

Asset Intelligence catalog updates that contain newly released software are available for download periodically to perform bulk catalog updates. Or, the catalog can be dynamically updated by using the Asset Intelligence synchronization point site system role.

Software Categories
Asset Intelligence software categories are used to widely categorize inventoried software titles and are also used as high-level groupings of more specific software families. For example, a software category could be energy companies, and a software family within that software category could be oil and gas or hydroelectric. Many software categories are predefined in the Asset Intelligence catalog, and you can create user-defined categories to additionally define inventoried software. The validation state for all predefined software categories is always Validated, whereas custom software category information added to the Asset Intelligence catalog is User Defined. For more information about how to manage software categories, see the Software Categories section in Configuring Asset Intelligence in Configuration Manager. Note Predefined software category information that is stored in the Asset Intelligence catalog is read-only and cannot be changed or deleted. Administrative users can add, modify, or delete user-defined software categories.

Software Families
Asset Intelligence software families are used to define inventoried software titles within software categories. Many software families are predefined in the Asset Intelligence catalog, and you can create user-defined categories to additionally define inventoried software. The validation state for all predefined software families is always Validated, whereas custom software family information added to the Asset Intelligence catalog is User-Defined. For more information about how to manage software families, see the Software Families section in Configuring Asset Intelligence in Configuration Manager. Note Predefined software family information is read-only and cannot be changed. Administrative users can add, modify, or delete user-defined software families.

Software Labels
Asset Intelligence custom software labels let you create filters that you can use to group software titles and to view them by using Asset Intelligence reports. You can use software labels to create user-defined groups of software titles that share a common attribute. For example, you could create a software label called Shareware, associate that software label with inventoried shareware titles, and run a report to display all software titles with the associated Shareware software label. Software labels are not predefined. The validation state for software labels is always User Defined. For more information about how to manage software labels, see the Software Labels section in Configuring Asset Intelligence in Configuration Manager.
2053

Hardware Requirements
You can use the hardware requirements information to verify that computers meet the hardware requirements for software titles before they are targeted for software deployments. You can manage hardware requirements for software titles in the Assets and Compliance workspace in the Hardware Requirements node under the Asset Intelligence node. Many hardware requirements are predefined in the Asset Intelligence catalog, and you can create new userdefined hardware requirement information to meet custom requirements. The validation state for all predefined hardware requirements is always Validated, whereas user-defined hardware requirements information added to the Asset Intelligence catalog is User Defined. For more information about how to manage hardware requirements, see the Hardware Requirements section in Configuring Asset Intelligence in Configuration Manager. Note The hardware requirements displayed in the Configuration Manager console are retrieved from the Asset Intelligence catalog and are not based on inventoried software title information from System Center 2012 Configuration Manager clients. Hardware requirements information is not updated as part of the synchronization process with System Center Online. You can create user-defined hardware requirements for inventoried software that does not have associated hardware requirements. By default, the following information is displayed for each listed hardware requirement: Software Title: Specifies the software title associated with the hardware requirement. Minimum CPU (MHz): Specifies the minimum processor speed, in megahertz (MHz), required by the software title. Minimum RAM (KB): Specifies the minimum RAM, in kilobytes (KB), required by the software title. Minimum Disk Space (KB): Specifies the minimum free hard disk space, in KB, required by the software title. Minimum Disk Size (KB): Specifies the minimum hard disk size, in KB, required by the software title. Validation State: Specifies the validation state for the hardware requirement.

Predefined hardware requirements stored in the Asset Intelligence catalog are read-only and cannot be deleted. Administrative users can add, modify, or delete user-defined hardware requirements for software titles that are not stored in the Asset Intelligence catalog.

Inventoried Software Titles

You can view inventoried software title information in the Assets and Compliance workspace in the Inventoried Software node under the Asset Intelligence node. The Hardware Inventory Client Agent collects the inventoried software information from Configuration Manager clients based on the software titles that are stored in the Asset Intelligence catalog. Warning
2054

The Hardware Inventory Client Agent collects inventory based on the Asset Intelligence hardware inventory reporting classes that you enable. For more information about how to enable the reporting classes, see Enable Asset Intelligence Hardware Inventory Reporting Classes. By default, the following information is displayed for each inventoried software title: Name: Specifies the name of the inventoried software title. Vendor: Specifies the name of the vendor that developed the inventoried software title. Version: Specifies the product version of the inventoried software title. Category: Specifies the software category that is currently assigned to the inventoried software title. Family: Specifies the software family that is currently assigned to the inventoried software title. Label [1, 2, and 3]: Specifies the custom labels that are associated with the software title. Inventoried software titles can have up to three custom labels associated with them. Count: Specifies the number of Configuration Manager clients that have inventoried the software title. State: Specifies the validation state for the inventoried software title. Note You can change the categorization information (product name, vendor, software category, and software family) for inventoried software only at the top-level site in your hierarchy. After you modify the categorization information for predefined software, the validation state for the software changes from Validated to User Defined.

Asset Intelligence Synchronization Point

The Asset Intelligence synchronization point is a Configuration Manager site system role used to connect to System Center Online (by using TCP port 443) to manage dynamic Asset Intelligence catalog information updates. This site role can be installed only on top-level site of the hierarchy. You must configure all Asset Intelligence catalog customization by using a Configuration Manager console connected to the top-level site. Although all updates must be configured at the top-level site, Asset Intelligence catalog information is replicated to other sites in the hierarchy. The Asset Intelligence synchronization point site role lets you request on-demand catalog synchronization with System Center Online or schedule automatic catalog synchronization. In addition to downloading new Asset Intelligence catalog information, the Asset Intelligence synchronization point can upload custom software title information to System Center Online for categorization. Microsoft treats all software titles uploaded to System Center Online for categorization as public information. Therefore, you should make sure that your custom software titles do not contain confidential or proprietary information. Note After an uncategorized software title is submitted, and there are at least 4 categorization requests from customers for the same software title, System Center Online researchers
2055

identify, categorize, and then make the software title categorization information available to all customers who are using the online service. Software titles that represent the most requests for categorization receive the highest priority to categorize. Custom software and line-of-business applications are unlikely to receive a category, and as a best practice, you should not send these software titles to Microsoft for categorization. Note An Asset Intelligence synchronization point site system role is required to connect to System Center Online. For information about how to install an Asset Intelligence synchronization point, see the Install an Asset Intelligence Synchronization Point section in Configuring Asset Intelligence in Configuration Manager.

Asset Intelligence Home Page

The Asset Intelligence node in the Asset and Compliance workspace is the home page for Asset Intelligence in Configuration Manager. The Asset Intelligence home page displays a summary dashboard view for Asset Intelligence catalog information. Note The Asset Intelligence home page does not automatically update while it is being viewed. The Asset Intelligence home page contains the following sections: Catalog Synchronization: Provides information about whether Asset Intelligence is enabled and the current status of the Asset Intelligence synchronization point. The section also provides the synchronization schedule, whether the customer license statement is imported, when status was last updated and the time for the next scheduled update, and number of changes that occurred after the Asset Intelligence synchronization point site system was installed. Note The Asset Intelligence catalog synchronization section of the Asset Intelligence home page is only displayed if an Asset Intelligence synchronization point site system role was installed. Inventoried Software Status: Provides the count and percentage of inventoried software, software categories, and software families that are identified by Microsoft, identified by an administrator, pending online identification, or unidentified and not pending. The information displayed in table format shows the count for each, and the information displayed in the chart shows the percentage for each.

Asset Intelligence Reports

The Asset Intelligence reports are located in the Configuration Manager console, in the Monitoring workspace, in the Asset Intelligence folder under the Reporting node. The reports

2056

provide information about hardware, license management, and software. For more information about reports in Configuration Manager, see Reporting in Configuration Manager. Note The accuracy of the quantity of installed software titles and license information displayed in Asset Intelligence reports might vary from the actual number of software titles installed or licenses that are used in the environment. This variation is because of the complex dependencies and limitations involved in inventorying software license information for software titles that are installed in enterprise environments. Do not use Asset Intelligence reports as the sole source for determining purchased software license compliance.

Asset Intelligence Hardware Reports

Asset Intelligence hardware reports provide information about hardware assets in the organization. By using hardware inventory information, such as speed, memory, peripheral devices, and more, Asset Intelligence hardware reports can present information about USB devices, about hardware that must be upgraded, and even about computers that are not ready for a specific software upgrade. Note Some user data in Asset Intelligence hardware reports is collected from the System Security Event Log. For better report accuracy, we recommend that you clear this log when you reassign a computer to a new user.

Asset Intelligence License Management Reports

Asset Intelligence license management reports provide data about licenses that are being used. The License Ledger report lists installed Microsoft applications in a format congruent with a Microsoft License Statement (MLS). This provides a convenient method of matching purchased licenses with used licenses. Other License Management reports provide information about computers acting as servers that run the Key Management Service (KMS) for operating system activation statistics. Important Several of the Asset Intelligence License Management reports present information about the function of KMS, a method of administering volume licensing. If a KMS server has not been implemented, some reports might not return any data. For more information about KMS, search for KMS on Microsoft TechNet.

Asset Intelligence Software Reports

Asset Intelligence software reports provide information about software families, categories, and specific software titles that are installed on computers in the organization. The software reports present information about browser helper objects, software that starts automatically, and more.

2057

These reports can be used to identify adware, spyware, and other malware, and identify software redundancy to help streamline software purchasing and support.

Asset Intelligence Software Identification Tag Reports

For Configuration Manager SP1 only: Asset Intelligence software identification tag reports provide information about software that contains a software identification tag that is compliant with ISO/IEC 19770-2. The software identification tags provide authoritative information that is used to identify installed software. When you enable the SMS_SoftwareTag hardware inventory reporting class, Configuration Manager collects information about the software with software identification tags. The following reports provide information about the software: Software 14A Search for software identification tag enabled software: This report provides the count of installed software with a software identification tag enabled. Software 14B Computers with specific software identification tag enabled software installed: This report lists all computers that have installed software with a specific software identification tag enabled. Software 14C Installed software identification tag enabled software on a specific computer: This report lists all installed software with a specific software identification tag enabled on a specific computer.

Asset Intelligence Reporting Limitations

Asset Intelligence reports can provide large amounts of information about installed software titles and purchased software licenses that are being used. However, you should not use this information as the only source for determining purchased software license compliance.

Example Dependencies
The accuracy of the quantity displayed in the Asset Intelligence reports for installed software titles and license information can vary from the actual amounts currently used. This variation is caused by the complex dependencies involved in inventorying software license information for software titles in use in enterprise environments. The following examples show the dependencies involved in inventorying installed software in the enterprise by using Asset Intelligence that might affect the accuracy of Asset Intelligence reports:
Client hardware inventory dependencies Asset Intelligence installed software reports are based on data that is collected from Configuration Manager clients by extending hardware inventory to enable Asset Intelligence reporting. Because of this dependency on hardware inventory reporting, Asset Intelligence reports reflect data only from Configuration Manager clients that successfully complete hardware inventory processes with the required Asset Intelligence WMI reporting classes enabled. In addition, because Configuration Manager clients perform hardware inventory processes on a schedule defined by the administrative user, a delay might occur in data reporting that affects the accuracy of
2058

Asset Intelligence reports. For example, an inventoried licensed software title might be uninstalled after the client finishes a successful hardware inventory cycle. However, the software title is displayed as installed in Asset Intelligence reports until the clients next scheduled hardware inventory reporting cycle.

Software packaging dependencies Because Asset Intelligence reports are based on installed software title data that is collected by using standard Configuration Manager client hardware inventory processes, some software title data might not be collected correctly. For example, software installations that do not comply with standard installation processes or software installations that were changed before installation could cause inaccurate Asset Intelligence reporting.

Legal Limitations
The information displayed in Asset Intelligence reports are subject to many limitations and the information displayed in them does not represent legal, accounting, or other professional advice. The information that is provided by Asset Intelligence reports is for information only and should not be used as the only source of information for determining software license usage compliance. The following are example limitations involved in inventorying installed software and license usage in the enterprise by using Asset Intelligence that might affect the accuracy of Asset Intelligence reports:
Microsoft license usage quantity limitations The quantity of purchased Microsoft software licenses is based on information that administrators supply and should be closely reviewed to ensure that the correct number of software licenses is provided. The reported quantity of Microsoft software licenses contains information only about Microsoft software licenses acquired through volume licensing programs and does not reflect information for software licenses acquired through retail, OEM, or other software license sales channels. Software licenses acquired in the last 45 days might not be included in the quantity of Microsoft software licenses reported because of software reseller reporting requirements and schedules. Software license transfers from company mergers or acquisitions might not be reflected in Microsoft software license quantities. Nonstandard terms and conditions in a Microsoft Volume Licensing (MVLS) agreement might affect the number of software licenses reported and, therefore, might require additional review by a Microsoft representative.

2059

Installed software title quantity limitations Configuration Manager Clients must successfully complete hardware inventory reporting cycles for the Asset Intelligence reports to accurately report the quantity of installed software titles. Additionally, there might be a delay between the installation or uninstallation of a licensed software title after a successful hardware inventory reporting cycle that is not reflected in Asset Intelligence reports run before the client reports its next scheduled hardware inventory.

License reconciliation limitations The reconciliation of the quantity of installed software titles to the quantity of purchased software licenses is calculated by using a comparison of the license quantity specified by the administrator and the quantity of installed software titles collected from Configuration Manager client hardware inventories based on the schedule set by the administrator. This comparison does not represent a final Microsoft conclusion of the license positions. The actual license position depends on the specific software title license and usage rights granted by the license terms.

Asset Intelligence Validation States

Asset Intelligence validation states represent the source and current validation status of Asset Intelligence catalog information. The following table shows possible Asset Intelligence validation states and administrator actions that can cause them.
State Definition Administrator action Comment

Validated

Catalog item was defined by System Center Online researchers. Catalog item has not been defined by System Center Online researchers. Catalog item was not defined by System Center Online researchers, but the item was submitted to System Center Online for

None.

Best state.

User Defined

Customized the local catalog information.

This state is displayed in Asset Intelligence reports.

Pending

Requested categorization from System Center Online.

Catalog item remains in this state until System Center Online researchers categorize the item, and the Asset Intelligence catalog is synchronized. Note
2060

State

Definition

Administrator action

Comment

categorization.

Catalog items submitted to System Center Online for categorization have a validation state of Pending on a central administration site, but continue to be displayed with a validation state of Uncategorized on child primary sites. Customized the local Asset Intelligence catalog to categorize an item as userdefined. You can use the Resolve Conflict action to decide whether to use the new categorization information or the previous userdefined value. For more information about how to resolve conflicts, see Resolve Software Details Conflicts. Note After a categorization conflict is resolved, the item is not validated as conflicting again unless later categorization updates introduce new information about the item.

Updateable

A user-defined catalog item has been categorized differently by System Center Online during subsequent catalog synchronization.

Uncategorized

Catalog item has not been defined by System Center Online researchers,

None.

Request categorization or customize local catalog information. For more information about
2061

State

Definition

Administrator action

Comment

the item has not been submitted to System Center Online for categorization, and the administrator has not assigned a userdefined categorization value.

requesting categorization, see Request a Catalog Update for Uncategorized Software Titles. For more information about how to change the category for the software title, see Modify Categorization Information for Inventoried Software.

For examples of when a validation state might transition from one state to another, see Example Validation State Transitions for Asset Intelligence.

Whats New in Configuration Manager

Note The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide. The following items are new or have changed for Asset Intelligence since Configuration Manager 2007: In System Center 2012 Configuration Manager, you can enable Asset Intelligence hardware inventory classes without editing the sms_def.mof file. You can now download the MVLS license statement from the Microsoft Volume Licensing Service Center and import the license statement from the Configuration Manager console. There is a new maintenance task (Check Application Title with Inventory Information) that checks that the software title reported in software inventory is reconciled with the software title in the Asset Intelligence catalog. There is a new maintenance task (Summarize Installed Software Data) that provides the information displayed in the Inventoried Software node under the Asset Intelligence node in the Assets and Compliance workspace. The Client Access License reports have been deprecated.

Whats New in Configuration Manager SP1

The following items are new for Asset Intelligence in Configuration Manager SP1: Asset Intelligence supports the 7 mandatory software identification tags that are defined in ISO/IEC 19770-2. The ISO/IEC 19770-2 standard specifies the structure and basic usage of software identification. Software identification tags provide authoritative information used to identify installed software. If software contains software identification tag information that is
2062

compliant with ISO/IEC 19770-2, then Asset Intelligence collects the software identification tags from the software. Note You must enable the SMS_SoftwareTag Asset Intelligence hardware inventory reporting class before Configuration Manager will collect the software identification tags. Asset Intelligence provides the three new reports that provide information about software with the software identification tags. The report titles start with Software 14A, Software 14B, and Software 14C. Asset Intelligence collects information about Microsoft Application Virtualization (App-V) 5 applications and continues to collect information about App-V 4.

See Also
Asset Intelligence in Configuration Manager

Prerequisites for Asset Intelligence in Configuration Manager

Asset Intelligence in System Center 2012 Configuration Manager has external dependencies and dependencies within the product.

Dependencies External to Configuration Manager

The following table provides the dependencies for Asset Intelligence that are external to Configuration Manager.
Dependency More Information

Auditing of Success Logon Events Prerequisites

Four Asset Intelligence reports display information gathered from the Windows Security event logs on client computers. If the Security event log settings are not configured to log all Success logon events, these reports contain no data even if the appropriate hardware inventory reporting class is enabled. The following Asset Intelligence reports depend on collected Windows Security event log information: Hardware 03A - Primary Computer Users
2063

Dependency

More Information

Hardware 03B - Computers for a Specific Primary Console User Hardware 04A - Shared (Multi-user) Computers Hardware 05A - Console Users on a Specific Computer

To enable the Hardware Inventory Client Agent to inventory the information required to support these reports, you must first modify the Windows Security event log settings on clients to log all Success logon events, and enable the SMS_SystemConsoleUser hardware inventory reporting class. For more information about modifying Security event log settings to log all Success logon events, see Enable Auditing of Success Logon Events. Note The SMS_SystemConsoleUser hardware inventory reporting class retains successful logon event data for only the previous 90 days of the Security event log, regardless of the length of the log. If the Security event log has fewer than 90 days of data, the entire log is read.

Dependencies Internal to Configuration Manager

The following table provides the dependencies for Asset Intelligence that are internal to Configuration Manager.
Dependency More Information

Client Agent Prerequisites

The Asset Intelligence reports depend on client information that is obtained through client hardware and software inventory reports. To obtain the information necessary for all Asset Intelligence reports, the following client agents must be enabled: Hardware Inventory Client Agent
2064

Dependency

More Information

Software Metering Client Agent

Hardware Inventory Client Agent Dependencies To collect inventory data required for some Asset Intelligence reports, the Hardware Inventory Client Agent must be enabled. In addition, some hardware inventory reporting classes that Asset Intelligence reports depend on must be enabled on primary site server computers. For information about enabling the Hardware Inventory Client Agent, see How to Configure Hardware Inventory in Configuration Manager. Software Metering Client Agent Dependencies A number of Asset Intelligence software reports depend on the Software Metering Client Agent for data. For information about enabling the Software Metering Client Agent, see Configuring Software Metering in Configuration Manager. The following Asset Intelligence reports depend on the Software Metering Client Agent to provide data: Asset Intelligence Hardware Inventory Reporting Class Prerequisites Software 07A - Recently Used Executables by Number of Computers Software 07B - Computers that Recently Used a Specified Executable Software 07C - Recently Used Executables on a Specific Computer Software 08A - Recently Used Executables by Number of Users Software 08B - Users that Recently Used a Specified Executable Software 08C - Recently Used Executables by a Specified User

Asset Intelligence reports in Configuration Manager depend on specific hardware inventory reporting classes. Until the hardware inventory reporting classes are enabled and clients have reported hardware inventory based on these classes, the associated Asset Intelligence reports do not contain any data.
2065

Dependency

More Information

You can enable the following hardware inventory reporting classes to support Asset Intelligence reporting requirements:
1

SMS_SystemConsoleUsage SMS_SystemConsoleUser SMS_InstalledSoftware SMS_AutoStartSoftware SMS_BrowserHelperObject Win32_USBDevice SMS_InstalledExecutable SMS_SoftwareShortcut SoftwareLicensingService SoftwareLicensingProduct SMS_SoftwareTag
2 1

By default, the SMS_SystemConsoleUsage and SMS_SystemConsoleUser Asset Intelligence hardware inventory reporting classes are enabled.
2

This hardware inventory reporting class is available starting in Configuration Manager SP1. You can edit the Asset Intelligence hardware inventory reporting classes in the Configuration Manager console, in the Assets and Compliance workspace, when you click the Asset Intelligence node. For more information, see the Enable Asset Intelligence Hardware Inventory Reporting Classes section in the Configuring Asset Intelligence in Configuration Manager topic. Reporting services point The reporting services point site system role must be installed before software updates reports can be displayed. For more information about creating a reporting services point, see Configuring Reporting in Configuration Manager.

2066

See Also
Asset Intelligence in Configuration Manager

Configuring Asset Intelligence in Configuration Manager

You must complete a number of configuration steps before you can use Asset Intelligence in System Center 2012 Configuration Manager to inventory and manage software license usage throughout your enterprise.

Steps to Configure Asset Intelligence

Use the steps in the following table to configure Asset Intelligence in Configuration Manager.
Step Details More Information

Step 1: Enable Asset Intelligence Hardware Inventory Reporting Classes

Asset Intelligence information collection is not enabled when Configuration Manager is first installed. To enable Asset Intelligence, at least one of the required hardware inventory reporting classes that Asset Intelligence reports rely on must be enabled. Note To collect the inventory data required for Asset Intelligence reports, the Hardware Inventory Client Agent must be enabled. For information about enabling the Hardware Inventory Client Agent, see How to Configure Hardware Inventory in Configuration Manager.

For more information, see the following procedure in this topic: Enable Asset Intelligence Hardware Inventory Reporting Classes.

Step 2: Install an Asset Intelligence Synchronization Point

The Asset Intelligence synchronization point site system role is used to connect

For more information, see the following procedure in this topic: Install an Asset
2067

Step

Details

More Information

Configuration Manager sites to System Center Online to synchronize Asset Intelligence catalog information. The Asset Intelligence synchronization point can be installed only on a site system located at the top-level site of the Configuration Manager hierarchy and requires Internet access to synchronize with System Center Online by using TCP port 443. In addition to downloading new Asset Intelligence catalog information, the Asset Intelligence synchronization point can upload custom software title information to System Center Online for categorization. Microsoft treats all software titles uploaded to System Center Online for categorization as public information. Therefore, you should ensure that your custom software titles do not contain confidential or proprietary information. For more information about requesting software title categorization, see Request a Catalog Update for Uncategorized Software Titles. Step 3: Enable Auditing of Success Logon Events Four Asset Intelligence reports display information gathered from the Windows Security event logs on client computers. If the Security event log settings are not configured to log all Success logon events, these reports contain no data even if the appropriate hardware inventory reporting class is enabled. To enable the Hardware Inventory Client Agent to inventory

Intelligence Synchronization Point.

For more information, see the following procedures in this topic: Enable Auditing of Success Logon Events.

2068

Step

Details

More Information

the information required to support these reports, you must first modify the Windows Security event log settings on clients to log all Success logon events, and enable the SMS_SystemConsoleUser hardware inventory reporting class. Step 4: Import Software License Information The Import Software License Wizard is used to import Microsoft Volume Licensing (MVLS) information and general license statements into the Asset Intelligence catalog. The MVLS license statement contains information about the license entitlements, or number of purchased licenses, for Microsoft products. A general license statement contains information about the purchased licenses for any publisher. Step 5: Configure Asset Intelligence Maintenance Tasks The following maintenance tasks are associated with Asset Intelligence. By default, both maintenance tasks are enabled and are configured on a default schedule. Check Application Title with Inventory Information: This maintenance task checks that the software title that is reported in software inventory is reconciled with the software title in the Asset Intelligence catalog. Summarize Installed Software Data: This maintenance task provides the information that is displayed in the Assets and Compliance
2069

For more information, see the following procedures in this topic: Import Software License Information.

For more information, see the following procedures in this topic: Configure Asset Intelligence Maintenance Tasks.

Step

Details

More Information

workspace, in the Inventoried Software node, under the Asset Intelligence node. When the task runs, Configuration Manager gathers a count for all inventoried software titles at the primary site. Note The Summarize Installed Software Data maintenance task is available only on primary sites.

Supplemental Procedures for Configuring Asset Intelligence

Use the following information for the steps in the preceding table.

Enable Asset Intelligence Hardware Inventory Reporting Classes

To enable Asset Intelligence in Configuration Manager sites, you must enable one or more Asset Intelligence hardware inventory reporting classes. You can enable the classes on the Asset Intelligence home page, or, in the Administration workspace, in the Client Settings node, in client settings properties. Use one of the following procedures to enable the Asset Intelligence hardware inventory reporting classes. To enable Asset Intelligence hardware inventory reporting classes from the Asset Intelligence home page 1. In the Configuration Manager console, click Asset and Compliance. 2. In the Asset and Compliance workspace, click Asset Intelligence. 3. On the Home tab, in the Asset Intelligence group, click Edit Inventory Classes. The Edit Inventory Classes dialog box opens. 4. To enable Asset Intelligence reporting, select Enable all Asset Intelligence reporting classes or select Enable only the selected Asset Intelligence reporting classes, and select at least one reporting class from the classes displayed. Note Asset Intelligence reports that depend on the hardware inventory classes that
2070

you enable by using this procedure do not display data until clients have scanned for and returned hardware inventory. 5. Click OK to enable the selected Asset Intelligence hardware inventory reporting classes. To enable Asset Intelligence hardware inventory reporting classes from client settings properties 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, click Client Settings, and then select the Default Client Agent Settings. Note If you have created custom client settings, you can select the custom client settings instead of the default client settings. 3. On the Home tab, in the Properties group, click Properties. The Client Settings Properties dialog box opens. 4. Click Hardware Inventory, and then click Set Classes. The Hardware Inventory Classes dialog box opens. 5. Click Filter by category, and then click Asset Intelligence Reporting Classes. The list of classes is refreshed with only the Asset Intelligence hardware inventory reporting classes. 6. Select at least one reporting class from the list of Asset Intelligence reporting classes. Note Asset Intelligence reports that depend on the hardware inventory classes that you enable by using this procedure do not display data until clients have scanned for and returned hardware inventory. 7. Click OK to enable the selected Asset Intelligence hardware inventory reporting classes.

Install an Asset Intelligence Synchronization Point

Use the following procedure to install an Asset Intelligence synchronization point site system role. To install an Asset Intelligence synchronization point site system role 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, and then click Servers and Site System Roles. 3. Add the Asset Intelligence synchronization point site system role to a new or existing site system server by using the associated step: New site system server: On the Home tab, in the Create group, click Create Site System Server. The Create Site System Server Wizard opens. Note By default, when Configuration Manager installs a site system role, the
2071

installation files are installed on the first available NTFS-formatted hard disk drive that has the most available free hard disk space. To prevent Configuration Manager from installing on specific drives, create an empty file named No_sms_on_drive.sms and copy it to the root folder of the drive before you install the site system server. Existing site system server: Click the server on which you want to install the Asset Intelligence synchronization point site system role. When you click a server, a list of the site system roles that are already installed on the server are displayed in the details pane. On the Home tab, in the Server group, click Add Site System Role. The Add Site System Roles Wizard opens. 4. On the General page, specify the general settings for the site system server. When you add the Asset Intelligence synchronization point to an existing site system server, verify the values that were previously configured. 5. On the System Role Selection page, select Asset Intelligence Synchronization Point from the list of available roles, and then click Next. 6. On the Asset Intelligence Synchronization Point Connection Settings page, click Next. By default, the Use this Asset Intelligence Synchronization Point setting is selected and cannot be configured on this page. System Center Online accepts network traffic only over TCP port 443, therefore the SSL port number setting cannot be configured on this page of the wizard. 7. Optionally, you can specify a path to the System Center Online authentication certificate (.pfx) file, and then click Next. Typically, you do not specify a path for the certificate because the connection certificate is automatically provisioned during site role installation. 8. On the Proxy Server Settings page, specify whether the Asset Intelligence synchronization point will use a proxy server when connecting to System Center Online to synchronize the catalog and whether to use credentials to connect to the proxy server, and then click Next. Warning If a proxy server is required to connect to System Center Online, the connection certificate might also be deleted if the user account password expires for the account configured for proxy server authentication. 9. On the Synchronization Schedule page, specify whether to synchronize the Asset Intelligence catalog on a schedule. When you enable the synchronization schedule, you specify a simple or custom synchronization schedule. During scheduled synchronization, the Asset Intelligence synchronization point connects to System Center Online to retrieve the latest Asset Intelligence catalog. You can manually synchronize the Asset Intelligence catalog from the Asset Intelligence node in the Configuration Manager console. For the steps to manually synchronize the Asset Intelligence catalog, see the To manually
2072

synchronize the Asset Intelligence catalog section in the Operations for Asset Intelligence in Configuration Manager. 10. On the Summary page of the New Site Role Wizard, review the settings you have specified to ensure that they are correct before you continue. To make changes to any settings, click Previous until you return to the appropriate page, make the change, and return to the Summary page.

Enable Auditing of Success Logon Events

Use the following procedure to configure computer security policy logon settings to enable auditing of Success logon events. To enable success logon event logging by using a local security policy 1. On a Configuration Manager client computer, click Start, point to Administrative Tools, and then click Local Security Policy. 2. In the Local Security Policy dialog box, under Security Settings, expand Local Policies, and then click Audit Policy. 3. In the results pane, double-click Audit logon events, ensure that the Success check box is selected, and then click OK. To enable success logon event logging by using an Active Directory domain security policy 1. On a domain controller computer, click Start, point to Administrative Tools, and then click Domain Security Policy. 2. In the Local Security Policy dialog box, under Security Settings, expand Local Policies, and then click Audit Policy. 3. In the results pane, double-click Audit logon events, ensure that the Success check box is selected, and then click OK.

Import Software License Information

The following sections describe the procedures necessary to import both Microsoft and general software licensing information into the Configuration Manager site database by using the Import Software License Wizard. When you import software license information into the site database from license statement files, the site server computer account requires Full Control permissions for the NTFS file system to the file share that is used to import software license information. Important When software license information is imported into the site database, existing software license information is overwritten. Ensure that the software license information file that you use with the Import Software License Wizard contains a complete listing of all necessary software license information.

2073

To import software license information into the Asset Intelligence catalog 1. In the Asset and Compliance workspace, click Asset Intelligence. 2. On the Home tab, in the Asset Intelligence group, click Import Software Licenses. The Import Software License Wizard opens. 3. On the Welcome page, click Next. 4. On the Import page, specify whether you are importing a Microsoft Volume Licensing (MVLS) file (.xml or .csv) or a General License Statement file (.csv). For more information about creating a General License Statement file, see Create a General License Statement Information File for Import later in this topic. Warning To download an MVLS file in .csv format that you can import to the Asset Intelligence catalog, see Microsoft Volume Licensing Service Center. To access this information, you must have a registered account on the website. You must contact your Microsoft account representative for information about how to get your MVLS file in .xml format. 5. Enter the UNC path to the license statement file or click Browse to select a network shared folder and file. Note The shared folder should be correctly secured to prevent unauthorized access to the licensing information file, and the computer account of the computer that the wizard is being run on must have Full Control permissions to the share that contains the license import file. 6. On the Summary page, review the information you have specified to ensure that it is correct before continuing. To make any changes, click Previous to return to the Import page.

Create a General License Statement Information File for Import

A general license statement can also be imported into the Asset Intelligence catalog by using a manually created license import file in comma delimited (.csv) file format. Note While only the Name, Publisher, Version, and EffectiveQuantity fields are required to contain data, all fields must be entered on the first row of the license import file. All date fields should be displayed in the following format: Month/Day/Year, for example, 08/04/2008. Asset Intelligence matches the products that you specify in the general license statement by using the product name and product version, but not publisher name. You must use a product name in the general license statement that is an exact match with the product name stored in the site database. Asset Intelligence takes the EffectiveQuantity number given in the general
2074

license statement and compares the number with the number of installed products found in Configuration Manager inventory. Tip To get a complete list of the product names stored in the Configuration Manager site database, you can run the following query on the site database: SELECT ProductName0 FROM v_GS_INSTALLED_SOFTWARE. You can specify exact versions for a product or specify part of the version, such as only the major version. The following examples provide the resulting version matches for a general license statement version entry for a specific product.
General license statement entry Matching site database entries

Name: MySoftware, ProductVersion0: 2

ProductName0: Mysoftware, ProductVersion0: 2.01.1234 ProductName0: MySoftware, ProductVersion0: 2.02.5678 ProductName0: MySoftware, ProductVersion0: 2.05.1234 ProductName0: MySoftware, ProductVersion0: 2.05.5678 ProductName0: MySoftware, ProductVersion0: 2.05.3579.000 ProductName0: MySoftware, ProductVersion0: 2.10.1234

Name: MySoftware, Version 2.05

ProductName0: MySoftware, ProductVersion0: 2.05.1234 ProductName0: MySoftware, ProductVersion0: 2.05.5678 ProductName0: MySoftware, ProductVersion0: 2.05.3579.000

Name: Mysoftware, Version 2 Name: Mysoftware, Version 2.05

Error during import. The import fails when more than one entry matches the same product version.

The following procedure describes the process that can be used to create a general license statement import file by using Microsoft Excel. To create a general license statement import file by using Microsoft Excel 1. Open Microsoft Excel and create a new spreadsheet.
2075

2. On the first row of the new spreadsheet, enter all software license data field names. 3. On the second and subsequent rows of the new spreadsheet, enter software license information as required. Ensure that at least all of the required software license data fields are entered on subsequent rows for each software license to be imported. The software title name entered in the spreadsheet must be the same as the software title that is displayed in Resource Explorer for a client computer after hardware inventory has run. 4. On the File menu, click Save As, and then save the file in .csv format. 5. Copy the .csv file to the file share that is used to import software license information into the Asset Intelligence catalog. 6. In the Configuration Manager console, use the Import Software License Wizard to import the newly created .csv license information file. 7. Run the Asset Intelligence License 15A Third Party Software Reconciliation Report to verify that the licensing information has been successfully imported into the Asset Intelligence catalog. Note For an example of a general software license file that you can use for testing purposes, see Example Asset Intelligence General License Import File.

Sample Table to Describe Software Licenses

When creating a general license statement import file, the information in the following table can be used to describe software licenses to be imported into the Asset Intelligence catalog.
Column name Data type Required Example

Name Publisher Version

Up to 255 characters Up to 255 characters Up to 255 characters

Yes Yes Yes

Software title Software publisher Software title version Software title language Number of licenses purchased Purchase order information Reseller information Date of license purchase

Language

Up to 255 characters

Yes

EffectiveQuantity

Integer value

Yes

PONumber

Up to 255 characters

No

ResellerName DateOfPurchase

Up to 255 characters Date value in the following format:

No No

2076

Column name

Data type

Required

Example

MM/DD/YYYY SupportPurchased Bit value No 0 or 1: Enter 0 for Yes, or 1 for No End date of purchased support

SupportExpirationDate

Date value in the following format: MM/DD/YYYY Up to 255 characters

No

Comments

No

Optional comments

Configure Asset Intelligence Maintenance Tasks

The following maintenance tasks are available for Asset Intelligence: Check Application Title with Inventory Information : This maintenance task checks that the software title that is reported in software inventory is reconciled with the software title in the Asset Intelligence catalog. By default, this task is enabled and scheduled to run on Saturday after 12:00 A.M. and before 5:00 A.M. This maintenance task is only available at the top-level site in your Configuration Manager hierarchy. Summarize Installed Software Data: This maintenance task provides the information that is displayed in the Assets and Compliance workspace, in the Inventoried Software node, under the Asset Intelligence node. When the task runs, Configuration Manager gathers a count for all inventoried software titles at the primary site. By default, this task is enabled and scheduled to run every day after 12:00 A.M. and before 5:00 A.M. This maintenance task is available only on primary sites. To configure Asset Intelligence maintenance tasks 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, and then click Sites. 3. Select the site on which to configure the Asset Intelligence maintenance task. Note The Summarize Installed Software Data maintenance task is available only on primary sites. 4. On the Home tab, in the Settings group, click Site Maintenance. A list of all available site maintenance tasks appears. 5. Select the desired maintenance task, and then click Edit to modify the settings. 6. Enable and configure the maintenance task. To minimize interference with the site operation, we recommend that you set the time period to off-peak hours of the site. The time period is the time interval in which the task can run. It is defined by the Start after and Latest start time specified in the Task Properties dialog box. Warning
2077

You can initiate the task right away by selecting the current day and setting the Start after time to a couple minutes after the present time. 7. Click OK to save your settings. The task now runs according to its schedule. Note If a task fails to run on the first attempt, Configuration Manager attempts to rerun the task until either the task runs successfully or until the time period in which the task can run has passed.

See Also
Asset Intelligence in Configuration Manager

Operations for Asset Intelligence in Configuration Manager

Use the following sections in this topic to help you manage typical Asset Intelligence operations in your System Center 2012 Configuration Manager hierarchy: View Asset Intelligence Information Asset Intelligence Home Page Asset Intelligence Reports

Synchronize the Asset Intelligence Catalog Customize the Asset Intelligence Catalog Software Categories Software Families Software Labels Hardware Requirements

Modify Categorization Information for Inventoried Software Request a Catalog Update for Uncategorized Software Titles Resolve Software Details Conflicts

View Asset Intelligence Information

You can view Asset Intelligence information on the Asset Intelligence home page and in Asset Intelligence reports.

Asset Intelligence Home Page

The Asset Intelligence home page displays a summary dashboard for Asset Intelligence catalog information. On the home page, you can view information about catalog synchronization and
2078

inventoried software status. The Asset Intelligence home page is divided into the following sections: Catalog Synchronization: Provides information about whether Asset Intelligence is enabled, the current status of the Asset Intelligence synchronization point, the synchronization schedule, whether the customer license statement is imported, when status was last updated and the time for the next scheduled update, and the number of changes that occurred after the Asset Intelligence synchronization point site system was installed. Note The Asset Intelligence catalog synchronization section of the Asset Intelligence home page is only displayed if an Asset Intelligence synchronization point site system role has been installed. Inventoried Software Status: Provides the count and percentage of inventoried software, software categories, and software families that are identified by Microsoft, identified by an administrative user, pending online identification, or unidentified and not pending. The information displayed in table format shows the count for each, while the information displayed in the chart shows the percentage for each.

Use the following procedure to view Asset Intelligence information on the Asset Intelligence home page. To view Asset Intelligence information on the Asset Intelligence home page 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Asset and Compliance workspace, click Asset Intelligence. The Asset Intelligence reports are displayed.

Asset Intelligence Reports

There are over 60 Asset Intelligence reports that display the information collected by Asset Intelligence. Many of these reports link to more specific reports in which you can query for general information and drill down to more detailed information. The Asset Intelligence reports are located in the Configuration Manager console, in the Monitoring workspace, under the Reporting node. The reports provide information about hardware, license management, and software. For more information about reports in Configuration Manager, see Reporting in Configuration Manager. Note The accuracy of installed software title quantities and license information displayed in Asset Intelligence reports might vary from the actual number of software titles installed or licenses in use in the environment because of the complex dependencies and limitations involved in inventorying software license information for software titles installed in enterprise environments. Asset Intelligence reports should not be used as the sole source for determining purchased software license compliance.

2079

Use the following procedure to view Asset Intelligence information by using the Asset Intelligence reports. To view collected Asset Intelligence information by using Asset Intelligence reports 1. In the Configuration Manager console, click Monitoring. 2. In the Monitoring workspace, expand Reporting, expand Reports, and click Asset Intelligence. The Asset Intelligence reports are displayed. Warning If no report folders exist under the Reports node, verify that you have configured reporting. For more information, see Configuring Reporting in Configuration Manager. 3. Select the Asset Intelligence report that you want to run, and then on the Home tab, in the Report Group group, click Run.

Synchronize the Asset Intelligence Catalog

You can synchronize the local Asset Intelligence catalog with System Center Online to retrieve the latest software title categorization. When you manually request catalog synchronization with System Center Online, it could take 15 minutes or longer to complete the synchronization process with System Center Online. Configuration Manager updates the Last Successful Update setting on the Asset Intelligence home page with the current time for when synchronization successfully finishes. Note An Asset Intelligence synchronization point site system role must first be installed before by using the procedures. For information about installing an Asset Intelligence synchronization point, see Install an Asset Intelligence Synchronization Point. Use the following procedure to create a synchronization schedule for the Asset Intelligence catalog. To create a synchronization schedule for the Asset Intelligence catalog 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, click Asset Intelligence. 3. On the Home tab, in the Create group, click Synchronize, and then click Schedule Synchronization. 4. In the Asset Intelligence Synchronization Point Schedule dialog box, select Enable synchronization on a schedule, and then configure a simple or custom schedule. 5. Click OK to save the changes. Note For information about the synchronization schedule, including the next scheduled
2080

synchronization, see the Asset Intelligence node in the Assets and Compliance workspace on the top-level site of the hierarchy. Use the following procedure to manually synchronize the Asset Intelligence catalog. Warning System Center Online accepts only one manual synchronization request in a 12-hour period. To manually synchronize the Asset Intelligence catalog 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, click Asset Intelligence. 3. On the Home tab, in the Create group, click Synchronize, click Synchronize Asset Intelligence Catalog, and then click OK.

Customize the Asset Intelligence Catalog

Asset Intelligence catalog categorization information received from System Center Online is stored in the site database with read-only permissions and cannot be modified or deleted. However, you can create, modify, and delete custom software categories, software families, software labels, and hardware requirements catalog information. Then you can use custom categorization data instead of the information supplied by System Center Online for existing or user-defined software title information. When you change or add categorization information, the catalog information is considered user-defined. User-defined categorization information is stored in different database tables than validated catalog information.

Software Categories
Asset Intelligence software categories are used to broadly categorize inventoried software titles and are also used as high-level groupings of more specific software families. For example, a software category could be energy companies, and a software family within that software category could be oil and gas or hydroelectric. Many software categories are predefined in the Asset Intelligence catalog, and additional user-defined categories can be created to further define inventoried software. The validation state for all predefined software categories is always Validated, while custom software category information added to the Asset Intelligence catalog is User Defined. Use the following procedure to create a user-defined software category. To create a user-defined software category 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, click Asset Intelligence, and then click Catalog. 3. On the Home tab, in the Create group, click Create Software Category.
2081

4. On the General page, enter a name for the new software category and, optionally, a description. Note The validation state for all new custom software categories is always set to User Defined. Click Next. 5. On the Summary page, review the settings, and then click Next. 6. On the Completion page, click Close to exit the wizard.

Software Families
Asset Intelligence software families are used to further define inventoried software titles within software categories. For example, a software category could be energy companies, and a software family within that software category could be oil and gas or hydroelectric. Many software families are predefined in the Asset Intelligence catalog, and additional user-defined families can be created to define inventoried software. The validation state for all predefined software families is always Validated, while custom software family information added to the Asset Intelligence catalog is User Defined. Use the following procedure to create a user-defined software family. To create a user-defined software family 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, click Asset Intelligence, and then click Catalog. 3. On the Home tab, in the Create group, click Create Software Family. 4. On the General page, enter a name for the new software family and, optionally, a description. Note The validation state for all new custom software families is always set to User Defined. 5. On the Summary page, review the settings, and then click Next. 6. On the Completion page, click Close to exit the wizard.

Software Labels
Asset Intelligence custom software labels let you create filters that you can use to group software titles and view them by using Asset Intelligence reports. For example, you can create a software label called shareware, associate it with a number of applications, and then run a report that shows you all titles with the software label of shareware. The validation state is User Defined for all custom software labels that you add to the Asset Intelligence catalog.
2082

Use the following procedure to create a user-defined custom label. To create a user-defined software label 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, click Asset Intelligence, and then click Catalog. 3. On the Home tab, in the Create group, click Create Software Label. 4. On the General page, enter a name for the new software family and, optionally, a description. Note The validation state for all new custom software labels is always set to User Defined. 5. On the Summary page, review the settings, and then click Next. 6. On the Completion page, click Close to exit the wizard.

Hardware Requirements
Hardware requirements information can help you verify that computers meet the hardware requirements for software titles before they are targeted for software deployments. Many hardware requirements are predefined in the Asset Intelligence catalog, and you can create new user-defined hardware requirement information to meet custom requirements. The validation state for all predefined hardware requirements is always Validated, while user-defined hardware requirements information added to the Asset Intelligence catalog is User Defined. Important The hardware requirements displayed in the Configuration Manager console are retrieved from the Asset Intelligence catalog on the local computer and are not based on inventoried software title information from System Center 2012 Configuration Manager clients. Hardware requirements information is not updated as part of the synchronization process with System Center Online. You can create user-defined hardware requirements for inventoried software that does not have associated hardware requirements. Use the following procedure to create a user-defined hardware requirement. To create a user-defined hardware requirements 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, click Asset Intelligence, and then click Hardware Requirements. 3. On the Home tab, in the Create group, click Create Hardware Requirements. 4. On the General page, enter the following information: a. Software title: Specifies the software title for which the hardware requirements are associated. The software title cannot already exist in the Asset Intelligence catalog.
2083

b. Validation state: Lists the validation state as User Defined for the hardware requirements. You cannot modify this setting. c. Minimum CPU (MHz): Specifies the minimum processor speed, in megahertz (MHz), required by the software title.

d. Minimum RAM (KB): Specifies the minimum RAM, in kilobytes (KB), required by the software title. e. Minimum Disk Space (KB): Specifies the minimum free disk space, in KB, required by the software title. f. Minimum Disk Size (KB): Specifies the minimum hard disk size, in KB, required by the software title.

Click Next. 5. On the Summary page, review the settings, and then click Next. 6. On the Completion page, click Close to exit the wizard.

Modify Categorization Information for Inventoried Software

Predefined software in the Asset Intelligence catalog is configured with specific categorization information, such as product name, vendor, software category, and software family. When the predefined categorization information does not meet your requirements, you can modify the information in the properties for the software title. When you modify categorization information for predefined software, the validation state for the software changes from Validated to User Defined. Important The categorization information can only be modified at the top-level site. Use the following procedure to modify categorization information for inventoried software. To modify the categorizations for software titles 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, click Asset Intelligence, and then click Inventoried Software. 3. Select a software title or select multiple software titles for which you want to modify categorizations. 4. On the Home tab, in the Properties group, click Properties. 5. On the General tab, you can modify the following categorization information: Product Name: Specifies the name of the inventoried software title. Vendor: Specifies the name of the vendor that developed the inventoried software title. Category: Specifies the software category that is currently assigned to the inventoried software title. Family: Specifies the software family that is currently assigned to the inventoried
2084

software title. 6. Click OK to save the changes. Use the following procedure to revert software to the original categorization information.

Revert Categorization Information to Original Settings for Software

Configuration Manager stores categorization information obtained from System Center Online in the database. The information cannot be deleted. After the information has been modified, you can revert the categorization information back to the System Center Online categorization. Inventoried software that is not in the Asset Intelligence catalog can also be reverted back to the original settings. Use the following procedure to revert categorization information to the original settings. To revert categorization information to original settings 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, click Asset Intelligence, and then click Inventoried Software. 3. Select a software title or select multiple software titles that you want to revert to the original settings. Only software that has a User Defined state can be reverted. Tip Click the State column to sort by the validation state. Sorting lets you see all software by validation state and quickly select multiple items to revert to the original settings. 4. On the Home tab, in the Product group, click Revert. 5. Click Yes to revert the software to the original categorization information. 6. When you revert categorization information for software that is in the Asset Intelligence catalog, the validation state changes from User Defined to Validated. When you revert software that is not in the catalog, the validation state changes from User Defined to Uncategorized.

Request a Catalog Update for Uncategorized Software Titles

Uncategorized software title information can be submitted to System Center Online for research and categorization. After an uncategorized software title is submitted, and there are at least 4 categorization requests from customers for the same software title, researchers identify, categorize, and then make the software title categorization information available to all customers that are using the System Center Online service. Microsoft gives the highest priority to software titles that have the most requests for categorization. Custom software and line-of-business
2085

applications are unlikely to receive a category, and as a best practice, you should not send these software titles to Microsoft for categorization. When software title information is submitted to System Center Online for categorization, the following conditions apply: Only basic software title information is transmitted to System Center Online, and software title information to be categorized can be reviewed before submission. Software license information is never transmitted. Any software title that is uploaded becomes publicly available as part of the System Center Online catalog and can be downloaded by other customers. The source of the software title is not stored in the System Center Online catalog. However, application titles containing confidential or proprietary information should not be submitted for categorization by System Center Online. Note For more information about Asset Intelligence privacy information, see Security and Privacy for Asset Intelligence in Configuration Manager. Use the following procedure to request Asset Intelligence catalog software title categorization from System Center Online. To request a catalog update for uncategorized software titles 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, click Asset Intelligence, and then click Inventoried Software. 3. Select a product name or select multiple product names, to be submitted to System Center Online for categorization. Only uncategorized inventoried software titles can be submitted to System Center Online for categorization. If an inventoried software title has been categorized by an administrator resulting in a user-defined state, you must rightclick the inventoried software title, and then click Revert to revert the software title to the Uncategorized state before it can be submitted to System Center Online for categorization. Note Configuration Manager can process up to 100 software titles for categorization at a time. If you select more than 100 software titles, only the first 100 software titles will be processed. You must select the remaining software titles for categorization in batches of less than 100. Tip Click the State column to sort by the validation state. This lets you see all uncategorized product names and quickly select multiple items to submit for categorization. 4. On Home tab, in the Product group, click Request Catalog Update. 5. Review the System Center Online categorization submission privacy message. Click
2086

Details to view the information that will be sent to System Center Online. 6. Select I have read and understood this message, and then click OK to allow the selected software titles to be submitted for categorization. 7. Verify that the state of the inventoried software product names submitted to System Center Online for categorization has changed from Uncategorized to Pending. Note Software that is submitted to System Center Online for categorization has a validation state of Pending on a central administration site is still displayed with a validation state of Uncategorized on child primary sites.

Resolve Software Details Conflicts

After newly updated software categorization details have been received from System Center Online that conflict with existing software details information, you can choose how to resolve the conflict. Software that has a current conflict has a validation state of Updatable. After a software details conflict has been resolved, the software categorization information is retained in the Asset Intelligence catalog according to the setting that you specify. A software details conflict does not occur for the same software categorization value again unless the System Center Online value changes after the conflict has been resolved. Use the following procedure to resolve a software details conflict. To resolve a software details conflict 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, click Asset Intelligence, and then click Inventoried Software. 3. Review the State column for software titles in the Updatable state. 4. Select the software title for which you have to resolve a conflict, and then on the Home tab, in the Product group, and click Resolve Conflict. 5. Review the following information: Local value: Specifies the existing software categorization information in the Asset Intelligence catalog that conflicts with newer System Center Online software categorization details. Downloaded value: Specifies the new System Center Online software categorization information for conflicting Asset Intelligence catalog software categorization information. Do not change the locally edited catalog information value: Resolves the software details conflict by retaining the existing Asset Intelligence catalog software categorization information. When you select this setting, the software title state changes from Updatable to User Defined. Overwrite the locally edited catalog information value with the downloaded
2087

6. Select one of the following settings to resolve the software details conflict:

System Center Online value: Resolves the software details conflict by overwriting the existing Asset Intelligence catalog software categorization information with new information obtained from System Center Online. When you select this setting, the software title state changes from Updatable to Validated. Click OK to save the conflict resolution.

See Also
Asset Intelligence in Configuration Manager

Security and Privacy for Asset Intelligence in Configuration Manager

This topic contains security and privacy information for Asset Intelligence in Configuration Manager.

Security Best Practices for Asset Intelligence

Use the following security best practices for when you use Asset Intelligence.
Security best practice More information

When you import a license file (Microsoft Volume Licensing file or a General License Statement file), secure the file and communication channel.

Use NTFS file system permissions to ensure that only authorized users can access the license files and use Server Message Block (SMB) signing to ensure the integrity of the data when it is transferred to the site server during the import process. Use role-based administration to grant the Manage Asset Intelligence permission to the administrative user who imports license files. The built-in role of Asset Manager includes this permission.

Use the principle of least permissions to import the license files.

Privacy Information for Asset Intelligence

Asset Intelligence extends the inventory capabilities of Configuration Manager to provide a higher level of asset visibility in the enterprise. Asset Intelligence information collection is not automatically enabled. You can modify the type of information collected by enabling hardware

2088

inventory reporting classes. For more information, see Enable Asset Intelligence Hardware Inventory Reporting Classes. Asset Intelligence information is stored in the Configuration Manager database in the same manner as inventory information. When clients connect to management points by using HTTPS, the data is always encrypted during transfer to the management point. When clients connect by using HTTP, you can configure the inventory data transfer to be signed and encrypted. Inventory data is not stored in encrypted format in the database. Information is retained in the database, until the site maintenance task Delete Aged Inventory History deletes it in intervals of every 90 days. You can configure the deletion interval. Asset Intelligence does not send information about users and computers or license usage to Microsoft. You can choose to send System Center Online requests for categorization, which means that you can tag one or more software titles that are uncategorized and send them to System Center Online for research and categorization. After a software title is uploaded, Microsoft researchers identify, categorize, and then make that knowledge available to all customers who use the on-line service. You should be aware of the following privacy implications of submitting information to System Center Online: Upload applies only to generic software title information (name, publisher, and so on) that you choose to send to System Center Online. Inventory information is not sent with an upload. Upload never occurs automatically, and the system is not designed for this task to be automated. You must manually select and approve the upload of each software title. A dialog box shows you exactly what data is going to be uploaded, before the upload process starts. License information is not sent to Microsoft. The license information is stored in a separate area of the Configuration Manager database, and it cannot be sent to Microsoft. Any software title that is uploaded becomes public, in the sense that the knowledge of that given application and its categorization become part of the System Center Online Asset Intelligence catalog, and then is downloaded to other consumers of the catalog. The source of the software title is not recorded in the Asset Intelligence catalog, and it is not made available to other customers. However, you must still verify that you do not load any application titles that contain any private information. Uploaded data cannot be recalled.

Before you configure Asset Intelligence data collection and decide whether to submit information to System Center Online, consider the privacy requirements of your organization.

See Also
Asset Intelligence in Configuration Manager

2089

Technical Reference for Asset Intelligence in Configuration Manager

This section contains technical reference information for Asset Intelligence in System Center 2012 Configuration Manager.

Technical Reference
Example Validation State Transitions for Asset Intelligence Example Asset Intelligence General License Import File

Other Resources for this Product

Inventory in Configuration Manager Asset Intelligence in Configuration Manager

Example Validation State Transitions for Asset Intelligence

Asset Intelligence validation states are not static and can change from administrative actions that you take to affect the data that are stored in the Asset Intelligence catalog. This topic provides the following examples for possible validation state transitions: Uncategorized Catalog Item Is Categorized by the Administrative User Categorized Catalog Item Is Re-categorized by the Administrative User User-Defined Catalog Item Is Recategorized by System Center Online Uncategorized Catalog Item Is Submitted to System Center Online for Categorization User-Defined Catalog Item Is Submitted to System Center Online for Categorization

Uncategorized Catalog Item Is Categorized by the Administrative User

State transition State transition description

Uncategorized

An inventoried software title that has not been previously categorized by System Center Online or that the administrative user has entered into the Asset Intelligence catalog. The uncategorized item is categorized by the
2090

Uncategorized to User Defined

State transition

State transition description

administrative user.

Categorized Catalog Item Is Re-categorized by the Administrative User

State transition State transition description

Validated

Catalog item has been defined by System Center Online researchers and is present in the Asset Intelligence catalog. The validated catalog item is re-categorized by the administrative user. Note Because categorization information obtained from System Center Online is stored in the database and cannot be deleted, the administrative user can revert back to the System Center Online categorization later.

Validated to User Defined

User-Defined Catalog Item Is Recategorized by System Center Online

State transition State transition description

Uncategorized

An inventoried software title is entered into the Asset Intelligence catalog that has not been previously categorized by System Center Online or the administrative user. The uncategorized item is categorized by the administrative user. A user-defined catalog item has been categorized differently by System Center Online during subsequent manual bulk updates of the Asset Intelligence catalog.
2091

User Defined

User Defined to Updateable

State transition

State transition description

The administrative user can use the Software Details Conflict Resolution dialog box to decide whether to use the new categorization information or the previous user-defined value. Updateable to Validated The administrative user uses the Software Details Conflict Resolution dialog box to use the new categorization information received from System Center Online during the previous catalog update.

or Updateable to User Defined The administrative user uses the Software Details Conflict Resolution dialog box to use the previous user-defined value. Note Because categorization information obtained from System Center Online is stored in the database and cannot be deleted, the administrative user can revert back to the System Center Online categorization later.

Uncategorized Catalog Item Is Submitted to System Center Online for Categorization

State transition State transition description

Uncategorized

An inventoried software title is entered into the Asset Intelligence database that has not been previously categorized by System Center Online or the administrative user. The uncategorized item is submitted to System Center Online for categorization by the administrative user. The item is categorized by System Center Online. The administrative user imports the item into the Asset Intelligence catalog by using a bulk catalog update or Asset Intelligence
2092

Uncategorized to Pending

Pending to Validated

State transition

State transition description

catalog synchronization. Both are available by using the Asset Intelligence synchronization point site system role.

User-Defined Catalog Item Is Submitted to System Center Online for Categorization

State transition State transition description

Uncategorized

An inventoried software title is entered into the Asset Intelligence database that has not been previously categorized by an administrative user or System Center Online. You categorized the uncategorized item. You submit the user-defined item to System Center Online for categorization. A user-defined catalog item has been categorized differently by System Center Online during subsequent catalog synchronization. You can use the Resolve Conflict action to decide whether to use the new categorization information or the previous user-defined value. For more information about resolving conflicts, see Resolve Software Details Conflicts. You use the Resolve Conflict action and select the new categorization information received from System Center Online during the previous catalog update. For more information about resolving conflicts, see Resolve Software Details Conflicts.

User Defined User Defined to Pending

Pending to Updateable

Updateable to Validated

or Updateable to User Defined You use the Resolve Conflict action and select to use the previous user-defined value. For more information about resolving conflicts, see Resolve Software Details Conflicts. Note
2093

State transition

State transition description

Because categorization information obtained from System Center Online is stored in the database and cannot be deleted, you can revert back to the System Center Online categorization later.

See Also
Technical Reference for Asset Intelligence in Configuration Manager

Example Asset Intelligence General License Import File

The example information in this topic can be used to create a sample general software license file to import software licenses into the Asset Intelligence catalog by using the Import Software License Wizard. You can copy and paste the following table into a new Microsoft Excel spreadsheet and save it with a .csv file name extension to be used as an example general software license import file for testing purposes. When creating the license import file, all header fields are required while only Name, Publisher, Version, and EffectiveQuantity data values are required in the spreadsheet. For more information about importing software licenses to the Asset Intelligence catalog, see Import Software License Information.
Nam e Publi Ver sher sio n Lang uage Effective Quantity PONu mber Reselle rName DateOfP urchase SupportP urchased SupportExpi Com rationDate ment s

Soft war e Title 1 Soft war e title 2 Soft

Soft 1.0 ware 1 publi sher

Engli 1 sh

Purc Resell hase er numb name er

10/10/2 010

10/10/2012

Com ment

Soft 1.0 ware 2 publi sher

Engli 1 sh

Purc Resell hase er numb name er

10/10/2 010

10/10/2012

Com ment

Soft

1.0

Engli 1

Purc

Resell

10/10/2

10/10/2012

Com
2094

Nam e

Publi Ver sher sio n

Lang uage

Effective Quantity

PONu mber

Reselle rName

DateOfP urchase

SupportP urchased

SupportExpi Com rationDate ment s

war e title 3 Soft war e title 4 Soft war e title 5 Soft war e title 6 Soft war e title 7 Soft war e title 8 Soft war e title 9 Soft war

ware 3 publi sher

sh

hase er numb name er

010

ment

Soft 1.0 ware 4 publi sher

Engli 1 sh

Purc Resell hase er numb name er

10/10/2 010

10/10/2012

Com ment

Soft 1.0 ware 5 publi sher

Engli 1 sh

Purc Resell hase er numb name er

10/10/2 010

10/10/2012

Com ment

Soft 1.0 ware 6 publi sher

Engli 1 sh

Purc Resell hase er numb name er

10/10/2 010

10/10/2012

Com ment

Soft 1.0 ware 7 publi sher

Engli 1 sh

Purc Resell hase er numb name er

10/10/2 010

10/10/2012

Com ment

Soft 1.0 ware 8 publi sher

Engli 1 sh

Purc Resell hase er numb name er

10/10/2 010

10/10/2012

Com ment

Soft 1.0 ware 9 publi sher

Engli 1 sh

Purc Resell hase er numb name er

10/10/2 010

10/10/2012

Com ment

Soft 1.1 ware 0

Engli 1 sh

Purc hase

Resell er

10/10/2 010

10/10/2012

Com ment
2095

Nam e

Publi Ver sher sio n

Lang uage

Effective Quantity

PONu mber

Reselle rName

DateOfP urchase

SupportP urchased

SupportExpi Com rationDate ment s

e title 10

publi sher

numb name er

See Also
Technical Reference for Asset Intelligence in Configuration Manager

Power Management in Configuration Manager

Power management in System Center 2012 Configuration Manager provides a set of tools and resources that you can use to manage and monitor the power consumption of client computers in the enterprise.

Power Management Topics

Use the following topics to help you find information about power management. Introduction to Power Management in Configuration Manager Planning for Power Management in Configuration Manager Configuring Power Management in Configuration Manager Operations and Maintenance for Power Management in Configuration Manager Security and Privacy for Power Management in Configuration Manager Technical Reference for Power Management in Configuration Manager

Other Resources for this Product

TechNet Library main page for System Center 2012 Configuration Manager Assets and Compliance in System Center 2012 Configuration Manager

2096

Introduction to Power Management in Configuration Manager

Power Management in System Center 2012 Configuration Manager addresses the need that many organizations have to monitor and reduce the power consumption of their computers. The feature takes advantage of the power management features built into Windows to apply relevant and consistent settings to computers in the organization. You can apply different power settings to computers during business hours and nonbusiness hours. For example, you might want to apply a more restrictive power plan to computers during nonbusiness hours. In cases where computers must always remain turned on, you can prevent power management settings from being applied. Power management in Configuration Manager includes several reports to help you analyze power consumption and computer power settings in your organization. You can also use the reports to help you troubleshoot problems with power management. For a detailed workflow about how to configure and use power management, see Administrator Checklist for Power Management in Configuration Manager. Important Configuration Manager power management is not supported on virtual machines. You cannot apply power plans to virtual machines, nor can you or report power data from them.

The Power Management Workflow

Use the following three phases to plan and implement power management in Configuration Manager.

Monitoring and Planning Phase

Power Management uses Configuration Manager hardware inventory to collect data about computer usage and power settings for computers in the site. There are a number of reports that you can use to analyze this data and determine the optimal power management settings for computers. For example, during the monitoring and planning phase of the power management workflow, you can create collections that are based on the data that is included in the Power Capabilities report and use that data to identify the computers that are not capable of power management. Then, you can exclude those computers from power management. Important Do not apply power plans to computers in your site until you collect and analyze the power data from client computers. If you apply new power management settings to computers without first examining the existing settings, you might experience an increase in power consumption.
2097

Enforcement Phase
Power management lets you create power plans that you can apply to collections of computers in your site. These power plans configure Windows power management settings on computers. You can use the power plans that are included with Configuration Manager, or you can configure your own custom power plans. You can use the power data that is collected during the monitoring and planning phase as a baseline to help you evaluate power savings after you apply a power plan to computers. For more information, see Administrator Checklist for Power Management in Configuration Manager.

Compliance Phase
In the compliance phase, you can run reports that help you to evaluate power usage and power cost savings in your organization. You can also run reports that describe the improvements in the amount of CO2 generated by computers. Reports are also available that help you validate that power settings were correctly applied to computers and that help you troubleshoot problems with the power management feature.

Whats New in Configuration Manager

Note The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide. The following items are new or have changed for power management since Configuration Manager 2007: If an administrative user enables this option, users can exclude computers from power management. Virtual machines are excluded from power management. Administrative users can copy power management settings from another collection. A new Computers Excluded report is now available. It displays the computers that are excluded from power management.

See Also
Power Management in Configuration Manager

Planning for Power Management in Configuration Manager

Use the following topics in this section to help you plan for power management in System Center 2012 Configuration Manager.
2098

In This Section
Prerequisites for Power Management in Configuration Manager Best Practices for Power Management in Configuration Manager Administrator Checklist for Power Management in Configuration Manager

See Also
Power Management in Configuration Manager

Prerequisites for Power Management in Configuration Manager

Power management in System Center 2012 Configuration Manager has external dependencies and dependencies within the product.

Dependencies External to Configuration Manager

The following table lists the dependencies external to Configuration Manager for using power management.
Dependency More information

Client computers must be able to support the required power states

To use all features of power management, client computers must be able to support the sleep, hibernate, wake from sleep, and wake from hibernate actions. You can use the Power Capabilities report to determine if computers can support these actions. For more information, see Power Capabilities Report in the topic How to Monitor and Plan for Power Management in Configuration Manager.

Configuration Manager Dependencies

The following table lists the dependencies within Configuration Manager for using power management.
Dependency More Information

Power management must be enabled before

For information about how to enable and

2099

Dependency

More Information

you can create and monitor power plans.

configure power management, see Configuring Power Management in Configuration Manager. You must configure a reporting services point before you can view power management reports. For more information, see Reporting in Configuration Manager.

Reporting services point

See Also
Planning for Power Management in Configuration Manager

Best Practices for Power Management in Configuration Manager

Use the following best practices for power management in System Center 2012 Configuration Manager.

Perform the monitoring phase at a representative time

The monitoring phase of power management provides you with information about the power consumption, activity, power management capabilities, and environmental impact of computers in your organization. Ensure that you choose a representative time to perform the monitoring phase. For example, performing the monitoring phase over a public holiday does not provide a realistic report on computer power usage.

Create a control collection of computers with no power plans applied

Create two collections of computers to help you monitor the effects of applying power plans to computers. The first collection should contain the majority of the computers to which you want to apply power settings and the other collection (the control collection) should contain the remaining computers. Apply the required power management plan to the collection containing the majority of computers. You can then run reports to compare the power cost, power usage and environmental impact of the computers to which you have applied power settings with the control collection that you have not applied power settings to.

2100

Run the Power Settings report before you apply a power management plan
Before you apply a power management plan to a collection of computers, run the Power Settings report to help you understand the power management settings that are already configured on computers in the collection. If you apply new power management settings to computers without first examining the existing settings, this might lead to an increase in power consumption.

Exclude computers that you do not want to manage

If you have computers that you do not want to manage with power management, add these to a collection and ensure that the collection is excluded from power management. Examples of computers you might want to exclude from power management include: Computers that must remain turned on. Computers that users need to connect to by using Remote Desktop Connection. Computers that cannot use power management. Server computers that must remain available at all times. Computers that have the distribution point site system role. Public computers such as kiosk computers, information displays or monitoring consoles where the computer and the monitor must always be turned on.

For more information, see Configuring Power Management in Configuration Manager.

First, apply power plans to a test collection of computers

Always test the effect of applying a power management plan on a test collection of computers before you apply the power plan to a larger collection of computers. Power settings applied to computers running Windows XP or Windows Server 2003 are not reverted to their original values even if you exclude the computer from power management. On later versions of Windows, excluding a computer from power management causes all power settings to be reverted to their original values. You cannot revert individual power settings to their original values.

Apply power plan settings individually

Monitor the effect of applying each power setting before you apply the next one to ensure each setting has the required effect. For more information about power plan settings, see Available Power Management Plan Settings in the topic How to Create and Apply Power Plans in Configuration Manager.
2101

Regularly monitor computers to see if they have multiple power plans applied
Power management includes a report that displays computers that have more than one power plan applied. If a computer is a member of multiple collections, each applying different power plans, then the following actions will be taken: Power plan: If multiple values for power settings are applied to a computer, the least restrictive value is used. Wakeup time: If multiple wakeup times are applied to a desktop computer, the time closest to midnight will be used. For more information, see Computers with Multiple Power Plans in the topic How to Monitor and Plan for Power Management in Configuration Manager. For more information about how power management resolves conflicts, see How to Create and Apply Power Plans in Configuration Manager.

Save or export power management information during the monitoring and planning phase of power management
Power management information used by daily reports is retained in the Configuration Manager site database for 31 days. Power management information used by monthly reports is retained in the Configuration Manager site database for 13 months. When you run reports during the monitoring and planning and compliance phases of power management, save or export the results from any reports for which you want to retain the data for later comparison in case they are later removed by Configuration Manager.

See Also
Planning for Power Management in Configuration Manager

Administrator Checklist for Power Management in Configuration Manager

This administrator checklist provides the recommended steps for using System Center 2012 Configuration Manager power management in your organization.

2102

Configuring Power Management

Use these steps to help you configure your hierarchy to collect power management information from client computers. Important Do not apply power plans to computers in your hierarchy until you have collected and analyzed power data from client computers. If you apply new power management settings to computers without first examining the existing settings, this might lead to an increase in power consumption.
Task Details

Review the power management concepts in the See Introduction to Power Management in Configuration Manager documentation library. Configuration Manager. Review the power management prerequisites in See Prerequisites for Power Management in the Configuration Manager documentation Configuration Manager. library. Review the best practices information for power See Best Practices for Power Management in management. Configuration Manager. Configure the following collections for power management: Collection for reporting of baseline data. Collection of computers to be excluded from power management. Collection of computers incapable of power management. Collections of computers to which power plans will be applied. Collections of computers that are running Windows Server. Before you can begin to use power management, you must enable it and configure the required client settings. For more information, see Configuring Power Management in Configuration Manager. Power management data is reported by clients through Configuration Manager hardware inventory. Depending on the hardware inventory schedule that you have configured, it might take some time to retrieve inventory from
2103

Use the collections listed to help you manage power settings for computers in your hierarchy. You can create multiple collections and apply different power plans to each collection.

Enable power management.

Collect power management information from client computers.

Task

Details

all client computers.

Monitoring and Planning Phase

Task Details

Run the report Computer Activity.

The Computer Activity report displays a graph showing monitor, computer, and user activity for a specified collection over a specified time period. This report links to the Computer Activity Details report which displays the sleep and wake capabilities of computers in the specified collection. For more information, see Computer Activity Report and Computer Activity Details Report in the topic How to Monitor and Plan for Power Management in Configuration Manager. The Energy Consumption and Energy Consumption by Day reports display the total monthly power consumption in kilowatt per hour (kWh) for a specified collection over a specified time period. For more information, see Energy Consumption Report and Energy Consumption by Day Report in the topic How to Monitor and Plan for Power Management in Configuration Manager. The Environmental Impact and Environmental Impact by Day reports display a graph showing carbon dioxide (CO2) emissions saved by a specified collection of computers for a specified period of time. For more information, see Environmental Impact Report and Environmental Impact by Day Report in the topic How to Monitor and Plan for Power Management in Configuration Manager. The Energy Cost and Energy Cost by Day reports display the total power consumption cost for a specified period of time. For more
2104

Run the report Energy Consumption or Energy Consumption by Day.

Run the report Environmental Impact or Environmental Impact by Day.

Run the report Energy Cost or Energy Cost by Day.

Task

Details

information, see Energy Cost Report and Energy Cost by Day Report in the topic How to Monitor and Plan for Power Management in Configuration Manager. Run the report Power Capabilities. The Power Capabilities report displays the power management capabilities of computers in the specified collection. For more information, see Power Capabilities Report in the topic How to Monitor and Plan for Power Management in Configuration Manager. The Power Settings report displays an aggregated list of the current power settings used by computers in a specified collection. For more information, see Power Settings Report in the topic How to Monitor and Plan for Power Management in Configuration Manager.. See Configuring Power Management in Configuration Manager.

Run the report Power Settings.

Exclude any required collections of computers from power management.

Important Ensure that you save the information from power management reports generated during the monitoring and planning phase. You can compare this data to power management information generated during the enforcement and compliance phases to help you evaluate, the power usage, power cost and environmental impact savings from applying a power plan to computers in your hierarchy.

Enforcement Phase
Task Details

Select existing power plans or create new See How to Create and Apply Power Plans in power plans for collections of computers in your Configuration Manager. organization. Apply these power plans to computers. See How to Create and Apply Power Plans in Configuration Manager.

2105

Compliance Phase
Task Details

Run the report Computer Activity.

The Computer Activity report displays a graph showing monitor, computer, and user activity for a specified collection over a specified time period. This report links to the Power Computer Activity Details report which displays the sleep and wake capabilities of computers in the specified collection. For more information, see Computer Activity Report and Computer Activity Details Report in the topic How to Monitor and Plan for Power Management in Configuration Manager. The Energy Consumption and Energy Consumption by Day reports display the total monthly power consumption in kilowatt per hour (kWh) for a specified collection over a specified time period. For more information, see Energy Consumption Report and Energy Consumption by Day Report in the topic How to Monitor and Plan for Power Management in Configuration Manager. The Environmental Impact and Environmental Impact by Day reports display a graph showing carbon dioxide (CO2) emissions saved by a specified collection of computers for a specified period of time. For more information, see Environmental Impact Report and Environmental Impact by Day Report in the topic How to Monitor and Plan for Power Management in Configuration Manager. The Energy Cost and Energy Cost by Day reports display the total power consumption cost for a specified period of time. For more information, see Energy Cost Report and Energy Cost by Day Report in the topic How to Monitor and Plan for Power Management in Configuration Manager.
2106

Run the report Energy Consumption or Energy Consumption by Day.

Run the report Environmental Impact or Environmental Impact by Day.

Run the report Energy Cost or Energy Cost by Day.

Troubleshooting
Use these steps to help you troubleshoot problems with power management.
Task Details

If computers in your hierarchy have not entered sleep or hibernate, run the report Insomnia Report to display possible causes.

The Insomnia Report displays a list of common causes that prevented computers from entering sleep or hibernate and the number of computers affected by each cause for a specified time period. For more information, see Insomnia Report in the topic How to Monitor and Plan for Power Management in Configuration Manager. See Computers with Multiple Power Plans in the topic How to Monitor and Plan for Power Management in Configuration Manager.

If multiple power plans are applied to one computer, then the least restrictive power plan is applied. Run the report Computers with Multiple Power Plans to see computers with multiple power plans applied.

See Also
Planning for Power Management in Configuration Manager

Configuring Power Management in Configuration Manager

Before you can use power management in System Center 2012 Configuration Manager, you must perform the following configuration steps.

Enable and Configure Power Management Client Settings

This procedure configures the default client settings for power management and will apply to all the computers in your hierarchy. If you want these settings to apply to only some computers, create a custom device client setting and assign it to a collection that contains the computers that you want to use power management. For more information about how to create custom device settings, see How to Create and Assign Custom Client Settings. To enable power management and configure client settings
2107

1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, click Client Settings. 3. Click Default Client Settings. 4. On the Home tab, in the Properties group, click Properties. 5. In the Default Client Settings dialog box, click Power Management. 6. Configure the following value for the power management client settings: Allow power management of devices From the drop-down list, select True to enable power management.

7. Configure the client settings that you require. For a list of power management client settings that you can configure, see the Power Management section in the About Client Settings in Configuration Manager topic. 8. Click OK to close the Default Client Settings dialog box. Client computers will be configured with these settings when they next download client policy. To initiate policy retrieval for a single client, see the Initiate Policy Retrieval for a Configuration Manager Client section in the How to Manage Clients in Configuration Manager topic.

Exclude Computers from Power Management

You can prevent collections of computers from receiving power management settings. If a computer is a member of any collection that is excluded from power management settings, that computer does not apply power management settings, even if it is a member of another collection that applies power management settings. You might want to exclude computers from power management for any of the following reasons: You have a business requirement for computers to be turned on at all times. You have created a control collection of computers on which you do not want to apply power management settings. Some of your computers are incapable of applying power management settings. You want to exclude computers that run Windows Server from power management. Note If the option Allow users to exclude their device from power management is configured in client settings, users can exclude their own computers from power management by using Software Center. To find out which computers have been excluded from power management, run the report Computers Excluded. For more information about this report see Computers Excluded in the topic How to Monitor and Plan for Power Management in Configuration Manager. Important Power settings that are applied to computers that run Windows XP or Windows Server 2003 are not reverted to their original values, even if you exclude the computer from
2108

power management. On later versions of Windows, excluding a computer from power management causes all power settings to be reverted to their original values. You cannot revert individual power settings to their original values. To exclude a collection of computers from power management 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, click Device Collections. 3. In the Device Collections list, select the collection that you want to exclude from power management and then, in the Home tab, in the Properties group, click Properties. 4. In the Power Management tab of the <Collection Name> Properties dialog box, select Never apply power management settings to computers in this collection . 5. Click OK to close the <Collection Name> Properties dialog box and to save your settings.

See Also
Power Management in Configuration Manager

Operations and Maintenance for Power Management in Configuration Manager

Use the information in this section to find out more about operations and maintenance for power management in System Center 2012 Configuration Manager.

In This Section
How to Monitor and Plan for Power Management in Configuration Manager How to Create and Apply Power Plans in Configuration Manager

See Also
Power Management in Configuration Manager

How to Monitor and Plan for Power Management in Configuration Manager

Use the following information to help you monitor and plan for power management in System Center 2012 Configuration Manager.
2109

How to Use Reports for Power Management

Power management in Configuration Manager includes several reports to help you analyze power consumption and computer power settings in your organization. The reports can also be used to help you troubleshoot problems. Before you can use the power management reports, you must configure reporting for your hierarchy. For more information about reporting in Configuration Manager, see Reporting in Configuration Manager. Note Power management information used by daily reports is retained in the Configuration Manager site database for 31 days. Power management information used by monthly reports is retained in the Configuration Manager site database for 13 months. When you run reports during the monitoring and planning and compliance phases of power management, save or export the results from any reports for which you want to retain the data for later comparison in case they are later removed by Configuration Manager.

List of Power Management Reports

The following lists details the power management reports that are available in Configuration Manager. Note Power management reports display the number of physical computers and the number of virtual computers in a selected collection. However, only power management information from physical computers is displayed in power management reports.

Computer Activity Report

The Computer Activity report displays a graph showing the following activity for a specified collection over a specified period: Computer On The computer has been turned on. Monitor On The monitor has been turned on. User Active Activity has been detected from the computer mouse, computer keyboard, or from a Remote Desktop connection to the computer

This report is used during the monitoring and planning and enforcement stages to help you understand the alignment between computer activity, monitor activity and user activity over a 24 hour period. If you run the report over a number of days then the data is aggregated over this
2110

period. This report can help you to determine typical business (peak) and nonbusiness (nonpeak) hours for a selected collection to help you decide when to apply configured power management plans. The graph shows time periods where a computer might be turned on, but there is no user activity. Consider applying more restrictive power settings during these times to save on the power costs of computers that are turned on, but are not being used. A computer is counted as being active if there has been computer, user or monitor activity for one minute or more for a displayed hour on the graph. If a computer is not reporting power management data, it will not be included in the Computer Activity report. Use the following parameters to configure this report.

Required Report Parameters

The following parameters must be specified to run this report.
Parameter Name Description

Start date

From the drop-down list, select the start date for this report. From the drop-down list, select an optional end date for this report. From the drop-down list, select a collection to use for this report. From the drop-down list, select the type of computer for which you want a report. Valid values are: All Reports on both desktop and portable computers. Desktop - Reports on desktop computers only. Laptop Reports on portable computers only.

End date (Optional)

Collection name

Device type

Hidden Report Parameters

This report has no hidden parameters that you can set.

Report Links
If a value for End date (optional) is not specified, this report contains a link to the following report which provides further information.

2111

Report Name

Details

Computer Activity Details

Click the Click for detailed information link to see a list of active, inactive and non-reporting computers for the specified date. For more information, see Computer Activity Details Report in this topic.

Computer Activity by Computer Report

The Computer Activity by Computer report displays a graph showing the following activity for a specified computer on a specified date: Computer On The computer has been turned on. Monitor On The monitor has been turned on. User Active Activity has been detected from the computer mouse, computer keyboard, or from a Remote Desktop connection to the computer.

This report can be run independently or called by the Computer Activity Details report. Note Information about computer activity is collected from client computers during hardware inventory. Depending on the time at which hardware inventory runs, activity during an applied peak or non-peak power plan might be collected. Use the following parameters to configure this report.

Required Report Parameters

The following parameters must be specified to run this report.
Parameter Name Description

Report date

From the drop-down list, select a date for this report. Enter a computer name for which you want a report.

Computer name

Hidden Report Parameters

This report has no hidden parameters that you can set.

Report Links
This report contains links to the following report which provides further information about the selected item.
2112

Report Name

Details

Computer Details

Click the Click for detailed information link to see the power capabilities, power settings, and applied power plans for the selected computer.

Computer Activity Details Report

The Computer Activity Details report displays a list of active or inactive computers with their sleep and wake capabilities. This report is called by the Computer Activity Report and is not designed to be run directly by the site administrator. Use the following parameters to configure this report.

Required Report Parameters

The following parameters must be specified to run this report.
Parameter Name Description

Collection name

From the drop-down list, select a collection to use for this report. From the drop-down list, select a date to use for this report. From the drop-down list, select an hour from the specified date for which to run this report. Valid values are between 12am and 11pm. From the drop-down list, select the computer state for which to run this report. Valid values are: All Displays computers that were turned on or turned off during the reporting period. On Displays only computers that were turned on during the reporting period. Off Displays only computers that were turned off, in sleep, or in hibernate during the reporting period.

Report date

Report hour

Computer state

Device type

From the drop-down list, select the type of computer for which you want a report. Valid values are:
2113

Parameter Name

Description

Sleep capable

All Reports on both desktop and portable computers. Desktop - Reports on desktop computers only. Laptop Reports on portable computers only.

From the drop-down list, select if you want to display computers capable of sleep in the report. Valid values are: All Report both computers that are capable of sleep and computers not capable of sleep. No Report only computers that are not capable of sleep. Yes Report only computers that are capable of sleep.

Wake from sleep capable

From the drop-down list, select if you want to display computers capable of wake from sleep in the report. Valid values are: All Report both computers that are capable of wake from sleep and computers that are not capable of wake from sleep. No Report only computers that are not capable of wake from sleep. Yes Report only computers that are capable of wake from sleep.

Power plan

From the drop-down list, select the power plan types you want to display in the report. Valid values are: All Displays computers that do not have any power management plans applied, computers that have a power management plan applied, and computers that have been excluded from power management. Not specified Displays only computers that do not have a power management plan applied. Defined Displays only computers that have a power management plan applied. Excluded Displays only computers that
2114

Parameter Name

Description

have been excluded from power management. Operating system From the drop-down list, select the computer operating systems that you want to display in the report or select All to display all operating systems.

Hidden Report Parameters

This report has no hidden parameters that you can set.

Report Links
This report contains links to the following report which provides further information about the selected item.
Report Name Details

Computer Activity by Computer

Click a computer name to see the following activity for the specified computer over a specified period: Computer On The computer has been turned on. Monitor On The monitor has been turned on. User Active Activity has been detected from the computer mouse, computer keyboard, or from a remote desktop connection to the computer.

For more information, see Computer Activity by Computer Report in this topic.

Computer Details Report

The Computer Details report displays detailed information about the power capabilities, power settings, and power plans applied to a specified computer. This report is called by the Computer Activity by Computer report, the Computers with Multiple Power Plans report, the Power Capabilities report and the Power Settings Details report. It is not designed to be run directly by the site administrator.
2115

Required Report Parameters

The following parameters must be specified to run this report.
Parameter Name Description

Computer name

Enter a computer name for which you want a report. From the drop down list, select the type of power settings you want to display in the report results. Select Plugged In to view the power settings configured for when the computer is plugged in and On Battery to view the power settings configured for when the computer is running on battery power.

Power mode

Hidden Report Parameters

This report has no hidden parameters you can set.

Report Links
This report does not link to any other power management reports.

Computer Not Reporting Details Report

The Computer Not Reporting Details report displays a list of computers in a specified collection that have not reported any power activity on a specified date and time. This report is called by the Computer Activity Report and is not designed to be run directly by the site administrator. Note Computers report power management information as part of their hardware inventory schedule. Before you consider a computer to not be reporting, ensure it has reported hardware inventory. Use the following parameters to configure this report.

Required Report Parameters

The following parameters must be specified to run this report.
Parameter Name Description

Collection name

From the drop-down list, select a collection to use for this report.

2116

Parameter Name

Description

Report date

From the drop-down list, select a date for this report. From the drop-down list, select an hour from the specified date for which to run this report. Valid values are between 12am and 11pm. From the drop-down list, select the type of computer for which you want a report. Valid values are: All Reports on both desktop and portable computers. Desktop - Reports on desktop computers only. Laptop Reports on portable computers only.

Report hour

Device type

Hidden Report Parameters

This report has no hidden parameters that you can set.

Report Links
This report does not link to any other power management reports.

Computers Excluded
The Computers Excluded report displays a list of computers in a specified collection that have been excluded from Configuration Manager power management. Use the following parameters to configure this report.

Required Report Parameters

The following parameters must be specified to run this report.
Parameter Name Description

Collection

From the drop-down list, select a collection for this report. From the drop-down list, select the reason why the computers were excluded from power management. You can select from the following:
2117

Reason

Parameter Name

Description

All Display all excluded computers. Excluded by administrator Display only computers that were excluded by an administrative user. Excluded by user Display only computers that were excluded by a user of Software Center.

Hidden Report Parameters

This report has no hidden parameters that you can set.

Report Links
This report contains links to the following report which provides further information about the selected item.
Report Name Details

Power Computer Details

Click a computer name to see the power capabilities, power settings, and applied power plans for the selected computer. For more information, see Computer Details Report in this topic.

Computers with Multiple Power Plans

The Computers with Multiple Power Plans report displays a list of computers that are members of multiple collections, each applying different power plans. For each computer with potentially conflicting power settings, the report displays the computer name and the power plans being applied for each collection that the computer is a member of. Important If a computer is a member of multiple collections, each applying different power plans, then the following actions are taken: Power plan: If multiple values for power settings are applied to a computer, the least restrictive value is used. Wakeup time: If multiple wakeup times are applied to a computer, the time closest to midnight is used.

Use the following parameters to configure this report.

2118

Required Report Parameters

The following parameters must be specified to run this report.
Parameter Name Description

Collection name

From the drop-down list, select a collection for this report.

Hidden Report Parameters

This report has no hidden parameters that you can set.

Report Links
This report contains links to the following report which provides further information about the selected item.
Report Name Details

Power Computer Details

Click a computer name to see the power capabilities, power settings, and applied power plans for the selected computer. For more information, see Computer Details Report in this topic.

Energy Consumption Report

The Energy Consumption report displays the following information: A graph showing the total monthly power consumption of computers in kiloWatt per hour (kWh) in the specified collection for the specified time period. A graph showing the average power consumption in kiloWatt per hour (kWh) of each computer in the specified collection for the specified time period. A table showing the total monthly power consumption in kiloWatt per hour (kWh) and the average power consumption of computers in the specified collection for the specified time period.

This information can be used to help you to understand power consumption trends in your environment. After applying a power plan to computers in the selected collection, the power consumption of computers should decrease. Note If you add or remove members to the collection after you have applied a power plan, this will affect the results shown by the Energy Consumption report and might make it more

2119

difficult to compare the results from the monitoring and planning phase and the enforcement phase. Use the following parameters to configure this report.

Required Report Parameters

The following parameters must be specified to run this report.
Parameter Name Description

Start date

From the drop-down list, select a start date for this report. From the drop-down list, select an end date for this report. From the drop-down list, select a collection for this report. From the drop-down list, select the type of computer for which you want a report. Valid values are: All Reports on both desktop and portable computers. Desktop - Reports on desktop computers only. Laptop Reports on portable computers only.

End date

Collection name

Device type

Hidden Report Parameters

The following hidden parameters can optionally be specified to change the behavior of this report.
Parameter Name Description

Desktop computer on

Specify the power consumption of a desktop computer when it is turned on. The default value is 0.07 kW per hour. Specify the power consumption of a portable computer when it is turned on. The default value is 0.02 kW per hour. Specify the power consumption of a desktop computer that has entered sleep. The default value is 0.003 kW per hour.
2120

Laptop computer on

Desktop computer sleep

Parameter Name

Description

Laptop computer sleep

Specify the power consumption of a portable computer that has entered sleep. The default value is 0.001 kW per hour. Specify the power consumption of a desktop computer when it is turned off. The default value is 0 kW per hour. Specify the power consumption of a portable computer when it is turned off. The default value is 0 kW per hour. Specify the power consumption of a desktop computer monitor when it is turned on. The default value is 0.028 kW per hour. Specify the power consumption of a portable computer monitor when it is turned on. The default value is 0 kW per hour.

Desktop computer off

Laptop computer off

Desktop monitor on

Laptop monitor on

Report Links
This report does not link to any other power management reports.

Energy Consumption by Day Report

The Energy Consumption by Day report displays the following information: A graph showing the total daily power consumption of computers in kiloWatt per hour (kWh) in the specified collection for the last 31 days. A graph showing the average daily power consumption in kiloWatt per hour (kWh) of each computer in the specified collection for last 31 days. A table showing the total daily power consumption in kiloWatt per hour (kWh) and the average daily power consumption of computers in the specified collection for the last 31 days.

This information can be used to help you to understand power consumption trends in your environment. After applying a power plan to computers in the selected collection, the power consumption of computers should decrease. Note If you add or remove members to the collection after you have applied a power plan, this will affect the results shown by the Energy Consumption report and might make it more difficult to compare the results from the monitoring and planning phase and the enforcement phase. Use the following parameters to configure this report.
2121

Required Report Parameters

The following parameters must be specified to run this report.
Parameter Name Description

Collection

From the drop-down list, select a collection for this report. From the drop-down list, select the type of computer for which you want to report. Valid values are: All Reports on both desktop and portable computers. Desktop - Reports on desktop computers only. Laptop Reports on portable computers only.

Device Type

Hidden Report Parameters

The following hidden parameters can optionally be specified to change the behavior of this report.
Parameter Name Description

Desktop computer on

Specify the power consumption of a desktop computer when it is turned on. The default value is 0.07 kW per hour. Specify the power consumption of a portable computer when it is turned on. The default value is 0.02 kW per hour. Specify the power consumption of a desktop computer that has entered sleep. The default value is 0.003 kW per hour. Specify the power consumption of a portable computer that has entered sleep. The default value is 0.001 kW per hour. Specify the power consumption of a desktop computer when it is turned off. The default value is 0 kW per hour. Specify the power consumption of a portable computer when it is turned off. The default
2122

Laptop computer on

Desktop computer sleep

Laptop computer sleep

Desktop computer off

Laptop computer off

Parameter Name

Description

value is 0 kW per hour. Desktop monitor on Specify the power consumption of a desktop computer monitor when it is turned on. The default value is 0.028 kW per hour. Specify the power consumption of a portable computer monitor when it is turned on. The default value is 0 kW per hour.

Laptop monitor on

Report Links
This report does not link to any other power management reports.

Energy Cost Report

The Energy Cost report displays the following information: A graph showing the total monthly power cost for computers in the specified collection for specified time period. A graph showing the average monthly power cost for each computer in the specified collection for the specified time period. A table showing the total monthly power cost and the average monthly power cost for computers in the specified collection for the last 31 days.

This information can be used to help you to understand power cost trends in your environment. After applying a power plan to computers in the selected collection, the power cost for computers should decrease. Use the following parameters to configure this report.

Required Report Parameters

The following parameters must be specified to run this report.
Parameter Name Description

Start date

From the drop-down list, select a start date for this report. From the drop-down list, select an end date for this report. Specify the cost per kWh of electricity. The default value is 0.09. Note
2123

End date

Cost of KwH

Parameter Name

Description

You can modify the unit of currency used by this report in the hidden parameters section. Collection name From the drop-down list, select a collection to use for this report. From the drop-down list, select the type of computer for which you want to report. Valid values are: All Reports on both desktop and portable computers. Desktop - Reports on desktop computers only. Laptop Reports on portable computers only.

Device type

Hidden Report Parameters

The following hidden parameters can optionally be specified to change the behavior of this report.
Parameter Name Description

Desktop computer on

Specify the power consumption of a desktop computer when it is turned on. The default value is 0.07 kW per hour. Specify the power consumption of a portable computer when it is turned on. The default value is 0.02 kW per hour. Specify the power consumption of a desktop computer that has entered sleep. The default value is 0.003 kW per hour. Specify the power consumption of a portable computer that has entered sleep. The default value is 0.001 kW per hour. Specify the power consumption of a desktop computer when it is turned off. The default value is 0 kW per hour. Specify the power consumption of a portable computer when it is turned off. The default
2124

Laptop computer on

Desktop computer sleep

Laptop computer sleep

Desktop computer off

Laptop computer off

Parameter Name

Description

value is 0 kW per hour. Desktop monitor on Specify the power consumption of a desktop computer monitor when it is turned on. The default value is 0.028 kW per hour. Specify the power consumption of a portable computer monitor when it is turned on. The default value is 0 kW per hour. Specify the currency label to use for this report. The default value is USD ($).

Laptop monitor on

Currency

Report Links
This report does not link to any other power management reports.

Energy Cost by Day Report

The Energy Cost by Day report displays the following information: A graph showing the total daily power cost for computers in the specified collection for the last 31 days. A graph showing the average daily power cost for each computer in the specified collection for the last 31 days. A table showing the total daily power cost and the average daily power cost for computers in the specified collection for the last 31 days.

This information can be used to help you to understand power cost trends in your environment. After applying a power plan to computers in the selected collection, the power cost for computers should decrease. Use the following parameters to configure this report.

Required Report Parameters

The following parameters must be specified to run this report.
Parameter Name Description

Collection name

From the drop-down list, select a collection to use for this report. From the drop-down list, select the type of computer you want to report about. Valid values are: All Reports on both desktop and portable
2125

Device type

Parameter Name

Description

computers. Cost of KwH Desktop - Reports on desktop computers only. Laptop Reports on portable computers only.

Specify the cost per kWh of electricity. The default value is 0.09. Note You can modify the unit of currency used by this report in the hidden parameters section.

Hidden Report Parameters

The following hidden parameters can optionally be specified to change the behavior of this report.
Parameter Name Description

Desktop computer on

Specify the power consumption of a desktop computer when it is turned on. The default value is 0.07 kW per hour. Specify the power consumption of a portable computer when it is turned on. The default value is 0.02 kW per hour. Specify the power consumption of a desktop computer that has entered sleep. The default value is 0.003 kW per hour. Specify the power consumption of a portable computer that has entered sleep. The default value is 0.001 kW per hour. Specify the power consumption of a desktop computer when it is turned off. The default value is 0 kW per hour. Specify the power consumption of a portable computer when it is turned off. The default value is 0 kW per hour. Specify the power consumption of a desktop
2126

Laptop computer on

Desktop computer sleep

Laptop computer sleep

Desktop computer off

Laptop computer off

Desktop monitor on

Parameter Name

Description

computer monitor when it is turned on. The default value is 0.028 kW per hour. Laptop monitor on Specify the power consumption of a portable computer monitor when it is turned on. The default value is 0 kW per hour. Specify the currency label to use for this report. The default value is USD ($).

Currency

Report Links
This report does not link to any other power management reports.

Environmental Impact Report

The Environmental Impact report displays the following information: A graph showing the total monthly CO2 generated (in tons) for computers in the specified collection for the specified time period. A graph showing the average monthly CO2 generated (in tons) for each computer in the specified collection for the specified time period. A table showing the total monthly CO2 generated and the average monthly CO2 generated for computers in the specified collection for specified time period.

The Environmental Impact report calculates the amount of CO2 generated (in tons) by using the time that a computer or monitor was turned on in a 24 hour period. Use the following parameters to configure this report.

Required Report Parameters

The following parameters must be specified to run this report.
Parameter Name Description

Report start date

From the drop-down list, select a start date for this report. From the drop-down list, select an end date for this report. From the drop-down list, select a collection for this report. From the drop-down list, select the type of computer for which you want a report. Valid
2127

Report end date

Collection name

Device type

Parameter Name

Description

values are: All Reports on both desktop and portable computers. Desktop - Reports on desktop computers only. Laptop Reports on portable computers only.

Hidden Report Parameters

The following hidden parameters can optionally be specified to change the behavior of this report.
Parameter Name Description

Desktop computer on

Specify the power consumption of a desktop computer when it is turned on. The default value is 0.07 kW per hour. Specify the power consumption of a portable computer when it is turned on. The default value is 0.02 kW per hour. Specify the power consumption of a desktop computer that has entered sleep. The default value is 0.003 kW per hour. Specify the power consumption of a portable computer that has entered sleep. The default value is 0.001 kW per hour. Specify the power consumption of a desktop computer when it is turned off. The default value is 0 kW per hour. Specify the power consumption of a portable computer when it is turned off. The default value is 0 kW per hour. Specify the power consumption of a desktop computer monitor when it is turned on. The default value is 0.028 kW per hour. Specify the power consumption of a portable computer monitor when it is turned on. The default value is 0 kW per hour.
2128

Laptop computer on

Desktop computer sleep

Laptop computer sleep

Desktop computer off

Laptop computer off

Desktop monitor on

Laptop monitor on

Parameter Name

Description

Carbon Factor (tons/kWh) (CO2Mix)

Specify the value for carbon factor (in tons/kWh) that you typically can obtain from your power company. The default value is 0.0015 tons per kWh.

Report Links
This report does not link to any other power management reports.

Environmental Impact by Day Report

The Environmental Impact by Day report displays the following information: A graph showing the total daily CO2 generated (in tons) for computers in the specified collection for the last 31 days. A graph showing the average daily CO2 generated (in tons) for each computer in the specified collection for the last 31 days. A table showing the total daily CO2 generated and the average daily CO2 generatedfor computers in the specified collection for the last 31 days.

The Environmental Impact by Day report calculates the amount of CO2 generated (in tons) by using the time that a computer or monitor was turned on in a 24 hour period.

Required Report Parameters

The following parameters must be specified to run this report.
Parameter Name Description

Collection name

From the drop-down list, select a collection for this report. From the drop-down list, select the type of computer you want to report about. Valid values are: All Reports on both desktop and portable computers. Desktop - Reports on desktop computers only. Laptop Reports on portable computers only.

Device type

2129

Hidden Report Parameters

The following hidden parameters can optionally be specified to change the behavior of this report.
Parameter Name Description

Desktop computer on

Specify the power consumption of a desktop computer when it is turned on. The default value is 0.07 kWh. Specify the power consumption of a portable computer when it is turned on. The default value is 0.02 kWh. Specify the power consumption of a desktop computer when it is turned off. The default value is 0 kWh. Specify the power consumption of a portable computer when it is turned off. The default value is 0 kWh. Specify the power consumption of a desktop computer that has entered sleep. The default value is 0.003 kWh. Specify the power consumption of a portable computer has entered sleep. The default value is 0.001 kWh. Specify the power consumption of a desktop computer monitor when it is turned on. The default value is 0.028 kWh. Specify the power consumption of a portable computer monitor when it is turned on. The default value is 0 kWh. Specify a value for the carbon factor (in tons/kWh) that you typically can obtain from your power company. The default value is 0.0015 tons per kWh.

Laptop computer on

Desktop computer off

Laptop computer off

Desktop computer sleep

Laptop computer sleep

Desktop monitor on

Laptop monitor on

Carbon Factor (tons/kWh) (CO2Mix)

Report Links
This report does not link to any other power management reports.

2130

Insomnia Computer Details Report

The Insomnia Computer Details report displays a list of computers that did not sleep or hibernate for a specific reason within a specified time period. This report is called by the Insomnia Report and is not designed to be run directly by the site administrator. The Insomnia Report displays computers as Not sleep capable when they are not capable of sleep and have been turned on during the entire specified report interval. The report displays computers as Not hibernate capable when they are not capable of hibernate and have been turned on during the entire specified report interval. Note Power management can only collect causes that prevented computers from entering sleep or hibernate from computers running Windows 7 or Windows Server 2008 R2. Use the following parameters to configure this report.

Required Report Parameters

The following parameters must be specified to run this report.
Parameter Name Description

Collection name

From the drop-down list, select a collection to use for this report. Specify the number of days to report. The default value is 7 days. From the drop-down list, select one of the causes that can prevent computers from entering sleep or hibernate.

Report interval (days)

Cause of Insomnia

Hidden Report Parameters

This report has no hidden parameters that you can set.

Report Links
This report contains links to the following report which provides further information about the selected item.
Report Name Details

Computer Details

Click the Click for detailed information link to see the power capabilities, power settings, and applied power plans for the selected computer. For more information, see Computer Details
2131

Report Name

Details

Report in this topic.

Insomnia Report
The Insomnia Report displays a list of common causes that prevented computers from entering sleep or hibernate and the number of computers affected by each cause for a specified time period. There are a number of causes that might prevent a computer from entering sleep or hibernate such as a process running on the computer, an open Remote Desktop session, or that the computer is incapable of sleep or hibernate. From this report, you can open the Insomnia Computer Details report which displays a list of computers affected by each cause of computers not sleeping or hibernating. The Power Insomnia report displays computers as Not sleep capable when they are not capable of sleep and have been turned on during the entire specified report interval. The report displays computers as Not hibernate capable when they are not capable of hibernate and have been turned on during the entire specified report interval. Note Power management can only collect causes that prevented computers from entering sleep or hibernate from computers running Windows 7 or Windows Server 2008 R2. Use the following parameters to configure this report.

Required Report Parameters

The following parameters must be specified to run this report.
Parameter Name Description

Collection name

From the drop-down list, select a collection to use for this report. Specify the number of days to report. The default value is 7 days. The maximum value is 365 days. Specify 0 to run the report for today.

Report interval (days)

Hidden Report Parameters

This report has no hidden parameters that you can set.

Report Links
This report contains links to the following report which provides further information about the selected item.
2132

Report Name

Details

Insomnia Computer Details

Click a number in the Affected Computers column to see a list of computers that could not sleep or hibernate because of the selected cause. For more information, see Insomnia Computer Details Report in this topic.

Power Capabilities Report

The Power Capabilities report displays the power management hardware capabilities of computers in the specified collection. This report is typically used in the monitoring phase of power management to determine the power management capabilities of computers in your organization. The information displayed in the report can then be used to create collections of computers to apply power plans to, or to exclude from power management. The power management capabilities displayed by this report are: Sleep Capable - Indicates whether the computer has the capability to enter sleep if it is configured to do so. Hibernate Capable Indicates whether the computer can enter hibernate if it is configured to do so. Wake from Sleep Indicates whether the computer can wake from sleep if it is configured to do so. Wake from Hibernate Indicates whether the computer can wake from hibernate if it is configured to do so.

The values reported by the Power Capabilities report indicate the sleep and hibernate capabilities of computers as reported by Windows. However, the reported values do not reflect cases where Windows or BIOS settings prevent these functions from working. Use the following parameters to configure this report.

Required Report Parameters

The following parameters must be specified to run this report.
Parameter Name Description

Collection

From the drop-down list, select a collection for this report. From the drop-down list, select one of the following values: Not Supported - Displays only computers in the specified collection that are not
2133

Display Filter

Parameter Name

Description

capable of sleep, hibernate, wake from sleep, or wake from hibernate. Show All - Displays all computers in the specified collection.

Hidden Report Parameters

This report has no hidden parameters that you can set.

Report Links
This report contains links to the following report which provides further information about the selected item.
Report Name Details

Computer Details

Click a computer name to see the power capabilities, power settings, and applied power plans for the selected computer. For more information, see Computer Details Report in this topic.

Power Settings Report

The Power Settings report displays an aggregated list of power settings used by computers in the specified collection. For each power setting, the possible power modes, values, and units are displayed, together with a count of the number of computers that use those values. This report can be used during the monitoring phase of power management to help the administrator understand the existing power settings used by computers in the site and to help plan optimal power settings to be applied by using a power management plan. The report is also useful when troubleshooting to validate that power settings were correctly applied. Note The settings displayed are collected from client computers during hardware inventory. Depending on the time at which hardware inventory runs, settings from applied peak or non-peak power plans might be collected. Use the following parameters to configure this report.

Required Report Parameters

The following parameters must be specified to run this report.

2134

Parameter Name

Description

Collection name

From the drop-down list, select a collection for this report.

Hidden Report Parameters

The following hidden parameters can optionally be specified to change the behavior of this report.
Parameter Name Description

numberOfLocalizations

Specify the number of languages in which you want to view power setting names reported by client computers. If you only want to view the most popular language, leave this setting at the default of 1. To view all languages, set this value to 0.

Report Links
This report contains links to the following report which provides further information about the selected item.
Report Name Details

Power Settings Details

Click the number of computers in the Computers column to see a list of all computers that use the power settings in that row. For more information, see Power Settings Details Report in this topic.

Power Settings Details Report

The Power Settings Details report displays further information about computers selected in the Power Settings report. This report is called by the Power Settings report and is not designed to be run directly by the site administrator.

Required Report Parameters

The following parameters must be specified to run this report.
2135

Parameter Name

Description

Collection

From the drop-down list, select a collection to use for this report. From the drop-down list, select the power setting GUID on which you want to report. For a list of all power settings and their uses, see Available Power Management Plan Settings in the topic How to Create and Apply Power Plans in Configuration Manager. From the drop down list, select the type of power settings you want to display in the report results. Select Plugged In to view the power settings configured for when the computer is plugged in and On Battery to view the power settings configured for when the computer is running on battery power. From the drop-down list, select the value for the selected power setting name on which you want to report. For example, if you want to display all computers with the turn off hard disk after setting set to 10 minutes, select turn off hard disk after for Power Setting Name and 10 for Setting Index.

Power Setting GUID

Power Mode

Setting Index

Hidden Report Parameters

The following hidden parameters can optionally be specified to change the behavior of this report.
Parameter Name Description

numberOfLocalizations

Specify the number of languages in which you want to view power setting names reported by client computers. If you only want to view the most popular language, leave this setting at the default of 1. To view all languages, set this value to 0.

2136

Report Links
This report contains links to the following report which provides further information about the selected item.
Report Name Details

Computer Details

Click a computer name to see the power capabilities, power settings, and applied power plans for the selected computer. For more information, see Computer Details Report in this topic.

See Also
Operations and Maintenance for Power Management in Configuration Manager

How to Create and Apply Power Plans in Configuration Manager

Power management in System Center 2012 Configuration Manager enables you to apply power plans that are supplied with Configuration Manager to collections of computers in your hierarchy, or to create your own custom power plans. Use the procedure in this topic to apply a built-in or custom power plan to computers. Important You can only apply Configuration Manager power plans to device collections. If a computer is a member of multiple collections, each applying different power plans, then the following actions will be taken: Power plan: If multiple values for power settings are applied to a computer, the least restrictive value is used. Wakeup time: If multiple wakeup times are applied to a desktop computer, the time closest to midnight is used.

Use the Computers with Multiple Power Plans report to display all computers that have multiple power plans applied to them. This can help you discover computers that have power conflicts. For more information about power management reports, see How to Monitor and Plan for Power Management in Configuration Manager. Important Power settings configured by using Windows Group Policy will override settings configured by Configuration Manager power management.
2137

Use the following procedure to create and apply a Configuration Manager power plan. To create and apply a power plan 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, click Device Collections. 3. In the Device Collections list, click the collection to which you want to apply power management settings and then, in the Home tab, in the Properties group, click Properties. 4. In the Power Management tab of the <Collection Name> Properties dialog box, select Specify power management settings for this collection. Note You can also click Browse and then copy the power management settings from a selected collection to the selected collection. 5. In the Start and End fields, specify the start and end time for peak (or business) hours. 6. Enable Wakeup time (desktop computers) to specify a time when a desktop computer will wake from sleep or wake from hibernate to install scheduled updates or software installations. Important Power management uses the internal Windows wakeup time feature to wake computers from sleep or hibernate. Wakeup time settings are not applied to portable computers to prevent scenarios in which they might wake when not plugged in. The wake up time is randomized and computers will be woken over a one hour period from the specified wakeup time. 7. If you want to configure a custom power plan for peak (or business) hours, select Customized Peak (ConfigMgr) from the Peak plan drop-down list, and then click Edit. If you want to configure a power plan for non-peak (or nonbusiness) hours, select Customized Non-Peak (ConfigMgr) from the Non-peak plan drop-down list, and then click Edit. Note You can use the Computer Activity report to help you decide the schedules to use for peak and non-peak hours when you apply power plans to collections of computers. For more information, see Computer Activity Report in the topic How to Monitor and Plan for Power Management in Configuration Manager. You can also select from the built-in power plans, Balanced (ConfigMgr), High Performance (ConfigMgr) and Power Saver (ConfigMgr), and then click View to display the properties of each power plan. Note You cannot modify the built-in power plans. 8. In the <power plan name> Properties dialog box, configure the following settings:
2138

Name: Specify a name for this power plan or use the supplied default value. Description: Specify a description for this power plan or use the supplied default value. Specify the properties for this power plan: Configure the power plan properties. To disable a property, clear its check box. For information about the available settings, see Available Power Management Plan Settings in this topic. Important Enabled settings are applied to computers when the power plan is applied. If you clear a power setting check box, the value on the client computer is not changed when the power plan is applied. Clearing a check box does not restore the power setting to its previous value before a power plan was applied.

9. Click OK to close the <power plan name> Properties dialog box. 10. Click OK to close the <Collection Name> Settings dialog box and to apply the power plan.

Available Power Management Plan Settings

The following table lists the power management settings available in Configuration Manager. You can configure separate settings for when the computer is plugged in or running on battery power. Depending on the version of Windows you are using, some settings might not be configurable. Note Power settings that you do not configure will retain their current value on client computers.
Name Description

Turn off display after (minutes)

Specifies the length of time, in minutes, that the computer must be inactive before the display is turned off. Note Specify a value of 0 if you do not want power management to turn off the display.

Sleep after (minutes)

Specifies the length of time, in minutes, that the computer must be inactive before it enters sleep. Note Specify a value of 0 if you do not want power management to enter sleep on
2139

Name

Description

the computer. Require a password on wakeup Specifies whether a password is required to unlock the computer when it enters wake from sleep. Yes No Note Computers that are running Windows XP with this setting configured as Yes for On battery or Plugged in require a password on wakeup whether or not they are using battery power. Power button action Specifies the action that is taken when the computers power button is pressed. Possible values include the following: Do nothing Sleep Hibernate Shut down Note On computers that are running Windows XP, the value specified for On battery is applied, whether the computer is running on battery or is plugged in. On this version of Windows, select the Hibernate setting to enable entering hibernate on the computer. Start menu power button Specifies the action that occurs when you press the computers Start menu power button. Possible values include the following: Sleep Hibernate Shut down Note This setting is only applicable on computers running Windows Vista.
2140

Name

Description

Sleep button action

Specifies the action that occurs when you press the computers Sleep button. Possible values include the following: Do nothing Sleep Hibernate Shut down Note On computers that are running Windows XP, the value specified for On battery is applied, whether the computer is running on battery or is plugged in. On this version of Windows, select the Hibernate setting to enable entering hibernate on the computer.

Lid close action

Specifies the action that occurs when the user closes the lid of a portable computer. Possible values include the following: Do nothing Sleep Hibernate Shut down Note On computers that are running Windows XP, the value specified for On battery is applied, whether the computer is running on battery or is plugged in. On these versions of Windows, the Shut down option is not implemented. If you select the Shut down option, the current lid close action setting on the computer will not be changed. On this version of Windows, select the Hibernate setting to enable entering hibernate on the computer.

Turn off hard disk after (minutes)

Specifies the length of time, in minutes, that the computers hard disk must be inactive before it
2141

Name

Description

is turned off. Note Specify a value of 0 if you do not want power management to turn off the computers hard disk. Hibernate after (minutes) Specifies the length of time, in minutes, that the computer must be inactive before it enters hibernate. Note Specify a value of 0 if you do not want power management to enter hibernate on the computer. Low battery action Specifies the action that occurs when the computers battery reaches the specified low battery notification level. Possible values include the following: Do nothing Sleep Hibernate Shut down Note On computers that are running Windows XP, the value specified for On battery is applied, whether the computer is running on battery or is plugged in. On this version of Windows, select the Hibernate setting to enable entering hibernate on the computer. Critical battery action Specifies the action that is taken when the computers battery reaches the specified critical battery notification level. Possible values include the following: Do nothing This option is not available for the On battery setting. Sleep Hibernate Shut down
2142

Name

Description

Note On computers that are running Windows XP, the value specified for On battery is applied, whether the computer is running on battery or is plugged in. On this version of Windows, select the Hibernate setting to enable entering hibernate on the computer. Allow hybrid sleep Specifies whether Windows saves a hibernation file when entering sleep, which can be used to restore the computer's state in the event of power loss while it has entered sleep. On Off Note Hybrid sleep is designed for desktop computers and, by default, is not enabled on portable computers. On computers that are running Windows 7, enabling hybrid sleep disables the hibernate functionality. This setting is not supported on computers running Windows XP. Allow standby state when sleeping action Enables the computer to be on standby, which still consumes some power, but enables the computer to wake faster. Possible values are: On Off Note If this setting is set to Off, the computer can only hibernate or turn off. The Off setting is not supported on computers running Windows XP. Required idleness to sleep (%) Specifies the percentage of idle time on the computer processor time required for the computer to enter sleep. Note
2143

Name

Description

This setting only applies to computers that are running Windows Vista. On computers that are running Windows 7, this value is always set to 0. Enable Windows wake up timer for desktop computers Enables the built-in Windows timer which can be used by power management to wake a desktop computer. When a desktop computer is woken by using the Windows wake up timer, it will remain awake for 10 minutes by default to allow time for the computer to install any updates or to receive policy. Possible values are: Enable Disable Important Wakeup timers are not supported on portable computers to prevent scenarios in which they might wake when they are not plugged in. The Disable setting is not supported on computers running Windows XP.

See Also
Operations and Maintenance for Power Management in Configuration Manager

Security and Privacy for Power Management in Configuration Manager

This section contains security and privacy information for power management in System Center 2012 Configuration Manager.

Security Best Practices for Power Management

There are no security-related best practices for power management.

2144

Privacy Information for Power Management

Power management uses features that are built into Windows to monitor power usage and to apply power settings to computers during business hours and nonbusiness hours. Configuration Manager collects power usage information from computers, which includes data about when a user is using a computer. Although Configuration Manager monitors power usage for a collection rather than for each computer, a collection can contain just one computer. Power management is not enabled by default and must be configured by an administrator. The power usage information is stored in the Configuration Manager database and is not sent to Microsoft. Detailed information is retained in the database for 31 days and summarized information is retained for 13 months. You cannot configure the deletion interval. Before you configure power management, consider your privacy requirements.

See Also
Power Management in Configuration Manager

Technical Reference for Power Management in Configuration Manager

There is currently no technical reference information for power management in System Center 2012 Configuration Manager.

See Also
Power Management in Configuration Manager

Remote Control in Configuration Manager

Use the following topics to help you find information about remote control in System Center 2012 Configuration Manager.

Remote Control Topics

Introduction to Remote Control in Configuration Manager Planning for Remote Control in Configuration Manager Configuring Remote Control in Configuration Manager Operations and Maintenance for Remote Control in Configuration Manager Security and Privacy for Remote Control in Configuration Manager
2145

Technical Reference for Remote Control in Configuration Manager

Other Resources for this Product

TechNet Library main page for System Center 2012 Configuration Manager Assets and Compliance in System Center 2012 Configuration Manager

Introduction to Remote Control in Configuration Manager

Use remote control in System Center 2012 Configuration Manager to remotely administer, provide assistance, or view any client computer in the hierarchy. You can use remote control to troubleshoot hardware and software configuration problems on client computers and to provide help desk support when access to the users computer is required. Configuration Manager supports the remote control of workgroup computers and computers that are joined to an Active Directory domain. In addition, Configuration Manager lets you configure client settings to run Windows Remote Desktop and Remote Assistance from the Configuration Manager console. Note You cannot establish a Remote Assistance session from the Configuration Manager console to a client computer in the following scenarios: The client computer is in a workgroup. The computer running the Configuration Manager console is running Windows XP Service Pack 3, but the host computer is not running Windows XP Service Pack 3. For more information, see your Windows Remote Assistance documentation.

You can start a remote control session from any device collection in the Configuration Manager console, from the Windows Command Prompt window, or from the Windows Start menu.

Whats New in Configuration Manager

Note The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide. The following items are new or have changed for remote control since Configuration Manager 2007: Remote control now supports sending the CTRL+ALT+DEL command to computers. You can apply different remote control settings to collections of computers by using client settings.

2146

You can lock the keyboard and mouse of the computer that is being administered during a remote control session. The copy and paste functionality between the host computer and the computer that is being administered has been improved. If the remote control network connection is disconnected, the desktop of the computer that is being administered will be locked. You can start the remote control viewer from the Windows Start menu. Remote control client settings can automatically configure the Windows Firewall on client computers to allow remote control to operate. Remote control supports connecting to computers with multiple monitors. A high visibility notification bar is visible on client computers to inform the user that a remote control session is active. By default, members of the local Administrators group are granted the Remote Control permission as a client setting. The account name of the administrative user who starts the remote control session is automatically displayed to users during the remote control session. This display helps users to verify who is connecting to their computer. If Kerberos authentication fails when you make a remote control connection to a computer, you are prompted to confirm that you want to continue before Configuration Manager falls back to using the less secure authentication method of NTLM. Only TCP port 2701 is required for remote control packets; ports TCP 2702 and TCP 135 are no longer used. Responsiveness for low-bandwidth connections supports the following improvements: Elimination of mouse trails by using single mouse cursor design. Full support for Windows Aero. Elimination of mirror driver.

See Also
Remote Control in Configuration Manager

Planning for Remote Control in Configuration Manager

Use the following topics in this section to help you plan for remote control in System Center 2012 Configuration Manager.

2147

In this Section
Prerequisites for Remote Control in Configuration Manager

See Also
Remote Control in Configuration Manager

Prerequisites for Remote Control in Configuration Manager

Remote control in System Center 2012 Configuration Manager has external dependencies and dependencies in the product.

Dependencies External to Configuration Manager

Dependency More information

Computer video card driver

Ensure that the most up-to-date video driver is installed on client computers to ensure optimal remote control performance.

Devices that run Windows Embedded, Windows Embedded for Point of Service (POS), and Windows Fundamentals for Legacy PCs do not support the remote control viewer, but they do support the remote control client. System Center 2012 Configuration Manager remote control cannot be used to administer Systems Management Server 2003 or Configuration Manager 2007 client computers.

Supported Operating Systems for the Remote Control Viewer

The following table provides information about the supported operating systems for the remote control viewer. For information about supported client operating systems, see Supported Configurations for Configuration Manager.
Operating system Viewer support More information

Windows XP (32-bit)

Yes

To run the remote control viewer on this operating system, you must first download and install the Remote Desktop Connection (RDC) client update
2148

Operating system

Viewer support

More information

7.0 (KB969084) from the Microsoft Download Center. Windows XP (64-bit) Windows Vista (32-bit) No Yes No additional information. To run the remote control viewer on this operating system, you must first download and install the Remote Desktop Connection (RDC) client update 7.0 (KB969084) from the Microsoft Download Center. To run the remote control viewer on this operating system, you must first download and install the Remote Desktop Connection (RDC) client update 7.0 (KB969084) from the Microsoft Download Center. No additional information. No additional information. No additional information. No additional information. No additional information. No additional information. No additional information.

Windows Vista (64-bit)

Yes

Windows 7 (32-bit) Windows 7 (64-bit) Windows Server 2003 (32-bit) Windows Server 2003 (64-bit) Windows Server 2008 (32-bit) Windows Server 2008 (64-bit) Windows Server 2008 R2 (64bit)

Yes Yes No No No No Yes

Configuration Manager Dependencies

Dependency More information

Remote control must be enabled for clients.

By default, remote control is not enabled when you install Configuration Manager. For information about how to enable and configure remote control, see Configuring Remote Control in Configuration Manager.
2149

Dependency

More information

Reporting services point.

The reporting services point site system role must be installed before you can run reports for remote control. For more information, see Reporting in Configuration Manager. You must have the following security permissions to use remote control: To access collection resources and to initiate a remote control session from the Configuration Manager console: Control AMT, Read, Read Resource, and Remote Control permission for the Collection object.

Security permissions to manage remote control.

The Remote Tools Operator security role includes these permissions that are required to manage remote control in Configuration Manager. For more information, see the Configure RoleBased Administration section in the Configuring Security for Configuration Manager topic. Additionally, you must add users whom you want to give permission to use remote control and remote assistance to the remote control permitted views list by using the option Permitted viewers of Remote Control and Remote Assistance in the Remote Tools client settings.

See Also
Remote Control in Configuration Manager

Configuring Remote Control in Configuration Manager

Before you can use remote control in System Center 2012 Configuration Manager, you must perform the following configuration steps.

2150

How to Enable Remote Control and Configure Client Settings

This procedure describes configuring the default client settings for remote control and applies to all computers in your hierarchy. If you want these settings to apply to only some computers, create a custom device client setting and assign it to a collection that contains the computers that you want to use in a remote control session. For more information about how to create custom device settings, see How to Create and Assign Custom Client Settings. To enable remote control and configure client settings 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, click Client Settings. 3. Click Default Client Settings. 4. On the Home tab, in the Properties group, click Properties. 5. In the Default dialog box, click Remote Tools. 6. Configure the remote control, Remote Assistance and Remote Desktop client settings that you require. For a list of remote tools client settings that you can configure, see the section Remote Tools in the topic About Client Settings in Configuration Manager. Note You can change the company name that appears in the ConfigMgr Remote Control dialog box by configuring a value for Organization name displayed in Software Center in the Computer Agent client settings. Important To use Remote Assistance or Remote Desktop, it must be installed and configured on the computer that runs the Configuration Manager console. For more information about how to install and configure Remote Assistance or Remote Desktop, see your Windows documentation. 7. Click OK to close the Default Settings dialog box. Client computers are configured with these settings the next time they download client policy. To initiate policy retrieval for a single client, see the Initiate Policy Retrieval for a Configuration Manager Client section in the How to Manage Clients in Configuration Manager topic.

See Also
Configuring Remote Control in Configuration Manager

2151

Operations and Maintenance for Remote Control in Configuration Manager

Use the information in this section to find out more about operations and maintenance for remote control in System Center 2012 Configuration Manager.

In This Section
How to Remotely Administer a Client Computer by Using Configuration Manager How to Audit Remote Control Usage in Configuration Manager

See Also
Remote Control in Configuration Manager

How to Remotely Administer a Client Computer by Using Configuration Manager

Use the following procedure to remotely administer a computer in System Center 2012 Configuration Manager. Before you begin to use remote control, ensure that you have reviewed the information in the following topics: Planning for Remote Control in Configuration Manager Configuring Remote Control in Configuration Manager By using the Configuration Manager console. At the Windows command prompt. On the Windows Start menu on a computer that runs the Configuration Manager console from the Microsoft System Center 2012 program group. To remotely administer a client computer from the Configuration Manager console 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, click Devices or Device Collections. 3. Select the computer that you want to remotely administer and then, in the Home tab, in the Device group, click Start, and then click Remote Control. Important If the client setting Prompt user for Remote Control permission is set to True, the connection does not initiate until the user at the remote computer agrees to
2152

You can start the Configuration Manager remote control viewer by using one of three methods:

the remote control prompt. For more information, see Configuring Remote Control in Configuration Manager. 4. After the Configuration Manager Remote Control window opens, you can remotely administer the client computer. Use the following options to configure the connection. Note If the computer that you connect to has multiple monitors, the display from all these monitors is shown in the remote control window. File - Connect Connect to another computer. This option is unavailable when a remote control session is active. File - Disconnect Disconnects the active remote control session but does not close the Configuration Manager Remote Control window. File - Exit Disconnects the active remote control session and closes the Configuration Manager Remote Control window. Note When you disconnect a remote control session, the contents of the Windows Clipboard on the computer that you are viewing is deleted. View - Full Screen Maximizes the Configuration Manager Remote Control window to fill all the available display space. Note To exit full screen mode, press Ctrl+Alt+Break. View - Scale to Fit Scales the display of the remote computer to fit the size of the Configuration Manager Remote Control window. View - Status Bar Toggles the display of the Configuration Manager Remote Control window status bar. Action - Send Ctrl+Alt+Del Key Sends a Ctrl+Alt+Del key combination to the remote computer. Action - Enable Clipboard Sharing Lets you copy and paste items to and from the remote computer. If you change this value, you must restart the remote control session for the change to take effect. Note If you do not want clipboard sharing to be enabled in the Configuration Manager console, on the computer running the console, set the value of the registry key, HKEY_CURRENT_USER\Software\Microsoft\ConfigMgr10\Remote Control\Clipboard Sharing to 0. Action - Lock Remote Keyboard and Mouse Locks the remote keyboard and mouse to prevent the user from operating the remote computer. Help - About Remote Control Displays information about the current version of the remote control viewer.
2153

5. Users at the remote computer can view more information about the remote control

session when they click the Configuration Manager Remote Control icon in the Windows notification area or the icon on the remote control session bar. 6. When you no longer require the remote control session, use one of the methods detailed earlier to end the remote control session. To start the remote control viewer from the Windows command line At the Windows command prompt, type <Configuration Manager Installation Folder>\AdminConsole\Bin\x64\CmRcViewer.exe Note CmRcViewer.exe supports the following command-line options: <Address> - Specifies the NetBIOS name, the fully qualified domain name (FQDN), or the IP address of the client computer that you want to connect to. <Site Server Name> - Specifies the name of the System Center 2012 Configuration Manager site server to which you want to send status messages that are related to the remote control session. /? Displays the command-line options for the remote control viewer. Example: CmRcViewer.exe <Address> <\\Site Server Name>

See Also
Operations and Maintenance for Remote Control in Configuration Manager

How to Audit Remote Control Usage in Configuration Manager

You can use System Center 2012 Configuration Manager reports to view audit information for remote control. For more information about how to configure reporting in Configuration Manager, see Reporting in Configuration Manager. The following two reports are available with the category Status Messages - Audit: Remote Control All computers remote controlled by a specific user Displays a summary of remote control activity that a specific user initiated. Remote Control All remote control information Displays a summary of status messages about remote control of client computers. To run the report Remote Control All computers remote controlled by a specific user 1. In the Configuration Manager console, click Monitoring. 2. In the Monitoring workspace, expand Reporting, and then click Reports.
2154

3. In the Reports node, click the Category column to sort the reports so that you can more easily find the reports in the category Status Messages - Audit. 4. Select the report Remote Control - All computers remote controlled by a specific user, and then, on the Home tab, in the Report Group, click Run. 5. In the User Name list of the Remote Control - All computers remote controlled by a specific user, specify the user that you want to report audit information for, and then click View Report. 6. When you have finished viewing the data in the report, close the report window. To run the report Remote Control All remote control information 1. In the Configuration Manager console, click Monitoring. 2. In the Monitoring workspace, expand Reporting, and then click Reports. 3. In the Reports node, click the Category column to sort the reports so that you can more easily find the reports in the category Status Messages - Audit. 4. Select the report Remote Control - All remote control information, and then, on the Home tab, in the Report Group, click Run to open the Remote Control - All remote control information window. 5. When you have finished viewing data in the report, close the report window.

See Also
Operations and Maintenance for Remote Control in Configuration Manager

Security and Privacy for Remote Control in Configuration Manager

This topic contains security and privacy information for remote control in System Center 2012 Configuration Manager.

Security Best Practices for Remote Control

Use the following security best practices when you manage client computers by using remote control.
Security best practice More information

When you connect to a remote computer, do not continue if NTLM instead of Kerberos authentication is used.

When Configuration Manager detects that the remote control session is authenticated by using NTLM instead of Kerberos, you see a prompt that warns you that the identity of the remote computer cannot be verified. Do not
2155

Security best practice

More information

continue with the remote control session. NTLM authentication is a weaker authentication protocol than Kerberos and is vulnerable to replay and impersonation. Do not enable Clipboard sharing in the remote control viewer. The Clipboard supports objects such as executable files and text and could be used by the user on the host computer during the remote control session to run a program on the originating computer. Software that observes keyboard input could capture the password. Or, if the program that is being run on the client computer is not the program that the remote control user assumes, the program might be capturing the password. When accounts and passwords are required, the end user should enter them. If Configuration Manager detects that the remote control connection is terminated, Configuration Manager automatically locks the keyboard and mouse so that a user cannot take control of the open remote control session. However, this detection might not occur immediately and does not occur if the remote control service is terminated. Select the action Lock Remote Keyboard and Mouse in the ConfigMgr Remote Control window. Do not let users configure remote control settings in Software Center. Do not enable the client setting Users can change policy or notification settings in Software Center to help prevent users from being spied on. Note This setting is for the computer and not the logged-on user. Enable the Domain Windows Firewall profile. Enable the client setting Enable remote control on clients Firewall exception profiles and then select the Domain Windows Firewall for intranet computers.
2156

Do not enter passwords for privileged accounts when remotely administering a computer.

Lock the keyboard and mouse during a remote control session.

Security best practice

More information

If you log off during a remote control session If you do not log off in this scenario, the session and log on as a different user, ensure that you remains open. log off before you disconnect the remote control session. Do not give users local administrator rights. When you give users local administrator rights, they might be able to take over your remote control session or compromise your credentials. You can use Configuration Manager and Group Policy to make configuration changes to the Remote Assistance settings. When Group Policy is refreshed on the client, by default, it optimizes the process by changing only the policies that have changed on the server. Configuration Manager changes the settings in the local security policy, which might not be overwritten unless the Group Policy update is forced. Setting policy in both places might lead to inconsistent results. Choose one of these methods to configure your Remote Assistance settings. Enable the client setting Prompt user for Remote Control permission. Although there are ways around this client setting that prompts a user to confirm a remote control session, enable this setting to reduce the chance of users being spied upon while working on confidential tasks. In addition, educate users to verify the account name that is displayed during the remote control session and disconnect the session if they suspect that the account is unauthorized. Limit the Permitted Viewers list. Local administrator rights are not required for a user to be able to use remote control.

Use either Group Policy or Configuration Manager to configure Remote Assistance settings, but not both.

Security Issues for Remote Control

Managing client computers by using remote control has the following security issues: Do not consider remote control audit messages to be reliable.
2157

If you start a remote control session and then log on by using alternative credentials, the original account sends the audit messages, not the account that used the alternative credentials. Audit messages are not sent if you copy the binary files for remote control rather than install the Configuration Manager console, and then run remote control at the command prompt.

Privacy Information for Remote Control

Remote control lets you view active sessions on Configuration Manager client computers and potentially view any information stored on those computers. By default, remote control is not enabled. Although you can configure remote control to provide prominent notice and get consent from a user before a remote control session begins, it can also monitor users without their permission or awareness. You can configure View Only access level so that nothing can be changed on the remote control, or Full Control. The account of the connecting administrator is displayed in the remote control session, to help users identify who is connecting to their computer. By default, Configuration Manager grants the local Administrators group Remote Control permissions. Before you configure remote control, consider your privacy requirements.

See Also
Remote Control in Configuration Manager

Technical Reference for Remote Control in Configuration Manager

Use the following topics in this section for technical reference information for remote control in System Center 2012 Configuration Manager.

In This Section
Keyboard Shortcuts for the Remote Control Viewer in Configuration Manager

See Also
Remote Control in Configuration Manager

2158

Keyboard Shortcuts for the Remote Control Viewer in Configuration Manager

When you use the System Center 2012 Configuration Manager remote control viewer, you can use the following keyboard shortcuts to control the client computer that is being administered.
Keyboard shortcut Description

Alt+Page Up

Switches between running programs from left to right. Switches between running programs from right to left. Cycles through running programs in the order that they were opened. Displays the Start menu. Displays the Windows Security dialog box (Ctrl+Alt+Del). Displays the Windows menu. Copies the active window of the local computer to the remote computer Clipboard. Copies the entire local computer's window area to the remote computer Clipboard.

Alt+Page Down

Alt+Insert

Alt+Home Ctrl+Alt+End

Alt+Delete Ctrl+Alt+Minus Sign (on the numeric keypad)

Ctrl+Alt+Plus Sign (on the numeric keypad)

See Also
Technical Reference for Remote Control in Configuration Manager

Software Metering in Configuration Manager

Use software metering in System Center 2012 Configuration Manager to monitor and collect software usage data from Configuration Manager clients.

Software Metering Topics

Use the following topics to help you find information about planning, configuring, and managing software metering in Configuration Manager. Introduction to Software Metering in Configuration Manager
2159

Planning for Software Metering in Configuration Manager Configuring Software Metering in Configuration Manager Operations and Maintenance for Software Metering in Configuration Manager Security and Privacy for Software Metering in Configuration Manager Technical Reference for Software Metering in Configuration Manager

Other Resources for this Product

TechNet Library main page for System Center 2012 Configuration Manager Assets and Compliance in System Center 2012 Configuration Manager

Introduction to Software Metering in Configuration Manager

Use software metering in System Center 2012 Configuration Manager to monitor and collect software usage data from Configuration Manager clients. To collect this usage data, configure software metering rules or use the Configuration Manager inventory to generate these rules automatically. Client computers evaluate these rules and collect metering data to send to the site. The Configuration Manager client continues to collect usage data when there is no connection to the Configuration Manager site and sends this information when the connection is re-established. After you collect usage data from Configuration Manager clients, you can view the data in different ways, which includes using collections, queries, and reporting. This data, combined with data from software inventory, can help your organization to determine the following: How many copies of a particular software program have been deployed to the computers in your organization. Among those computers, you can determine how many users actually run the program. How many licenses of a particular software program you have to purchase when you renew your license agreement with the software vendor. Whether users are still running a particular software program. If the program is not being used, you might retire the program. Which times of the day a software program is most frequently used.

For an example scenario that shows how you might use software metering in your environment, see Example Scenario for Software Metering in Configuration Manager.

Whats New in Configuration Manager

Note

2160

The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide. There are no significant changes for software metering in Configuration Manager since Configuration Manager 2007.

See Also
Software Metering in Configuration Manager

Planning for Software Metering in Configuration Manager

Use the following topics in this section to help you plan for software metering in System Center 2012 Configuration Manager.

In This Section
Prerequisites for Software Metering in Configuration Manager

See Also
Software Metering in Configuration Manager

Prerequisites for Software Metering in Configuration Manager

Software metering in System Center 2012 Configuration Manager has the following dependencies within the product.

Configuration Manager Dependencies

Dependency More information

Client settings for software metering.

To use software metering, the client setting Enable software metering on clients must be enabled and deployed to computers. You can deploy software metering settings to all computers in the hierarchy, or you can deploy custom settings to groups of computers. For
2161

Dependency

More information

more information, see How to Configure Software Metering in Configuration Manager. The reporting services point. You must configure a reporting services point before you can view software metering reports. For more information, see Reporting in Configuration Manager.

See Also
Planning for Software Metering in Configuration Manager

Configuring Software Metering in Configuration Manager

Use the following topics in this section to help you configure software metering in System Center 2012 Configuration Manager.

In This Section
How to Configure Software Metering in Configuration Manager

See Also
Software Metering in Configuration Manager

How to Configure Software Metering in Configuration Manager

Use the following steps to configure software metering for System Center 2012 Configuration Manager. This procedure configures the default client settings for software metering and applies to all computers in your hierarchy. If you want these settings to apply to only some computers, create a custom device client setting and deploy it to a collection that contains the computers on which you want to use software metering. For more information about how to create custom device settings, see How to Configure Client Settings in Configuration Manager.

2162

To configure software metering 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, click Client Settings, and then click Default Client Settings. 3. On the Home tab, in the Properties group, click Properties. 4. In the Default Settings dialog box, click Software Metering. 5. In the Device Settings list, configure the following: Enable software metering on clients: In the list, select True if you want to enable software metering. Schedule data collection: Configure how often software metering data is collected from client computers. Use the default value of every 7 days or click Schedule to specify a custom schedule.

6. Click OK to close the Default Settings dialog box. Client computers are configured with these settings the next time they download client policy. To initiate policy retrieval for a single client, see the Initiate Policy Retrieval for a Configuration Manager Client section in the How to Manage Clients in Configuration Manager topic.

See Also
Configuring Software Metering in Configuration Manager

Operations and Maintenance for Software Metering in Configuration Manager

Use the information in this section to find out more about operations and maintenance for software metering in System Center 2012 Configuration Manager.

In This Section
How to Create Software Metering Rules in Configuration Manager How to Configure Automatic Software Metering Rule Generation in Configuration Manager How to Manage Software Metering Rules in Configuration Manager How to Monitor Software Metering in Configuration Manager

See Also
Software Metering in Configuration Manager
2163

How to Create Software Metering Rules in Configuration Manager

Use the Create Software Metering Rule Wizard to create a new software metering rule for your System Center 2012 Configuration Manager site. The following procedure provides the necessary steps to create a new software metering rule. To create a software metering rule 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, click Software Metering. 3. On the Home tab, in the Create group, click Create Software Metering Rule. 4. On the General page of the Create Software Metering Rule Wizard, specify the following information: Name - The name of the software metering rule. This should be unique and descriptive. Note Software metering rules can share the same name if the file name contained in the rules is different. File Name - The name of the program file that you want to meter. You can click Browse to display the Open dialog box, in which you can select the program file to use. Note If you type the executable file name in the File name box, no checks are carried out to determine whether this file exists or whether it contains the necessary header information. When possible, click Browse and select the executable file to be metered. Wildcard characters are not permitted in the file name. This box is optional if a value for Original file name is specified. Original File Name - The name of the executable file that you want to meter. This name matches information in the header of the file, not the file name itself so that it can be useful in cases where the executable file has been renamed but you want to meter it by the original name. Note Wildcard characters are not permitted in the original file name. This box is optional if a value for File Name is specified. Version - The version of the executable file you that want to meter. You can use the wildcard character (*) to represent any string of characters or the wildcard character (?) to represent any single character. If you want to meter for all versions of an
2164

executable file, use the default value (*). Language - The language of the executable file to meter. The default value is the current locale of the operating system you are using. If you select an executable file to be metered by clicking the Browse button, this box is automatically filled if language information is present in the header of the file. To meter all language versions of a file, select Any in the drop-down list. Description - An optional description for the software metering rule. Apply this software metering rule to the following clients Select whether you want to apply the software metering rule to all clients in the hierarchy or to the clients that are assigned to the site specified in the Site list.

5. To continue, click Next. 6. Review and confirm the settings and then complete the wizard to create the software metering rule. The new software metering rule is displayed in the Software Metering node in the Assets and Compliance workspace.

See Also
Operations and Maintenance for Software Metering in Configuration Manager

How to Configure Automatic Software Metering Rule Generation in Configuration Manager

You can configure software metering in System Center 2012 Configuration Manager to automatically generate disabled software metering rules from recent usage inventory data held in the site database. You can configure this inventory data so that only for applications that are used on a specified percentage of computers metering rules are created. You can also specify the maximum number of automatically generated software metering rules allowed on the site. Note By default, software metering rules that are automatically created are disabled. Before you can begin to collect usage data from these rules, you must enable them. The following procedure provides the necessary steps to configure automatic software metering rule generation. To configure automatic software metering rule generation 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, click Software Metering, and then, in the Home tab, in the Settings group, click Software Metering Properties. 3. In the Software Metering Properties dialog box, configure the following:
2165

Data retention (in days) - Specifies the amount of time that data generated by software metering rules are kept in the site database. The default value is 90 days. Enable the option Automatically create disabled metering rules from recent usage inventory data. Specify the percentage of computers in the hierarchy that must use a program before a software metering rule is automatically created - The default value is 10 percent. Specify the number of software metering rules that must be exceeded in the hierarchy before the automatic creation of rules is disabled - The default value is 100 rules.

4. Click OK to close the Software Metering Properties dialog box.

See Also
Operations and Maintenance for Software Metering in Configuration Manager

How to Manage Software Metering Rules in Configuration Manager

Use the information in this topic to help you manage software metering rules in System Center 2012 Configuration Manager. For information about how to create software metering rules, see How to Create Software Metering Rules in Configuration Manager.

How to Manage Software Metering Rules

In the Assets and Compliance workspace, select Software Metering, select the software metering rule to manage, and then select a management task. Use the following table for more information about the management tasks that might require some information before you select them.
Management Task Details More Information

Enable

Enables a disabled software metering rule. This setting is downloaded to client computers according to the Client policy polling interval in the Client Policy section of client settings (by default, every 60 minutes).

How to Configure Client Settings in Configuration Manager

2166

Management Task

Details

More Information

Disable

Disables an enabled software metering rule. This setting is downloaded to client computers according to the Client policy polling interval in the Client Policy section of client settings (by default, every 60 minutes).

How to Configure Client Settings in Configuration Manager

See Also
Operations and Maintenance for Compliance Settings in Configuration Manager

How to Monitor Software Metering in Configuration Manager

Software metering in System Center 2012 Configuration Manager includes a number of built-in reports which allow you to monitor information about software metering operations. These reports have the report category of Software Metering. For more information about how to configure reporting in Configuration Manager, see Reporting in Configuration Manager. Additionally, you can create queries and collections based on the data stored in the Configuration Manager database by software metering. For more information about collections in Configuration Manager, see Collections in Configuration Manager. For more information about queries in Configuration Manager, see Queries in Configuration Manager.

See Also
Operations and Maintenance for Compliance Settings in Configuration Manager

2167

Security and Privacy for Software Metering in Configuration Manager

This topic contains security and privacy information for software metering in System Center 2012 Configuration Manager.

Security Best Practices for Software Metering

There are currently no security-related best practices for software metering.

Security Issues for Software Metering

An attacker could send invalid software metering information to Configuration Manager, which will be accepted by the management point even when the software metering client setting is disabled. This might result in a large number of metering rules that are replicated throughout the hierarchy, causing a denial of service on the network and to Configuration Manager site servers. Because an attacker can create invalid software metering data, do not consider software metering information to be authoritative. Software metering is enabled by default as a client setting.

Privacy Information for Software Metering

Software metering monitors the usage of applications on client computers. Software metering is enabled by default. You must configure which applications to meter. Metering information is stored in the Configuration Manager database. The information is encrypted during transfer to a management point but it is not stored in encrypted form in the Configuration Manager database. This information is retained in the database until it is deleted by the site maintenance tasks Delete Aged Software Metering Data (every five days) and Delete Aged Software Metering Summary Data (every 270 days). You can configure the deletion interval. Metering information is not sent to Microsoft. Some additional metering information is collected through hardware inventory. For more information, see Security and Privacy for Hardware Inventory in Configuration Manager. Before you configure software metering, consider your privacy requirements.

See Also
Software Metering in Configuration Manager

2168

Technical Reference for Software Metering in Configuration Manager

Use the following topics in this section for technical reference information related to software metering in System Center 2012 Configuration Manager.

In This Section
Example Scenario for Software Metering in Configuration Manager Maintenance Tasks for Software Metering in Configuration Manager

See Also
Software Metering in Configuration Manager

Example Scenario for Software Metering in Configuration Manager

Note This topic appears in the Assets and Compliance in System Center 2012 Configuration Manager guide and in the Scenarios and Solutions Using System Center 2012 Configuration Manager guide. This topic provides an example scenario of how software metering in System Center 2012 Configuration Manager can be implemented to solve the following business requirements: Determine how many copies of a specified software application are in use on the company network. Determine whether there are any unused copies of a specified software application on the network. Determine which users regularly use a specified software application.

Woodgrove Bank has deployed Microsoft Office 2010 as its standard office productivity suite. However, to support a legacy application, some computers must continue to run Microsoft Office Word 2003. The IT department wants to reduce support and licensing costs by removing these copies of Word 2003 if the legacy application is no longer used. The help desk also wants to identify which users use the legacy application. John is Woodgrove Bank's IT Systems Manager who uses software metering in Configuration Manager to achieve these business objectives. He performs the actions in the following table:

2169

Process

Reference

John checks the prerequisites for software metering and confirms that the reporting services point is installed and operational. John configures the default client settings for software metering:

Prerequisites for Software Metering in Configuration Manager

How to Configure Software Metering in Configuration Manager

He enables software metering and uses the How to Create Software Metering Rules in default data collection schedule of once Configuration Manager every seven days. He configures software inventory to inventory files that have the extension .exe by configuring the software inventory client setting Inventory these file types. He adds a new software metering rule, named woodgrove.exe, to monitor the legacy application. No additional information.

John waits for seven days, after which the client computers begin to report usage data for the woodgrove.exe executable. John uses the Configuration Manager report Install base for all metered software programs to see which computers have the application woodgrove.exe loaded.

How to Monitor Software Metering in Configuration Manager

After six months, John runs the report How to Monitor Software Metering in Computers that have a metered program Configuration Manager installed, but have not run the program since a specified date, specifying the software metering rule and a date six months in the past. This report identifies 120 computers that have not run the program in the past six months. John makes some further checks to confirm that the legacy application is not required on the identified computers. He then uninstalls the legacy application and the copy of Word 2003 from these computers. John runs the report Users that have run a specific metered software program to provide the help desk with a list of users who continue to use the legacy application. No additional information.

2170

Process

Reference

John continues to check the software metering reports weekly and takes remedial action if necessary.

How to Monitor Software Metering in Configuration Manager

As a result of this course of action, IT support and licensing costs are reduced by removing the applications that are no longer required. In addition, the help desk now has the list that it wanted of the users who run the legacy application.

See Also
Technical Reference for Software Metering in Configuration Manager

Maintenance Tasks for Software Metering in Configuration Manager

System Center 2012 Configuration Manager includes a number of maintenance tasks to help you manage the usage data collected by software metering: Delete Aged Software Metering Data Delete Aged Software Metering Summary Data Summarize Software Metering File Usage Data Summarize Software Metering Monthly Usage Data

Use the following sections to learn more about these maintenance tasks. By default, all four tasks are enabled in Configuration Manager. Use the following procedure to configure these maintenance tasks. To configure maintenance tasks 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, and then click Sites. 3. In the Sites list, select the site that you want to configure maintenance tasks for and then, in the Home tab, in the Settings group, click Site Maintenance. 4. In the Site Maintenance dialog box, configure the site maintenance tasks you require and then click OK.

Tasks that Delete Software Metering Data

The following maintenance tasks remove old software metering data and summarized data from the site database:
2171

Delete Aged Software Metering Data

Use the Delete Aged Software Metering Data task to delete all software metering data that is older than the number of days specified. By default, the task is scheduled to run every day and to delete software metering data that is older than five days. You can configure the number of days to be any number from 2 through 255.

Delete Aged Software Metering Summary Data

Use the Delete Aged Software Metering Summary Data task to delete summarized software metering summary data that is older than the number of days specified. By default, the task is scheduled to run every Sunday and to delete software metering summary data that is older than 270 days.

Tasks that Summarize Software Metering Data

The summarize software metering tasks perform the data summarization to compress the amount of data in the site database.

Summarize Software Metering File Usage Data

The Summarize Software Metering File Usage Data task condenses software metering file usage data from multiple records into one general record. This record provides information about the program name, version, language, and number of distinct users over intervals of 15 minutes and one hour. This process compresses and optimizes the amount of data stored in the site database. By default, the Summarize Software Metering File Usage Data task runs daily. For every hour and every 15-minute interval within the hour, the task calculates the total number of distinct user/computer combinations that are running the matching program. Within the 15-minute intervals, this approximates the number of concurrent users. For example: If the same user is using a software program and is logged on to three different computers simultaneously, this counts as three usages. If three users are logged on to a computer running Terminal Services and all three are running the software program, this counts as three usages. If the same user starts and stops the software program on the same computer three separate times during the hour, this counts as one usage for that user.

When replicated up hierarchy, the software metering summary data from each site remains separated from data from the other sites. When the data reaches a parent site, each record is marked with the site code of the site where the usage data was generated. These records can be added together to estimate concurrent program usage in the network.

2172

Summarize Software Metering Monthly Usage Data

The Summarize Software Metering Monthly Usage Data task condenses detailed software metering usage data from multiple records into one general record. This record provides information about the program name, program version and language, program running times, number of usages, last usage, user name, and computer name. Data summarization helps compress the amount of data in the site database. Monthly software usage data is sent to the central administration site. The summarization information includes the number of times each matching software program ran on a particular computer and by a particular user during the month. By default, the task is scheduled to run daily and the summarization period is one month. Software monthly usage data is replicated to the parent site.

See Also
Technical Reference for Software Metering in Configuration Manager

Out of Band Management in Configuration Manager

System Center 2012 Configuration Manager integrates with Intel Active Management Technology (Intel AMT), which lets you manage desktop and laptop computers independently from the Configuration Manager client or the computer operating system.

Out of Band Management Topics

Use the following topics to help you manage AMT-based computers out of band. Introduction to Out of Band Management in Configuration Manager Planning for Out of Band Management in Configuration Manager Configuring Out of Band Management in Configuration Manager Operations and Maintenance for Out of Band Management in Configuration Manager Security and Privacy for Out of Band Management in Configuration Manager Technical Reference for Out of Band Management in Configuration Manager

Other Resources for this Product

TechNet Library main page for System Center 2012 Configuration Manager Assets and Compliance in System Center 2012 Configuration Manager Intels application offerings on the Microsoft Pinpoint site

2173

Introduction to Out of Band Management in Configuration Manager

Out of band management in System Center 2012 Configuration Manager provides a powerful management control for computers that have the Intel vPro chip set and a version of Intel Active Management Technology (Intel AMT) that Configuration Manager supports. Out of band management lets an administrative user connect to a computer's AMT management controller when the computer is turned off, in hibernation, or otherwise unresponsive through the operating system. In contrast, in-band management is the classic approach that Configuration Manager and its predecessors use, whereby an agent runs in the full operating system on the managed computer, and the management controller accomplishes tasks by communicating with the management agent. Out of band management supplements in-band management. While in-band management supports a wider range of operations because its environment is the full operating system, inband management might not be functional if the operating system is not present or is not operational. In these situations, by using the supplementary capabilities of out of band management, administrative users can manage these computers without requiring local access to the computer. Out of band management tasks include the following: Powering on one or many computers (for example, for maintenance on computers outside business hours). Powering off one or many computers (for example, the operating system stops responding). Restarting a nonfunctioning computer or booting from a locally connected device or known good boot image file. Re-imaging a computer by booting from a boot image file that is located on the network or by using a PXE server. Reconfiguring the BIOS settings on a selected computer (and bypassing the BIOS password if this is supported by the BIOS manufacturer). Booting to a command-based operating system to run commands, repair tools, or diagnostic applications (for example, upgrading the firmware or running a disk repair tool). Configuring scheduled software deployments to wake up computers before the computers are running.

These out of band management tasks are supported on an unauthenticated, wired connection, and an authenticated 802.1X wired connection, and wireless connection. Out of band management also has the following additional features: Auditing for selected AMT features. Support for different power states, to help conserve power consumption and adherence to IT policy. Data storage in AMT, where up to 4096 bytes in ASCII characters can be saved in the nonvolatile random access memory (NVRAM) of the management controller.
2174

For example scenarios of how out of band management can be used, see Example Scenarios for Using Out of Band Management in Configuration Manager. Some of the preceding tasks are performed from the Configuration Manager console, while others require running the out of band management console that is supplied with Configuration Manager. Out of band management uses Windows remote management technology (WS-MAN) to connect to the AMT management controller on a computer. Note Out of band management is not supported for clients that are managed over the Internet with Internet-based client management. Configuration Manager clients that are blocked or unapproved by Configuration Manager cannot be managed out of band. The following table outlines the options and features that out of band management provides in Configuration Manager.
Feature or scenario More information

Security-based management

Out of band management integrates with an internal public key infrastructure (PKI) by using the following certificates: A provisioning certificate that is installed on the out of band service point, which allows computers to be configured for out of band management. A web server certificate that is installed on the enrollment point for secured communication with the out of band service point during the provisioning process. A web server certificate that is installed on each computer that is managed out of band so that communication is authenticated and is encrypted by using Transport Layer Security (TLS). Client certificates, if required for 802.1X authentication.

For more information about these certificates, see PKI Certificate Requirements for Configuration Manager. Administrators must be authenticated by using Kerberos before they can manage computers by using the out of band management console. Out of band management activity is recorded and auditable by using an audit log on the AMT-based computers.
2175

Feature or scenario

More information

Support for 802.1X authenticated wired networks and wireless networks: Authenticated wired 802.1X support: client authentication options of EAP-TLS or EAPTTLS/MSCHAPv2 or PEAPv0/EAPMSCHAPv2. Wireless support: WPA and WPA2 security, AES or TKIP encryption, client authentication options of EAP-TLS or EAPTTLS/MSCHAPv2 or PEAPv0/EAPMSCHAPv2.

AMT provisioning

Enables and configures Intel AMT-based computers that are running the Configuration Manager client. Provides hardware inventory data from the AMT chip, such as asset tag, BIOS UUID, power state, processor, memory, and drive information. Identifies computers with an AMT management controller and its provisioning status. This information can be used to build querybased collections to group computers for out of band management activities, such as provisioning and power control.

Enhanced inventory data

Identify AMT management controllers

Power control

Enables power on, power off, and restart capabilities for a single computer, selected computers, or a collection of computers. Computers can also be woken up by scheduled software deployments that have a scheduled deadline.

Out of band management console

A dedicated management console that is run from the Configuration Manager console, or at a command prompt, to initiate out of band management tasks, including IDE redirection and serial-over-LAN sessions. Note Capabilities might vary depending on the manufacturer of the managed
2176

Feature or scenario

More information

computer. For example, IDE redirection and serial-over-LAN capability can be disabled by the manufacturer. IDE redirection Enables the computer to boot from a boot image file or locally connected device rather than from its disk IDE interface. This is useful for diagnosing, repairing, or imaging a hard disk drive. Serial-over-LAN technology encapsulates the data from a virtual serial port and sends it over the existing network connection that the out of band management console established. Serial-over-LAN technology lets you run a terminal emulation session for the managed computer, in which you can run commands and character-based applications. For example, this might include reconfiguring the BIOS, or working in conjunction with IDE redirection, you can update the firmware or run diagnostic tools.

Serial over LAN

Extending Out of Band Management in Configuration Manager

For additional technical information to support and extend out of band management in Configuration Manager, see Intels application offerings on the Microsoft Pinpoint site.

Whats New in Configuration Manager

Note The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide. The following items are new or have changed for out of band management since Configuration Manager 2007: System Center 2012 Configuration Manager no longer supports provisioning out of band, which could be used in Configuration Manager 2007 when the Configuration Manager client was not installed, or the computer did not have an operating system installed. To provision computers for AMT in System Center 2012 Configuration Manager, they must belong to an Active Directory domain, have the System Center 2012 Configuration Manager client installed, and be assigned to a System Center 2012 Configuration Manager primary site.

2177

To provision computers for AMT, you must install the new site system role, the enrollment point, in addition to the out of band service point. You must install both these site system roles on the same primary site. There is a new account, the AMT Provisioning Removal Account, which you specify on the Out of Band Management Component Properties: Provisioning tab. When you specify this account and use the same Windows account that is specified as an AMT User Account, you can use this account to remove the AMT provisioning information, if you have to recover the site. You might also be able to use it when the client was reassigned and the AMT provisioning information was not removed on the old site. Configuration Manager no longer generates a status message to warn you that the AMT provisioning certificate is about to expire. You must check the remaining validity period yourself and ensure that you renew this certificate before it expires. AMT discovery no longer uses port TCP 16992; only port TCP 16993 is used. Port TCP 9971 is no longer used to connect the AMT management controller to the out of band service point to provision computers for AMT. The out of band service point uses HTTPS (by default, port TCP 443) to connect to the enrollment point. The WS-MAN translator is no longer supported. The maintenance task Reset AMT Computer Passwords has been removed. You no longer select individual permissions for each AMT User Account. Instead, all AMT User Accounts are automatically configured for the PT Administration (Configuration Manager 2007 SP1) or Platform Administration (Configuration Manager 2007 SP2) right, which grants permissions to all AMT features. You must specify a universal security group in the Out Of Band Management Component Properties to contain the AMT computer accounts that Configuration Manager creates during the AMT provisioning process. The site server computer no longer requires Full Control to the organizational unit (OU) that is used during AMT provisioning. Instead, it grants Read Members and Writer Members (this object only) permissions. The enrollment point rather than the primary site server computer now requires the Issue and Manage Certificates permission on the issuing certification authority (CA). This permission is required to revoke AMT certificates. As in Configuration Manager 2007, this computer account requires DCOM permissions to communicate with the issuing CA. To configure this, ensure that for Windows Server 2008, the computer account of the enrollment point site system server is a member of the security group Certificate Service DCOM Access, or, for Windows Server 2003 SP1 and later, a member of the security group CERTSVC_DCOM_ACCESS in the domain where the issuing CA resides. The certificate templates for the AMT web server certificate and the AMT 802.1X client certificate no longer use Supply in the request, and the site server computer account no longer requires permissions to the following certificate templates: For the AMT web server certificate template: On the Subject tab, select Build from this Active Directory information, and then select Common name for the Subject name format. On the Security tab, grant Read and Enroll permissions to the universal security group that you specify in the Out Of Band Management Component Properties.
2178

For the AMT 802.1X client certificate template: On the Subject tab, select Build from this Active Directory information, and then select Common name for the Subject name format. Clear the DNS name check box, and then select User principal name (UPN) as the alternate subject name. On the Security tab, grant Read and Enroll permissions to the universal security group that you specify in Out Of Band Management Point Component Properties.

The AMT provisioning certificate no longer requires that the private key can be exported. By default, the out of band service point checks the AMT provisioning certificate for certificate revocation. This occurs when the site system first runs, and when the AMT provisioning certificate is changed. You can disable this option in the Out Of Band Service Point Properties. You can enable or disable CRL checking for the AMT web server certificate in the out of band management console. To change the settings, click the Tools menu, and then click Options. The new setting is used when you next connect to an AMT-based computer. When a certificate for an AMT-based computer is revoked, the revocation reason is now Cease of Operation instead of Superseded. AMT-based computers that are assigned to the same Configuration Manager site must have a unique computer name, even when they belong to different domains and therefore have a unique FQDN. When you reassign an AMT-based computer from one Configuration Manager site to another, you must first remove the AMT provisioning information, reassign the client, and then provision the client again for AMT. The security rights View management controllers and Manage management controllers in Configuration Manager 2007 are now named Provision AMT and Control AMT, respectively. The Control AMT permission is automatically added to the Remote Tools Operator security role. If an administrative user is assigned to the Remote Tools Operator security role, and you want this administrative user to provision AMT-based computers or control the AMT audit log, you must add the Provision AMT permission to this security role, or ensure that the administrative user belongs to another security role that includes this permission.

See Also
Out of Band Management in Configuration Manager

Planning for Out of Band Management in Configuration Manager

Use the following topics in this section to help you plan how to manage Intel AMT-based computers out of band by using System Center 2012 Configuration Manager.

2179

In This Section
Prerequisites for Out of Band Management in Configuration Manager Best Practices for Out of Band Management in Configuration Manager Determine Whether to Use a Customized Firmware Image From Your Computer Manufacturer

See Also
Out of Band Management in Configuration Manager

Prerequisites for Out of Band Management in Configuration Manager

Out of band management in System Center 2012 Configuration Manager has external dependencies and dependencies within the product. Important Out of band management in Configuration Manager has external dependencies on Intel Active Management Technology (Intel AMT) and on Microsoft public key infrastructure (PKI) technologies. For authoritative information about configuration or technical details about these external dependencies, see the product documentation for the related technologies. For information about Intel AMT, see the Intel documentation or the documentation from your computer manufacturer. For additional information, see Intel vPro Expert Center: Microsoft vPro Manageability. For information about Microsoft public key infrastructure (PKI) technologies, see Windows Server 2008 Active Directory Certificate Services.

Dependencies External to Configuration Manager

The following table lists the external dependencies for running out of band management.
Dependency More information

A Microsoft enterprise certification authority (CA) with certificate templates to deploy and manage the certificates required for out of band management. The issuing CA must automatically approve certificate requests from the AMT computer

The out of band service point and each desktop or laptop computer that is managed out of band must have specific PKI certificates that are managed independently from Configuration Manager. For more information about the certificate
2180

Dependency

More information

accounts that Configuration Manager creates in Active Directory Domain Services during the AMT provisioning process. To revoke AMT certificates, the issuing CA must be configured with the Issue and Manage Certificates permission for the server where the enrollment point site system role is installed. Important AMT cannot support CA certificates with a key length greater than 2048 bits.

requirements, see PKI Certificate Requirements for Configuration Manager. For step-by-step instructions, see Deploying the Certificates for AMT. The computer account for the enrollment point site system server must have DCOM permissions to revoke AMT certificates from the issuing CA. Ensure that this site system computer is a member of the security group Certificate Service DCOM Access (for Windows Server 2008) or CERTSVC_DCOM_ACCESS (for Windows Server 2003 SP1 and later) in the domain where the issuing CA resides. For information about the AMT versions that Configuration Manager supports, see the Out of Band Management section in the Supported Configurations for Configuration Manager topic. Download the latest HECI driver from the Intel website and consult your computer manufacturer's documentation for the Intel requirements. During the AMT provisioning process, Configuration Manager creates computer accounts in this Active Directory container or organizational unit (OU) and adds the accounts to the universal security group.

Desktop or laptop computers with the following configuration: Intel vPro Technology or Intel Centrino Pro Technology A supported version of Intel AMT that is configured for Enterprise mode, with the provision mode of PKI Intel HECI driver

An Active Directory container and a universal security group:

The Active Directory container must be configured with the correct security permissions for the domain in which the AMT-based computers reside. If the site The site server computer requires the following manages AMT-based computers from permissions: multiple domains, the same container name For the OU that is used during the AMT and path must be used for all domains. provisioning process: Allow Create all A universal security group that contains child objects and Delete all child objects computer accounts for the AMT-based and apply to This object only. computers. For the universal security group that is used during the AMT provisioning process: Note Allow Read and Write, and apply to This You do not have to extend the Active object only. Directory schema for out of band management.

The following network services: DHCP server with an active scope

For DHCP, ensure that the DHCP scope options include DNS servers (006) and Domain
2181

Dependency

More information

DNS servers for name resolution

name (015), and that the DHCP server dynamically updates DNS with the computer resource record. WINS cannot be used for resolving computer names, and DNS is required for all connections that are use out of band management. This includes connecting to AMT-based computers from the out of band management console, in addition to AMT provisioning. Note AMT cannot register a host record in DNS, so you must ensure that either DHCP or the operating system updates DNS with a host record for the AMTbased computers fully qualified domain name (FQDN). Alternatively, you can manually create these records in DNS as needed. For wireless support, ensure that DNS contains records with the wireless IP address for the AMTbased computers fully qualified domain name.

Site system role dependencies for the computers that will run the enrollment point and the out of band service point site system roles. Windows Remote Management (WinRM) 1.1 or later must be installed on computers that are running Windows XP if they run the out of band management console. MSXML 6.0 is required on computers that run the out of band management console.

See the Prerequisites for Site System Roles section in the Supported Configurations for Configuration Manager topic. For more information about WinRM versions, see Versions of Windows Remote Management.

The Setup Prerequisites checker for Configuration Manager includes the check for Microsoft MSXML 6.0. Serial over LAN uses the Telnet protocol to run a terminal emulation session for the managed computer, in which you can run commands and character-based applications. For more information, see Introduction to Out of Band Management in Configuration Manager.

The Windows feature, Telnet Client, must be installed on computers that run Windows 7, Windows Vista, or Windows Server 2008 if the computers run the out of band management console and perform serial-over-LAN commands.

2182

Dependency

More information

Computers to be managed out of band must belong to the same Active Directory forest as the site system servers that run the out of band service point and the enrollment point. In addition, computers must share the same namespace; disjoint namespaces are not supported.

The following scenarios identify computers that are not supported for out of band management. AMT should be disabled on these computers: Workgroup computers. Computers that reside in a different Active Directory forest from the computers that run the out of band service point site system role and the enrollment point. Computers that reside in the same Active Directory forest as the site system servers that run the out of band service point and the enrollment point but do not share the same namespace (noncontiguous namespace). For example, an AMT-based computer with the FQDN of computer1.northwindtraders.com cannot be provisioned by the out of band service point site system with the FQDN of contoso.com, even if they belong to the same Active Directory forest. Computers that reside in the same Active Directory forest as the out of band service point site system server but have a disjoint namespacefor example, an AMT-based computer that has a DNS name of computer1.corp.fabrikam.com and resides in an Active Directory domain named na.corp.fabrikam.com.

Intervening network devices such as routers and firewalls, and Windows Firewall if applicable, must allow the traffic associated with out of band management activity.

The following ports are used by out of band management: From the out of band service point to the enrollment point: HTTPS (by default, port TCP 443). From the out of band service point site system server to AMT management controllers for power control initiated from the Configuration Manager console and scheduled activities, provisioning, and discovery: TCP 16993. From computers running the out of band
2183

Dependency

More information

management console to AMT management controllers for all management tasks initiated from the out of band management console (including power-on commands): TCP 16993. From computers running the out of band management console to AMT management controllers for serial over LAN and IDE redirection: TCP 16995.

IPv4.

IPv6 is not supported. Out of band management uses IPv4 only. Do not configure IPsec policies for the AMT communication between the out of band service point site system server and computers that will be managed out of band.

Full IPsec environments are not supported.

Infrastructure support for 802.1X authenticated wired networks and wireless networks:

To manage AMT-based computers out of band on an 802.1X authenticated wired network or a Authenticated wired 802.1X support: Client wireless connection, you must have a authentication options of EAP-TLS or EAP- supporting infrastructure for these environments. These networks can be TTLS/MSCHAPv2 or PEAPv0/EAPMSCHAPv2. configured by using a Microsoft RADIUS Wireless support: WPA and WPA2 security, solution, such as Network Policy Server on Windows Server 2008. Other RADIUS solutions AES or TKIP encryption, client authentication options of EAP-TLS or EAP- can be used if they are 802.1X-compliant and TTLS/MSCHAPv2 or PEAPv0/EAPsupport the configuration options listed for MSCHAPv2. authenticated wired 802.1X support and wireless support. Note For more information about Network Policy If you use client authentication Server on Windows Server 2008, see Network methods of EAP-TLS or EAPPolicy Server. TTLS/MSCHAPv2 with a client For more information about other RADIUS certificate, the RADIUS solution must solutions, see Intel vPro Expert Center: support authentication by using the Microsoft vPro Manageability. following format: domain\computer_account.

Configuration Manager Dependencies

The following table lists the dependencies within Configuration Manager for running out of band management.
2184

Dependency

More information

The primary site must be running System Center 2012 Configuration Manager and have installed the out of band service point and the enrollment point. The out of band service point must in the same Active Directory forest as the site server, and you can install only one out of band service point in each primary site. Computers that you want to manage out of band must have the Configuration Manager client installed and must be assigned to a primary site. Important Intel AMT-based computers that are assigned to the same Configuration Manager site must have a unique computer name, even when they belong to different domains and therefore have a unique FQDN. To configure out of band management, you must have the following security permissions: Site: Read and Modify Mobile Device Enrollment Profile: Read, Create, Modify, Meter Site, and Manage Certificates for Operating System Deployment

Configuring the Enrollment Point and Out of Band Service Point for AMT Provisioning

How to Install Clients on Windows-Based Computers in Configuration Manager

For more information about how to configure security permissions, see Configure RoleBased Administration.

The Full Administrator security role includes these permissions. To manage computers out of band, you must have the following security permissions for the collections that contain the computers: Provision AMT: This security permission allows you to manage AMT computers from the Configuration Manager console, which includes discovering the status of AMT management controllers, provisioning computers for AMT and the auditing actions of enabling and applying audit log settings, disabling auditing, and clearing the audit
2185

Dependency

More information

log. Control AMT: This security permission allows you to view and manage computers by using the out of band management console, and initiate power control actions in the Configuration Manager console. The Remote Tools security role includes the Control AMT permission. Read and Modify Collection Setting to enable AMT provisioning for the collection. Provision AMT, Read, and Read Resource to remove provisioning information and update AMT management controllers. To use Configuration Manager reports for out of band management, you must install and configure a reporting services point. For more information, see Reporting in Configuration Manager.

Reporting services point.

See Also
Planning for Out of Band Management in Configuration Manager

Best Practices for Out of Band Management in Configuration Manager

Use the following best practices information to help you manage Intel AMT-based computers by using System Center 2012 Configuration Manager.

Verify AMT capability for your Intel AMT-based computers

Conduct an inventory of Intel AMT-based computers and then for each model, search online for their system management specifications. In these specifications, look for vPro capable devices. If Intel standard manageability is listed or management is not listed these computers, the computer cannot be managed out of band by Configuration Manager.

2186

After you have confirmed that the AMT-based computers support out of band management, verify that the version of AMT is supported by System Center 2012 Configuration Manager. For more information about the AMT versions that are supported, see Supported Configurations for Configuration Manager.

Ensure that AMT is enabled in the BIOS by using a defined process

Before Configuration Manager can provision an Intel AMT-based computer for out of band management, the BIOS must be configured such that AMT is enabled. You can request this configuration from your computer manufacture. Or, you can use your own internal processes to ensure that computers are configured appropriately before they are made available to users.

Define a process for laptop computers to connect to a wired Ethernet connection during the AMT provisioning period
Laptop computers must be connected to a wired Ethernet connection before they can be provisioned for AMT. Define a process so that laptop users connect their AMT-based computers to a wired Ethernet network when you plan to provision them for AMT. For example, you might create separate collections for these AMT-based laptops and email the users to inform them when their laptops must be connected to the wired Ethernet network. Then monitor the AMT provisioning process and email these users to confirm when AMT provisioning is complete for their laptop. Contact the users when their laptops fail to provision for AMT and confirm connectivity to the wired Ethernet network during a defined period.

Review the available management tasks for AMTbased computers and train your help desk
For a list of out of band management tasks that Configuration Manager supports, see Introduction to Out of Band Management in Configuration Manager. For some example scenarios for how you might use out of band management, see Example Scenarios for Using Out of Band Management in Configuration Manager. Ensure that your help desk is trained how to manage computers out of band to support your selected scenarios.

Plan ahead before you rename computers that are provisioned for AMT
If you will rename AMT-based computers or reinstall the operating system on these computers and specify a different FQDN, plan ahead so that you can remove AMT provisioning information
2187

from these computers before you rename or reinstall them. Then provision them for AMT again after the rename or reinstallation of the operation system is complete. For more information about this scenario, see the Renaming AMT-Based Computers and Domain Changes section in the How to Manage AMT Provisioning Information in Configuration Manager topic.

See Also
Planning for Out of Band Management in Configuration Manager

Determine Whether to Use a Customized Firmware Image From Your Computer Manufacturer
Before you purchase the computers that you want to manage out of band by using System Center 2012 Configuration Manager, decide whether you require a customized firmware image from your computer manufacturer. Computers that can be managed out of band have BIOS extensions that can include options such as enabling serial over LAN and IDE redirection and set values such as a certificate thumbprint of a root certification authority that is used during the AMT provisioning process. Check which BIOS extension settings are available from your computer manufacturer, and then decide whether you require a customized image to enable or disable options and specify your choice of values. Some typical examples for requiring customized firmware image include the following: You want to specify an alternative external certification authority to issue the AMT provisioning certificate, or you want to use your own internal certification authority to issue the AMT provisioning certificate. Note If you want to use your own internal certification authority, you have to supply the certificate thumbprint of your root certification authority. The default firmware image enables serial over LAN and IDE redirection, but to comply with your internal security policies, computers on your company network cannot support these highly privileged management options. For more information about serial over LAN and IDE redirection, see Introduction to Out of Band Management in Configuration Manager. The default firmware image does not enable bypassing the BIOS password, and you want to be able to use this option when powering on or restarting computers out of band with the out of band management console. You want your AMT-based computers to use a MEBx password that is different from the default value of admin.
2188

If you think you might benefit from a customized firmware image, discuss the available BIOS extensions with your computer manufacturer or supplier.

See Also
Planning for Out of Band Management in Configuration Manager

Configuring Out of Band Management in Configuration Manager

Use the following topics in this section to help you configure System Center 2012 Configuration Manager to manage Intel AMT-based computers out of band:

In This Section
Administrator Checklist: Out of Band Management in Configuration Manager How to Provision and Configure AMT-Based Computers in Configuration Manager How to Manage AMT Provisioning Information in Configuration Manager

See Also
Out of Band Management in Configuration Manager

Administrator Checklist: Out of Band Management in Configuration Manager

Use the following checklist to help you configure out of band management in System Center 2012 Configuration Manager.
Step Reference

Check the prerequisites for using out of band management with Configuration Manager, and make any required changes to your network infrastructure and computers. Ensure that the appropriate public key infrastructure (PKI) certificates are in place. Configure AMT provisioning.

Prerequisites for Out of Band Management in Configuration Manager

PKI Certificate Requirements for Configuration Manager How to Provision and Configure AMT-Based
2189

Step

Reference

Computers in Configuration Manager If you have configured AMT auditing, enable auditing on selected Intel AMT-based computers and manage the audit log entries. How to Manage the Audit Log for AMT-Based Computers in Configuration Manager

See Also
Configuring Out of Band Management in Configuration Manager

How to Provision and Configure AMT-Based Computers in Configuration Manager

Before you can manage Intel AMT-based-computers out of band in System Center 2012 Configuration Manager, you must provision them after the Configuration Manager client is installed. AMT provisioning requires Microsoft Certificate Services with an enterprise certification authority (CA) and the Configuration Manager enrollment point and out of band service point site system roles. During and after the provisioning process, public key infrastructure (PKI) certificates secure the communication between the AMT-based computers and the Configuration Manager site. Use the following steps and the supplemental procedures in this topic to provision and configure AMT-based computers for out of band management. This information includes the optional configuration to manage AMT-based computers out of band when these computers are connected to an authenticated wired network or a wireless network. You can also configure these optional settings after the AMT-based computer is provisioned, and then update the AMT management controller.

Steps to Provision and Configure AMT-based Computers

Use the following table for the steps, details, and more information about how to provision and configure AMT-based computers. Important Before you perform these steps, ensure that you have all the prerequisites to provision and configure AMT-based computers. For more information, see Prerequisites for Out of Band Management in Configuration Manager.

2190

If you manage AMT-based computers on 801.1X and wireless networks, check the configuration of your RADIUS server so that you know which 802.1X settings to configure for AMT. Additionally, when the AMT-based computer host is configured for wireless networking, either natively in the operating system or by using another solution, ensure that the settings that you specify in the out of band management wireless profile for the Network name (SSID), Security type, and Encryption method match the configuration of your host wireless configuration.
Steps Details More information

Step 1: Prepare Active Directory Domain Services by creating security groups and an organization unit (OU).

Create two security groups: A security group that contains the computer accounts of the primary site servers. A universal security group that will contain accounts for the provisioned AMTbased computers. Grant the first security group the following security permissions to This object only: Read Members and Writer Members.

For more information about how to create security groups and OUs, see the Active Directory documentation.

Create an OU in each domain that will contain AMT-based computers. Grant the first security group the following security permissions to This object only: Create Computer Objects and Delete Computer Objects. Step 2: Confirm DHCP configuration. Ensure that you have an active scope and configure the following DHCP options: 006 (DNS Servers) 015 (DNS Domain Name) For more information about how to configure DHCP, see the DHCP documentation.

Additionally, ensure that the DHCP server is configured to dynamically update DNS with the computer resource records.
2191

Steps

Details

More information

Step 3: Create and issue the PKI certificates.

Ensure that you have configured the following: The web server certificate for the enrollment point. The AMT provisioning certificate. The AMT web server certificate template. For wireless management only: The AMT client authentication certificate template.

To configure the web server certificate for the enrollment point, see the Deploying the Web Server Certificate for Site Systems that Run IIS section in the Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority topic. To configure the certificates for AMT, see the Deploying the Certificates for AMT section in the Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority topic. See the following procedure Step 4: Configuring the Enrollment Point and Out of Band Service Point for AMT Provisioning in this topic. See the following procedure Step 5: Configuring the Out of Band Management Component in this topic.

Step 4: Configure the site system roles for AMT.

Install and configure the following site system roles: The enrollment point. The out of band service point.

Step 5: Configure the out of band management component.

Specify settings such as the OU and security group that you configured in step 1, the certificate templates that you configured in step 3, and AMT User Accounts if you want to run the out of band management console. Powering on computers by using out of band management allows computers assigned to the site to come out of hibernation so that they can respond to scheduled

Step 6: Optional: Configure the site to send power on commands for scheduled wake-up activities.

See the following procedure Step 6: Configuring the Site to Send Power on Commands for Scheduled Wake-Up Activities in this topic.

2192

Steps

Details

More information

management tasks. Step 7: Display the AMT Status and enable AMT provisioning. If necessary, create a new collection to contain the AMTbased computers that you want to provision. Optional but recommended: Add the AMT Status to the Configuration Manager console. Select Enable AMT provisioning for AMT-based computers in the collection properties. Step 8: Monitor the AMT provisioning process. When the Configuration Manager client next downloads client policy, it sends a provisioning request to the out of band service point. If provisioning fails, it automatically retries according to the provisioning schedule that is configured in the out of band management component properties. See the following procedure Step 8: Monitoring AMT Provisioning in this topic. See the following procedure Step 7: Displaying the AMT Status and Enabling AMT provisioning in this topic.

Supplemental Procedures to Provision and Configure AMT-based Computers

Use the following information when the steps in the preceding table require supplemental procedures.

Step 4: Configuring the Enrollment Point and Out of Band Service Point for AMT Provisioning
These procedures configure the site system roles for AMT provisioning. Choose one of these procedures according to whether you install a new site system server for AMT provisioning or use an existing site system server: To install and configure the AMT provisioning site systems: New site system server To install and configure the AMT provisioning site systems: Existing site system server
2193

To install and configure the AMT provisioning site systems: New site system server 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, and click Servers and Site System Roles 3. On the Home tab, in the Create group, click Create Site System Server. 4. On the General page, specify the general settings for the site system, and then click Next. 5. On the System Role Selection page, select Out of band service point and Enrollment point from the list of available roles, and then click Next. Note The roles are not available for secondary sites. In addition, the out of band service point cannot be installed on more than one site system in the primary site. 6. On the Out of band service point page, do not change the default settings for the scheduled power Power on commands unless you have to fine-tune these for your network infrastructure. Click Next. 7. On the AMT Provisioning Certificate page, click Browse to select the AMT provisioning certificate that you created in step 3 in the preceding table. Or, type in the certificate thumbprint. 8. Decide whether you have to clear the Enable CRL checking for the AMT provisioning certificate check box, and then click Next. Note Although the option to check the certificate revocation list (CRL) is more secure, if the out of band service point cannot access the CRL when you enable this option, the out of band service point does not provision computers for AMT. If your AMT provisioning certificate is from an external CA, the out of band service point must have direct Internet access when you enable CRL checking, because this option does not support web proxy access. 9. On the Enrollment Point Settings page, review the settings. Keep the default settings unless you must change them for your environment. Click Next. 10. Complete the wizard. To install and configure the AMT provisioning site systems: Existing site system server 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, select Servers and Site System Roles, and then select the server that you want to use for AMT provisioning. 3. On the Home tab, in the Create group, click Add Site System Roles. 4. On the General page, specify the general settings for the site system, and then click Next.
2194

5. On the System Role Selection page, select Out of band service point and Enrollment point from the list of available roles, and then click Next. Note The roles are not available for secondary sites. In addition, the out of band service point cannot be installed on more than one site system in the primary site. 6. On the Out of band service point page, do not change the default settings for the scheduled power on commands unless you have to fine-tune these for your network infrastructure. Click Next. 7. On the AMT Provisioning Certificate page, click Browse to select the AMT provisioning certificate that you created in step 3 in the preceding table. Or, type the certificate thumbprint. 8. Decide whether you must clear the Enable CRL checking for the AMT provisioning certificate check box, and then click Next. Note Although the option to check the CRL is more secure, if the out of band service point is unable to access the CRL, AMT provisioning will fail. If your AMT provisioning certificate is from an external CA, the out of band service point must have Internet access. 9. On the Enrollment Point Settings page, review the settings. Keep the default settings unless you need to change them for your environment. Click Next. 10. Complete the wizard.

Step 5: Configuring the Out of Band Management Component

This procedure configures the out of band management component. To configure the Out of Band Management component 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration and then click Sites. 3. On the Home tab, in the Settings group, click Configure Site Components, and then click Out of Band Management. 4. Select the enrollment point that you configured in the preceding procedure. 5. Specify the OU and then the universal group that you configured in step 1 in the preceding table. 6. Specify the AMT web server certificate that you configured in step 3 in the preceding table. 7. Decide whether to clear the check box for CRL checking. Note When this option is selected, computers that manage AMT-based computers out
2195

of band must be able to check the CRL for the AMT web server certificate before they can make a successful connection. By default, the CRL is published on the issuing CA. Although checking the CRL is more secure, if the CRL is not available, the connection fails. Computers that manage AMT-based computers include the site server and computers that run the out of band management console. 8. Click Set to specify a strong password for the account in the Management Engine BIOS extension (MEBx) that is used for the initial authenticated access to manage AMT-based computers. Note The password is case sensitive and must be at least 8 characters, with a maximum of 32 characters, together with at least one each of an uppercase, a lowercase, a numeric, and a symbol character. Symbol characters include ! @ # $ % ^ & * and exclude : (colon) (double quotes) _ (underscore). 9. Click the AMT Settings tab. 10. Click the New icon to specify AMT User Accounts that will run the out of band management console. As a best practice, specify security groups rather than individual user accounts. 11. Decide whether you must change the default manageability setting of Always on to Host is on. Note The setting Host is on can help to save power consumption for when the AMTbased computer is in standby or the operating system is shut down. It might also be required by your company policy. However, if you select Host is on and the AMT-based computer is in a power state that does not allow out of band communication, the AMT-based computer does not respond to out of band communication. In this scenario, there is no indication that you cannot connect to the AMT-based computer because it is configured for a power state that does not support manageability. 12. Click Advanced settings and decide whether to change any of the default settings, and then click OK. Note More information about the advanced settings: Enable web interface: Enables or disables the ability for the AMT-based computer to display firmware information in the AMT Web browser. This option is not enabled by default. Enable serial over LAN and IDE redirection: Enables or disables the options for serial over LAN and IDE redirection on the AMT-based computer. This option is enabled by default. Allow ping responses: Enables or disables the AMT management controller to respond to network ping requests when it is sent ICMP datagrams. This option is not
2196

enabled by default. Enable BIOS password bypass for power on and restart commands: Enables or disables the ability to bypass a BIOS prompt for a configured password when powering on an AMT-based computer or restarting it. By default, this option is enabled. Kerberos clock tolerance (minutes): Specifies the allowed clock tolerance between the management controller and the timestamp in received messages. Having a shorter value helps eliminate replay attacks, but too short a value might result in valid connections being rejected. The default setting is 5 minutes.

13. Click Audit Log Settings. Review the AMT features to audit, decide whether to change any of the default settings, and then click OK. Note Selecting the features to audit does not enable auditing. You can enable auditing on selected AMT-based computers after they are provisioned. For more information, see To enable auditing and update audit settings on AMT-based computers. 14. Click the Provisioning tab. 15. If you have to specify an AMT Discovery and Provisioning Account, click the New icon specify one or more accounts. Note Specify an AMT Provisioning and Discovery Account if any one of the following conditions applies: The AMT-based computer has never been provisioned, and your manufacturer delivered the computer with a customized MEBx password. (It is not admin.) When this is the case, add an AMT Provisioning and Discovery Account named admin and specify the password that was provided by the manufacturer. The AMT-based computer has never been provisioned, and your manufacturer delivered the computer with the default MEBx password of admin, but you have configured the MEBx password in the computers BIOS extensions. When this is the case, add an AMT Provisioning and Discovery Account named admin and specify the password that you configured in the BIOS extensions. The AMT-based computer has been previously provisioned by another AMT management solution, and the provisioning information has been partially removed (either by that management solution or by locally configuring the BIOS extensions). When this is the case, and you want to discover or provision these computers by using Configuration Manager, add an AMT Provisioning and Discovery Account named admin and specify the password for the AMT Remote Admin Account that was configured by the other management solution. to

16. Configure the AMT provisioning schedule. 17. Click Set to specify the AMT Provisioning Removal Account. Specify a Windows account that is specified as an AMT User Account in step 10. You must also add this account to the local Administrators group on the out of band service point computer.
2197

Note If you must recover the site, you can use this account to remove the AMT provisioning information from computers, and then reprovision them. For more information about how to remove AMT provisioning information, see How to Remove AMT Information. 18. If you want to manage AMT-based computers when they are connected to authenticated wired and wireless 802.1X networks, click the 802.1X and Wireless tab; otherwise, click OK to close the Out of Band Management Component Properties dialog box. 19. To configure 802.1X authentication for wired networks, select Enable 802.1X authentication for wired network access, and then click Configure. 20. In the 802.1X Wired Network Access Control dialog box, click Select to select the Trusted root certificate. 21. In the Trusted Root Certificate for RADIUS Authentication dialog box, specify the trusted root certificate by using one of the following methods, and then click OK: To specify the trusted root certificate by selecting an enterprise CA from the forest, ensure that From certification authority (CA) is selected, and select the CA from the list. To specify the trusted root certificate by selecting a DER encoded binary X.509 (.cer) or base-64 encoded X.509 (.cer) file that contains the exported trusted root certificate, click From file, click Browse, select the .cer file, and then click Open.

22. In the drop-down box, select the client authentication method to use. 23. If you selected the client authentication method of EAP-TTLS/MSCHAPv2 or PEAPv0/EAP-MSCHAPv2, click Use client certificate if you also want to use a client certificate for authentication. 24. If Use client certificate is selected, click Select, specify the Issuing CA to use for the client certificate and the RADIUS client certificate template that you created in step 3 in the preceding table, and then click OK. 25. If you do not have to configure wireless settings, click OK to close the Out of Band Management Component Properties dialog box. 26. To create and configure a wireless profile, click the New icon . 27. In the Wireless Profile dialog box, type a display name for the Profile name. 28. Type the name of the wireless network in the Network name (SSID). 29. Specify the security type in the Security type box. 30. Specify the encryption method in the Encryption method box. 31. Click Select to specify the trusted root certificate for the RADIUS server. 32. In the Trusted Root Certificate for RADIUS Authentication dialog box, specify the trusted root certificate by using one of the following methods, and then click OK: To specify the trusted root certificate by selecting an enterprise CA from the forest, ensure that From certification authority (CA) is selected, and select the CA from the list. To specify the trusted root certificate by selecting a DER encoded binary X.509 (.cer)
2198

or base-64 encoded X.509 (.cer) file that contains the exported trusted root certificate, click From file, click Browse, select the .cer file, and then click Open. 33. In the drop-down box, select the client authentication method to use. 34. If you selected the client authentication method of EAP-TTLS/MSCHAPv2 or PEAPv0/EAP-MSCHAPv2, click Use client certificate if you also want to use a client certificate for authentication. 35. If Use client certificate is selected, click Select, specify the Issuing CA to use for the client certificate and the RADIUS client certificate template that you created in step 3 in the preceding table, and then click OK. 36. Create additional wireless profiles as required. 37. To change the order of the wireless profiles, select a wireless profile, and then click the Move Item Down icon or Move Item Up icon . The AMT-based computers try each wireless profile in turn until a connection is successfully made, and they continue to use this profile for the duration of the connection. 38. If you must change the settings of a wireless profile, select the wireless profile, and then click the Properties icon . 39. Click OK to close the Out of Band Management Component Properties dialog box.

Step 6: Configuring the Site to Send Power on Commands for Scheduled Wake-Up Activities
This procedure enables the primary site server to send power on commands to AMT-based computers when they have scheduled deployments and these computers are in hibernation or are turned off. To configure the site to send power on commands for scheduled wake-up activities 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, click Sites, and select the primary site to configure. 3. On the Home tab, click Properties, and then click the Wake On LAN tab. 4. Select the Enable Wake On LAN for this site check box, and then select one of the following options: Use AMT power on commands if the computer supports this technology; otherwise, use wake-up packets Use AMT power on commands only Warning After configuring the wake-up option for the site, all deployments that are configured for Wake On LAN use the same setting. You cannot configure which deployments to use on an individual basis; for example, you cannot configure only software update deployments to use wake-up packets only or a specific task sequence to use power Power on commands only.
2199

5. Click OK. Note Because of the additional overhead involved in establishing, maintaining, and terminating an out of band management session, conduct your own tests so that you can accurately judge how long it takes to wake up multiple computers by using AMT power on commands in your environment, for example, across slow WAN links to computers in secondary sites. This knowledge helps you determine whether waking up multiple computers for scheduled activities by using power on commands with out of band communication is practical when you have a high number of computers to wake up within a short period of time.

Step 7: Displaying the AMT Status and Enabling AMT provisioning

This procedure adds the AMT Status column to the Configuration Manager console and enables AMT provisioning. To display the AMT status column in the Configuration Manager console and enable AMT provisioning for a collection 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, expand Devices, and select the device collection that contains the AMT-based computers. 3. In the results pane, right-click any column title, and select AMT Status. 4. On the Home tab, in the Collection group, click Manage out of Band, and then click Discover AMT Status. Click OK to confirm the action. 5. On the Home tab, click Properties. 6. In the collection properties dialog box, click the Out of Band Management tab. 7. Select Enable provisioning for AMT-based computers, and then click OK. 8. If you have configured out of band management for 802.1X authenticated wired connections or 802.1X wireless connections: Ensure that one of the following network connections are in operation for the AMT-based computers: The computer is connected to an Ethernet port on which 802.1X authentication is not required. The computer is connected to an 802.1X authenticated network through the operating system.

In addition, for out of band management on wireless networks, check that your DNS servers have a host record for the AMT-based computer, which contains the wireless IP address. AMT cannot register a host record in DNS, so you must ensure that either DHCP or the operating system on the host computer updates DNS so that the wireless IP address of the AMT-based computers can be resolved to its fully qualified domain name (FQDN). Alternatively, you can manually create these records in DNS as required.
2200

Step 8: Monitoring AMT Provisioning

Although you can manually discover the current status by using the Discover AMT Status option, the value also updates automatically after the AMT provisioning process. Monitor the AMT status by using any of the following methods: View the AMT Status column in the Configuration Manager console. Create query-based collections by using the AMT Status value. View the report Computers with out of band management controllers.

For more information about the AMT status, see About the AMT Status and Out of Band Management in Configuration Manager.

How to Verify That Computers are Provisioned for 802.1X Network Connections
Because the settings for 802.1X are applied after the AMT-based computer is provisioned on an unauthenticated Ethernet connection, the AMT Status of Provisioned does not confirm that the computer can be managed out of band on a wireless or wired 802.1X network connection. Use the following procedure to verify that the settings for 802.1X are successfully applied. To verify whether AMT-based computers are configured for authenticated wired and wireless network connections 1. On the out of band service point, locate and open the file <ConfigMgrInstallationPath>\Logs\Amtopmgr.log. 2. Search for one of the following text strings, where <wireless_profile> is the specified name of the wireless profile: To confirm that the authenticated wired settings were successfully configured, search for Begin to set Wired 8021x Profile..., and then Set Wired 8021x Profile Success.... To confirm that the wireless profile settings were successfully configured, search for Set wireless profile: <wireless_profile>, and then Successfully add wireless profile <wireless_profile>. To identify a failure in configuring a wireless profile because a specified configuration element failed (for example, a client certificate was specified but could not be issued), search for Set wireless profile: <wireless_profile>, the reason for the failure (for example, No client Certificate), and then The wireless profile: <wireless_profile> is invaid. Skip adding.... To identify a failure in updating wireless profiles because the AMT-based computer is currently on a wireless connection, search for The wireless connection is active, skip setting wifi profiles.

3. Close the log file and take corrective action if the settings were not successfully applied.

2201

See Also
Configuring Out of Band Management in Configuration Manager

How to Manage AMT Provisioning Information in Configuration Manager

After you have provisioned Intel AMT-based computers for System Center 2012 Configuration Manager, you might have to update the AMT settings or remove the provisioning data. Use the following sections to manage the AMT provisioning information on AMT-based computers: How to Update Computers for New AMT Settings How to Remove AMT Information

How to Update Computers for New AMT Settings

After AMT-based computers are provisioned by Configuration Manager, you must update their AMT management controller if you change any of the AMT settings or configurations. For example, you might want to add support for wireless networks after a successful trial period on the Ethernet. Computers that are already provisioned for AMT are not automatically reconfigured. Note If you manage AMT-based computers on 802.1X authenticated wired or wireless networks, you can update the AMT management controllers when the computers are connected to these networks, with the exception of settings in a wireless profile that is currently in use. To update computers for new AMT settings 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, locate, and then select the AMT-based computers to update. 3. On the Home tab, in the Device group, click Manage Out of Band, click Update AMT Provisioning Data, and then click OK.

How to Remove AMT Information

You might have to remove the AMT provisioning information because you no longer want the computer managed out of band by Configuration Manager. Or, you no longer trust the computer and decide that its associated certificates and Active Directory account should no longer be available. Another scenario is if you rename a computer that is already provisioned for AMT by
2202

Configuration Manager or move the computer to another domain, or you want to reassign the computer to another Configuration Manager site. Warning For more information about renaming or moving AMT-based computers, see Renaming AMT-Based Computers and Domain Changes in this topic. For more information about how to reassig AMT-based computers, see Reassigning AMT-Based Computers to Another Configuration Manager Site in this topic. You have the following options when you use Configuration Manager to remove provisioning information from an AMT-based computer: You can remove the configuration data for the management controller including whether IDE redirection and serial over LAN are enabled, network pings are supported, and the web interface is enabled, but keep identification information about the computer including its host name, IP address, and DNS suffix. You can remove both the configuration data and the identification information from the computer. The primary site server revokes the certificate that was issued to the AMT-based computer when it was provisioned. The revocation reason is Cease of Operation. The primary site server removes the Active Directory objects that were created during AMT provisioning: The object published to the organizational unit (OU) and the computer account added to the universal security group. The primary site server deletes the service principal name (SPN) for the AMT-based computer.

Additionally, the following actions are performed when you remove provisioning information:

By default, AMT-based computers automatically reprovision with Configuration Manager if they are in a collection that is configured for the option Enable AMT provisioning. To prevent automatic provisioning, select the option Disable automatic provisioning when you remove provisioning information for the computer. Note If you disable automatic reprovisioning and later want to automatically provision these AMT-based computers, right-click the resource, click Manage Out of Band, and then click Enable Automatic AMT Provisioning. If you reassign the client to another Configuration Manager hierarchy that is configured for AMT provisioning, the automatic AMT provisioning status Disabled is not carried forward to the new hierarchy. Use the following procedure to remove provisioning information for an AMT-based computer if you no longer want to manage it out of band with Configuration Manager. After you complete the procedure, to confirm that this action is successful, check that the AMT status for the computer changes from Provisioned to Not Provisioned. This check is particularly important if you are removing the provisioning information because the AMT-based computer is no longer trusted. If the status remains as Provisioned, you must manually delete the associated AMT account in Active Directory Domain Services and manually revoke any out of band management certificates that have been issued to the computer.
2203

Important If the AMT audit log is enabled on the AMT-based computer, clear the log before you remove the AMT provisioning information. For more information, see To clear the audit log on AMT-based computers. To remove AMT provisioning information 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, locate and select the AMT-based computers to update. 3. On the Home tab, in the Device group, click Manage Out of Band, and then click Remove AMT Provisioning Data. 4. Select a data removal option. 5. If you want to prevent the AMT-based computer from automatically reprovisioning, select Disable automatic provisioning. 6. If you are removing the AMT provisioning information because you have recovered the site, select Use AMT Provisioning Removal Account. You might also be able to use this account if you have reassigned the AMT-based computer from another site and did not remove the provisioning information in the original site. For example, this might apply if you are migrating from Configuration Manager 2007. Note To successfully remove the AMT provisioning information by using the AMT Provisioning Removal Account, the following must be true: The AMT Provisioning Removal Account is configured in the out of band management component properties. If this account is not configured, the option to select this account is not available. The account that is configured for the AMT Provisioning Removal Account was configured as an AMT User Account in the out of band management component properties when the AMT-based computer was provisioned or updated. The account that is configured for the AMT Provisioning Removal Account is a member of the local Administrators group on the out of band service point computer. The AMT auditing log does not contain any data. When the AMT Status for the selected AMT-based computer is Detected rather than Provisioned, this option is always selected when the AMT Provisioning Removal Account is configured because in this scenario, you must use the AMT Provisioning Removal Account. 7. Click OK.

Renaming AMT-Based Computers and Domain Changes

If you rename a computer that Configuration Manager already provisioned for AMT or move the computer to another domain, you must remove all the provisioning information from the AMT2204

based computer, and then provision the computer again. You can remove the provisioning information either before renaming or moving the computer or after renaming or moving the computer. However, do not provision the computer again until the name change or domain move is completed. If you fail to perform these procedures, the AMT-based computer cannot be managed out of band after the change of name or domain move. When you remove the provisioning information, select the option to remove both configuration data and identification information from the management controller; and select the Disable automatic provisioning option and re-enable it after the name change or domain move has taken place.

Reassigning AMT-Based Computers to Another Configuration Manager Site

If you reassign an AMT-based computer to another Configuration Manager site, you must remove the AMT provisioning information and then provision the computer again in the new site. Until you do this, you cannot connect to the AMT-based computer in the new site. In this scenario, the AMT Status displays Detected. As a best practice, use the preceding procedure in this topic to remove the provisioning information while the computer is in the original site. If this is not possible, you can manually remove the provisioning information by configuring the BIOS extensions. Alternatively, if one of the AMT User Accounts on the AMT-based computer is configured for a Windows account that is configured as the AMT Provisioning Removal Account in the new site, you can remove the provisioning information after the Configuration Manager client is assigned to the new site.

See Also
Configuring Out of Band Management in Configuration Manager

Operations and Maintenance for Out of Band Management in Configuration Manager

Use the following topics in this section to help you perform operations and maintenance tasks that manage Intel AMT-based computers out of band by using System Center 2012 Configuration Manager.

In This Section
How to Manage the Audit Log for AMT-Based Computers in Configuration Manager How to Manage AMT-based Computers Out of Band in Configuration Manager How to Monitor Out of Band Management in Configuration Manager

2205

See Also
Out of Band Management in Configuration Manager

How to Manage AMT-based Computers Out of Band in Configuration Manager

After you have provisioned Intel AMT-based computers for System Center 2012 Configuration Manager, you can manage them by using the following procedures: How to Run the Out of Band Management Console How to Power off Computers How to Power on and Restart Computers How to Configure BIOS Settings for a Computer How to Run Commands, Repair Tools, and Diagnostic Applications for a Computer

You can also block an Intel AMT-based computer if you no longer trust the computer. However, after you block an AMT-based computer that is provisioned by Configuration Manager, you cannot manage it out of band any longer. For more information, see Blocking AMT-Based Computers.

How to Run the Out of Band Management Console

You can use the out of band management console to connect to an AMT-based computer to manage it even if the operating system is not responding, or if the computer is turned off. You can run multiple out of band management consoles to connect to different AMT-based computers at the same time. However, an AMT-based computer cannot be managed by more than one out of band management console at the same time. In this scenario, the second and subsequent connections fail to restart the computer or to establish a serial connection. The computer must be provisioned for AMT before you can connect to it by using the out of band management console, and you must be logged on by using one of the AMT User Accounts that you specified in the Out of Band Management Component Properties dialog box. Log on by using one of the AMT User Accounts that you specified in the Out of Band Management Component Properties dialog box, and then use one of the following procedures to run the out of band management console. To run the out of band management console from the Configuration Manager console 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, click Devices or Device Collections. 3. Select the computer that you want to manage by using the out of band management console, and then, on the Home tab, in the Device group, click Manage Out of Band, and then click Out of Band Management Console.
2206

Note The Out of Band Management Console option is available for a resource only if it is provisioned for AMT. 4. When you have completed your out of band management tasks for the currently selected computer, you can leave the console running and connected, or perform one of the following actions: Click File, and then click Exit to disconnect from the computer and exit the out of band management console. Click Connection, and then click Disconnect so that you can reconnect to the same computer later.

To run the out of band management console at the command prompt 1. At the command prompt, type: <ConfigMgrInstallPath>\bin\oobconsole.exe -s <siteserver> -t <resourceID> Note If you are running the out of band management console outside the client's assigned site, specify the site server in the client's assigned site. 2. When you have completed your out of band management tasks for the currently selected computer, you can leave the console running and connected or perform one of the following actions: Click File, and then click Exit to disconnect from the computer and exit the out of band management console. Click Connection, and then click Disconnect so that you can reconnect to the same computer later.

How to Run the Intel AMT Web Console

You can use the Intel AMT web console as an alternative to running the out of band management console. For more information about this web console, see the Intel documentation. Note To support the AMT web console on computers, in the Out of Band Management Component Properties dialog box, on the AMT Settings tab, select the option Enable Web interface. Use the following procedure to manage computers by using the Intel AMT web console. To manage computers by using the Intel AMT web console 1. Open a web browser. In the address bar, type: https://<FQDN_of_computer>:16993 Note If your web browser uses a proxy web server, you might have to configure the
2207

computer's FQDN as an exception in your web browser so that the connection does not use the proxy web server for this connection on the intranet. 2. Click Log On, and supply an AMT User Account and credentials. 3. When you have finished using the AMT web console, close the web browser.

How to Power off Computers

You can power off a single computer or multiple computers in a selected collection, or power off all computers in a collection. This power control action is available from the Configuration Manager console and from the out of band management console. Caution When you power off a computer, this action should be performed as a last resort in a troubleshooting scenario where the operating system is not responding. To power off a computer has the same effect as removing the power cable from the computer: the operating system does not shut down correctly, unsaved work is lost, and logged-on users are not notified of the power off action. Use the following procedures to power off one or more computers. To power off individual computers from the Configuration Manager console 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, click Devices or Device Collections. 3. Select one or multiple computers to power off, and then on the Home tab, in the Device group, click Manage Out of Band, and then click Power Control. Note The Power Control option is available for a resource only if it is provisioned for AMT. 4. In the Power Control dialog box, select Power off, and then click OK to confirm the action. To power off a single computer by using the out of band management console 1. Connect to the resource by using the out of band management console. 2. Click Power Control, click Power Off, and then click Yes to confirm the action. To power off all computers in a collection from the Configuration Manager console 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, click Devices or Device Collections. 3. Select a collection that contains the computers to power off, and then on the Home tab, in the Device group, click Manage Out of Band, and then click Power Control.

2208

Note The Power Control option is always available for a collection, even if the collection contains resources that are not provisioned for AMT. Configuration Manager sends power control actions only to the computers that are provisioned for AMT. 4. In the Power Control dialog box, select Power off, and then click Yes to confirm the action.

How to Power on and Restart Computers

You can power on or restart a single computer or multiple computers in a selected collection, or power on or restart all computers in a collection. The power-on and restart power control actions are available from the Configuration Manager console and the out of band management console. When you power on or restart a computer by using the out of band management console, you can also select the boot action to perform when the computer has powered on or restarted. The boot options available depend on what the computer supports, but typically include the following: Boot normally Boot from local CD or DVD drive Boot from local hard drive Boot from IDE redirection location Boot from the network Boot to BIOS Note If you power on or restart a computer that has a BIOS password configured, by default, the computer waits for the password to be entered until after the computer has powered on or restarted. If the computer supports bypassing the BIOS password for AMT management (this setting is manufacturer-dependent), selecting the option Enable BIOS password bypass in the Out of Band Management Component Properties dialog box on the AMT Settings tab or in the out of band management console enables the computer to start after the power on or restart action is performed. Additionally, you can power on a computer before the configured deadline for a software deployment. When you power on a computer by using the Configuration Manager console and when power on commands are sent to wake up computers for scheduled activities, the packets are always sent from the out of band service point. When you power on a computer by using the out of band management console, the packets are sent from the computer that is running the out of band management console. When the targeted computer is connected by a WAN link with the out of band service point, consider using the out of band management console from a computer that is local to the targeted computer to avoid traffic across the WAN. Caution
2209

Consider the restart of a computer to be a last resort in a troubleshooting scenario where the operating system is not responding. Restarting a computer has the same effect as pressing the Restart button: the operating system does not shut down correctly, unsaved work is lost, and logged-on users are not notified of the restart action. Use the following procedures to power on or restart a computer. To power on or restart individual computers from the Configuration Manager console 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, click Devices or Device Collections. 3. Select one or multiple computers to power on or restart, and then, on the Home tab, in the Device group, click Manage Out of Band, and then click Power Control. Note The Power Control option is available for a resource only if it is provisioned for AMT. 4. In the Power Control dialog box, select Power on if the computer is turned off or Restart Computer if the computer is running, and then click OK. To power on or restart all computers in a collection from the Configuration Manager console 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, click Devices or Device Collections. 3. Select a collection that contains computers to power on or restart, and then on the Home tab, in the Device group, click Manage Out of Band, and then click Power Control. Note The Power Control option is always available for a collection, even if the collection contains resources that are not provisioned for AMT. Configuration Manager sends power control actions only to the computers that are provisioned for AMT. 4. In the Power Control dialog box, select Power on if computers are turned off or Restart Computer if the computers are running, and then click OK. To power on or restart a single computer by using the out of band management console 1. Connect to the resource by using the out of band management console. 2. Click Power Control. 3. If you want the computer to use a boot option that is different from its default configuration after it has powered on or restarted, select it from the Boot option list. 4. If you select a boot option that uses IDE redirection, click Boot from local drive or Boot from file, and ensure that the default value associated with the option specified is correct for the computer. If you want to use another value, click the drop-down menu for the local drive, or click Browse to select the path and file name that contains the image file that
2210

you want to use. IDE paths must use ASCII characters only. Note To use the Boot from local drive and Boot from file options, the option Enable serial over LAN and IDE redirection must be selected in the Out of Band Management Properties dialog box on the AMT Settings tab. 5. Optionally, select Bypass BIOS password and Lock remote keyboard if required and if these options are supported by the AMT-based computer. 6. Click Power On if the computer is turned off, or click Restart Computer if the computer is running. To power on computers before the configured deadline for a software deployment 1. Ensure that the site is configured to send power-on commands for scheduled wake-up activities. For more information, see Configuring the Site to Send Power on Commands for Scheduled Wake-Up Activities. 2. Configure the scheduled deployment for wake-up packets.

How to Configure BIOS Settings for a Computer

You can remotely view and change BIOS settings of an AMT-based computer when you have selected the option Allow serial over LAN and IDE-Redirect for AMT devices in the Out of Band Management Component Properties dialog box on the AMT Settings tab. This out of band management option uses serial-over-LAN technology and runs a terminal emulation session within the out of band management console so that you can remotely view and interact with the computer output. Use the following procedure to run a serial over LAN connection to a computer so that you can remotely view and modify BIOS settings. To configure BIOS settings for a computer 1. Connect to the resource by using the out of band management console. 2. If you have to change the default terminal emulation type from PC ANSI to VT-100 to match the terminal emulation settings in the targeted computer's BIOS, click Tools, click Options, select VT-100, and then click OK. 3. Click Serial Connection. 4. Click the Open Serial-over-LAN button, and then click Yes to acknowledge the warning about disconnecting a wireless connection. Wait for the BIOS Setup menu to display. 5. Click Power Control, and from the displayed list of options for Boot Option, select the option that refers to BIOS Setup. 6. Click Power On if the power state of the computer is off, or click Restart Computer if the power state of the computer is on. 7. Click inside the blank window to activate the remote display session.
2211

8. View or change the BIOS settings, and then save them as required. When you have completed BIOS setup, and select the option to save the settings, the computer automatically restarts. Note Refer to your computer manufacturer's documentation for more information about configuring the BIOS settings. 9. If you have finished managing the computer, choose one of the following options: To disconnect from the computer and close the out of band management console, click File, and then click Exit. To disconnect from the computer but leave the out of band management console running so that you can reconnect to it later, click File, and then click Disconnect.

How to Run Commands, Repair Tools, and Diagnostic Applications for a Computer
You can remotely run commands, repair tools, and diagnostic applications for an AMT-based computer when both of the following conditions apply: The files or commands to run character-based tools or applications, which can be located from a network share or are locally available to the computer. (For example, they have been installed onto the local hard drive by using Configuration Manager application management.) A boot image that runs a character-based operating system. Note To use this option, in the Out of Band Management Component Properties dialog box on the AMT Settings tab, select the Enable serial over LAN and IDE redirection advanced setting. This out of band management option uses serial-over-LAN technology and runs a terminal emulation session from within the out of band management console so that you can remotely view and interact with the computer output. Although it is possible to remotely run graphics-based applications, the output will not be visible in the out of band management console. Run graphics-based applications only if you can run them completely automated. For example, you can reinstall an operating system if you also specify an unattended setup file so that no interaction is required for completion. Use the following procedure to remotely run commands, repair tools, or diagnostic applications on a computer. To remotely run commands, repair tools, or diagnostic applications on a computer 1. Connect to the resource by using the out of band management console. 2. If you have to change the default terminal emulation type from PC ANSI to VT-100 to match the terminal emulation settings in the targeted computer's BIOS, click Tools, click Options, select VT-100, and then click OK.
2212

3. Click Serial Connection. 4. Click the Open Serial-over-LAN button, and then click Yes to acknowledge the warning about disconnecting a wireless connection. Wait for the computer to complete startup, while the command prompt is displayed. 5. Click Power Control, and from the displayed list of options for Boot option, select the option that refers to IDE redirection. 6. Click Boot from file, and if required, change the default value for the IDE redirection file path so that it specifies the path and file that will run the character-based operating system. IDE paths must use ASCII characters only. 7. Click Power On if the power state of the computer is off, or click Restart Computer if the power state of the computer is on. 8. Click inside the blank window to activate the remote display session. 9. Run the commands, repair tools, or diagnostic applications. 10. Click Power Control, and then choose one of the following options: To restart the computer, select the option that refers to normal boot from the displayed list of options for Boot option, and then click Restart Computer. To power down the computer, click Power Off. To disconnect from the computer and close the out of band management console, click File, and then click Exit. To disconnect from the computer but leave the out of band management console running so that you can reconnect to it later, click File, and then click Disconnect.

11. If you have finished managing the computer, choose one of the following options:

See Also
Operations and Maintenance for Out of Band Management in Configuration Manager

How to Manage the Audit Log for AMT-Based Computers in Configuration Manager
If you have configured System Center 2012 Configuration Manager for AMT auditing, you can enable and disable auditing on selected Intel AMT-based computers, you can update existing audit settings, you can export the auditing entries to a file, and you can clear the auditing log. You might have to clear the audit log on AMT-based computers to make more space in the log for new entries. All the auditing features that you can select by using Configuration Manager are categorized as noncritical, and depending on your AMT version, these might stop writing to the audit log when it is 85 percent full or might start overwriting old entries. You can save the current audit log entries and delete them from an AMT-based computer by using the out of band management console. Use the following procedures to manage the audit log for AMT-based computers:
2213

To enable auditing and update audit settings on AMT-based computers To disable auditing on AMT-based computers To export the audit log for AMT-based computers To clear the audit log on AMT-based computers To monitor auditing activities by using status messages

Before you perform these procedures, you must configure Configuration Manager for AMT auditing as described in Configuring the Out of Band Management Component. To enable auditing and update audit settings on AMT-based computers 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, click Devices or Device Collections. 3. Select one or multiple AMT-based computers for which you want to enable auditing or update the audit settings, and then, on the Home tab, in the Device group, click Manage Out of Band, and then click Enable Auditing and Apply Audit Log Settings. 4. Click OK in the confirmation dialog box. To disable auditing on AMT-based computers 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, click Devices or Device Collections. 3. Select one or multiple AMT-based computers for which you want to clear the AMT audit log, and then, on the Home tab, in the Device group, click Manage Out of Band, and then click Disable Audit Log. 4. Click OK in the confirmation dialog box. To export the audit log for AMT-based computers 1. Connect to the AMT-based computer by using the out of band management console. 2. Click System Audit Log, click Export All, specify the path and file name to contain the auditing entries, and then click OK. To clear the audit log on AMT-based computers 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, click Device Collections. 3. From one of the collections, perform one of the following actions: To clear the audit log for all AMT-based computers in a collection, select the collection, and then, on the Home tab, in the Device group, click Manage Out of Band, and then click Clear Audit Log. To clear the audit log for selected AMT-based computers, select one or multiple computers within a collection, and then, on the Home tab, in the Device group, click Manage Out of Band, and then click Clear Audit Log.

4. Click OK in the confirmation dialog box.

2214

To monitor auditing activities by using status messages 1. In the Configuration Manager console, click Monitoring. 2. In the Monitoring workspace, expand System Status, click Status Message Queries, and then in the results pane, click All Status Messages. 3. On the Home tab, in the Status Message Queries group, click Show Messages. 4. In the All Status Messages dialog box, you are prompted for the time period for which you want to check status messages. Enter the time period or date and time, and then click OK. 5. All status messages are displayed in the Configuration Manager Status Message Viewer. Click the Component column, and locate the status messages with a component named Microsoft.ConfigurationManagement.exe. 6. For more information about any of the status messages, right-click a status message, and then select Detail.

7. View the information in the Status Message Details dialog box, and then click OK to close this dialog box, or click Previous or Next to view the details of other status messages. 8. Click OK to close the Status Message Details dialog box, and close the Configuration Manager Status Message Viewer.

See Also
Operations and Maintenance for Out of Band Management in Configuration Manager

How to Monitor Out of Band Management in Configuration Manager

You can monitor the out of band management activity in System Center 2012 Configuration Manager by using the following procedures: Run reports related to out of band management. Use the out of band management performance counter for SMS AMT Operations Manager. Identify status messages related to out of band management. To monitor out of band management by running reports 1. In the Configuration Manager console, click Monitoring. 2. In the Monitoring workspace, expand Reporting, and then click Reports. 3. In the results pane, type out of band in the Look for box so that you can more easily find the reports relating to out of band management. 4. Right-click one of the following reports, and then click Run.
2215

Clients with out of band management controllers Status of client out of band management provisioning Out of band management console activity

5. If you see the Report Information window, specify any required or optional values, and then click Display. For more information about the AMT status values in the reports, see About the AMT Status and Out of Band Management in Configuration Manager. To monitor out of band management by using the out of band management performance counter 1. In the Performance tool, ensure that the site server is selected as the targeted computer, and in the Performance object drop-down menu, click SMS AMT Operations Manager. 2. Select either All counters or select Select counters from list, and then click one or more of the following options: Number of packets per second Total number of packets failed Total number of packets sent Total number of requests pending

3. Click Add for each out of band management performance counter that you require. 4. Click Close. To monitor out of band management by using status messages 1. In the Configuration Manager console, click Monitoring. 2. In the Monitoring workspace, expand System Status, click Status Message Queries, and then in the results pane, click All Status Messages. 3. On the Home tab, in the Status Message Queries group, click Show Messages. 4. In the All Status Messages dialog box, you are prompted for the time period for which you want to check status messages. Enter the time period or date and time, and then click OK. 5. All status messages are displayed in the Status Message Viewer. Click the Component column, and locate the status messages with the following component names: 6. SMS_AMT_OPERATION_MANAGER SMS_AMT_PROXY_COMPONENT OOB Console

For more information about any of the status messages, right-click a status message, and then select Detail.

7. View the information in the Status Message Details dialog box, and then click OK to close this dialog box, or click Previous or Next to view the details of other status messages. 8. Click OK to close the Status Message Details dialog box, and close the Status
2216

Message Viewer.

See Also
Operations and Maintenance for Out of Band Management in Configuration Manager

Security and Privacy for Out of Band Management in Configuration Manager

This topic contains security and privacy information for out of band management in System Center 2012 Configuration Manager.

Security Best Practices for Out of Band Management

Use the following security best practices when you manage Intel AMT-based computers out of band.
Security best practice More information

Request customized firmware before you purchase Intel AMT-based computers.

Computers that can be managed out of band have BIOS extensions that can set customized values to significantly increase security when these computers are on your network. Check which BIOS extension settings are available from your computer manufacturer, and specify your values. For more information, see Determine Whether to Use a Customized Firmware Image From Your Computer Manufacturer. If your AMT-based computers do not have the firmware values that you want to use, you might be able to manually specify them. For more information about manually configuring the BIOS extensions, see the Intel documentation or the documentation from your computer manufacturer. For additional information, see Intel vPro Expert Center: Microsoft vPro Manageability. Customize the following options to increase your security: Replace all certificate thumbprints of
2217

Security best practice

More information

external certification authorities (CAs) with the certificate thumbprint of your own internal CA. This prevents rogue provisioning servers from attempting to provision your AMT-based computers, and you do not have to purchase provisioning certificates from external CAs. Use a custom password for the MEBx Account so that the default value of admin is not used. Then specify this password with an AMT Provisioning and Discovery Account in Configuration Manager. This prevents rogue provisioning servers from attempting to provision your AMT-based computers with the known default password.

Control the request and installation of the provisioning certificate.

Request the provisioning certificate directly from the provisioning server by using the computer security context so that the certificate is installed directly into the local computer store. If you must request the certificate from another computer, you have to export the private key, and then use additional security controls when you transfer and import the certificate into a certificate store.

Ensure that you request a new provisioning An expired AMT provisioning certificate results certificate before the existing certificate expires. in a provisioning failure. If you are using an external CA for your provisioning certificate, allow for additional time to complete the renewal process and reconfigure the out of band management point.

Use a dedicated certificate template for provisioning AMT-based computers.

If you are use an Enterprise version of Windows Server for your enterprise CA, create a new certificate template by duplicating the default Web Server certificate template, ensure that only the security group that you specify in the out of band management component properties has Read and Enroll permissions, and do not add additional capabilities to the default of server authentication.
2218

Security best practice

More information

A dedicated certificate template allows you to better manage and control access to help prevent elevation of privileges. If you have a Standard version of Windows Server for your enterprise CA, you cannot create a duplicate certificate template. In this scenario, you must add Read and Enroll permissions to the security group that you specify in the out of band management component properties and remove any permission that you do not require. Use AMT power on commands instead of wake-up packets. Although both solutions support waking up computers for software installation, AMT power on commands are more secure than transmitting wake-up packets because they provide authentication and encryption by using standard industry security protocols. By using AMT power on commands with out of band management, this solution can also integrate with an existing public key infrastructure (PKI) deployment, and the security controls can be managed independently from the product. For more information, see Planning How to Wake Up Clients in Planning for Client Communication in Configuration Manager. Even when AMT-based computers have a supported version of AMT, there are some scenarios that out of band management does not support. These scenarios include workgroup computers, computers that have a different namespace, and computers that have a disjoint namespace. To ensure that these AMT-based computers are not published to Active Directory Domain Services and do not have a PKI certificate requested for them, disable AMT in the firmware. AMT provisioning in Configuration Manager creates domain credentials for the accounts published to Active Directory Domain Services, which risks the elevation of privileges when the computers are not part of your Active
2219

Disable AMT in the firmware if the computer is not supported for out of band management.

Security best practice

More information

Directory forest. Use a dedicated OU to publish AMT-based computer accounts. Do not use an existing container or organizational unit (OU) to publish the Active Directory accounts that are created during AMT provisioning. A separate OU lets you manage and control these accounts better and helps ensure that site servers and these accounts are not granted more permissions than they require. In addition to allowing the site server computer accounts Create all child objects and Delete all child objects permissions for the OU and apply to This object only, allow the following permissions for the site server computer accounts: For the OU: Write all properties permission and apply to This object and all descendant objects. For the Domain Computers group: Write all properties permission and apply to This object only. For the Domain Guest group: Write all properties permissions and apply to This object only.

Allow the site server computer accounts Write permission to the OU, the Domain Computers group, and the Domain Guests group in each domain that contains AMT-based computers.

Use a dedicated collection for AMT provisioning.

Do not use an existing collection that contains more computers than you want to provision for AMT. Instead, create a query-based collection by using the AMT status of Not Provisioned. For more information about the AMT Status and how to construct a query for Not Provisioned, see About the AMT Status and Out of Band Management in Configuration Manager.

Retrieve and store image files securely when you boot from alternative media to use the IDE redirection function.

When you boot from alternative media to use the IDE redirection function, whenever possible, store the image files locally on the computer running the out of band management console. If you must store them on the network, ensure that connections to retrieve the files over the network use SMB signing to help prevent the
2220

Security best practice

More information

files being tampered with during the network transfer. In both scenarios, secure the stored files to help prevent unauthorized access, for example, by using NTFS permissions and the encrypted file system. Retrieve and store AMT audit log files securely. If you save AMT audit log files, whenever possible, store the files locally on the computer that is running the out of band management console. If you must store them on the network, ensure that connections to retrieve the files over the network use SMB signing to help prevent the files being tampered with during the network transfer. In both scenarios, secure the stored files to help prevent unauthorized access, for example, by using NTFS permissions and the encrypted file system. Although you can specify multiple AMT Provisioning and Discovery Accounts so that Configuration Manager can discover computers that have AMT management controllers and provision them for out of band management, do not specify accounts that are not currently required and delete accounts that are no longer required. Specify only the accounts that you require to help ensure that these accounts are not granted more permissions than they require and to reduce unnecessary network traffic and processing. For more information about the AMT Provisioning and Discovery Account, see Configuring the Out of Band Management Component. The AMT Provisioning Removal Account helps ensure service continuity if you must restore the Configuration Manager site. After you restore the site, request and configure a new AMT provisioning certificate, use the AMT Provisioning and Removal Account to remove provisioning information from AMT-based computers, and then reprovision the computers. You might also be able to use this account if an
2221

Minimize the number of AMT Provisioning and Discovery Accounts.

For service continuity, specify a user account as the AMT Provisioning Removal Account and ensure that this user account is also specified as an AMT User Account.

Security best practice

More information

AMT-based computer was reassigned from another site and the provisioning information was not removed. For more information about how to remove AMT provisioning information, see How to Remove AMT Information. Use a single certificate template for client authentication certificates whenever practical. Although you can specify different certificate templates for each of the wireless profiles, use a single certificate template unless you have a business requirement for different settings to be used for different wireless networks, specify only client authentication capability, and dedicate this certificate template for use with Configuration Manager out of band management. For example, if one wireless network required a higher key size or shorter validity period than another, you would have to create a separate certificate template. A single certificate template lets you control its use more easily and guards against elevation of privileges. Depending on the AMT version, Configuration Manager might stop writing new entries to the AMT audit log when it is nearly full or might overwrite old entries. To ensure that new entries are logged and old entries are not overwritten, periodically clear the audit log if required, and save the auditing entries. For more information about how to manage the audit log and monitor auditing activities, see How to Manage the Audit Log for AMT-Based Computers in Configuration Manager. Use the Remote Tools Operator security role to grant administrative users the Control AMT permission, which allows them to view and manage computers by using the out of band management console, and initiate power control actions from the Configuration Manager console. For more information about the security
2222

Ensure that only authorized administrative users perform AMT auditing actions and manage the AMT audit logs as required.

Use the principle of least privileges and rolebased administration to grant administrative users permissions to manage AMT-based computers out of band.

Security best practice

More information

permissions that you might require to manage AMT-based computers, see Configuration Manager Dependencies in Prerequisites for Out of Band Management in Configuration Manager.

Security Issues for Out of Band Management

Managing AMT-based computers out of band has the following security issues: An attacker might fake a provisioning request, which results in the creation of an Active Directory account. Monitor the OU where the AMT accounts are created to ensure that only expected accounts are created. You cannot configure web proxy access for the out of band service point to check the certificate revocation list (CRL) that is published on the Internet. If you enable CRL checking for the AMT provisioning certificate, and the CRL cannot be accessed, the out of band service point does not provision AMT-based computers. The option to disable automatic AMT provisioning is stored on the Configuration Manager client and not in AMT. This means that the AMT-based computer can still be provisioned. For example, the Configuration Manager client might be uninstalled, or the computer might be provisioned by another management product. Even though you select the option to disable automatic provisioning for an AMT-based computer, the out of band service point accepts a provisioning request from that computer.

Privacy Information for Out of Band Management

The out of band management console manages computers that have the Intel vPro chip set and Intel Active Management Technology (Intel AMT) with a firmware version that is supported by Configuration Manager. Configuration Manager temporarily collects information about the computer configuration and settings, such as the computer name, IP address, and MAC address. Information is transferred between the managed computer and the out of band management console by using an encrypted channel. By default, this feature is not enabled, and typically no information is retained after the management session is ended. If you enable AMT auditing, you can save auditing information to a file that includes the IP address of the AMT-based computer that is managed and the domain and user account that performed the management action on the recorded date and time. This information is not sent to Microsoft. You have the option to enable Configuration Manager to discover computers with management controllers that can be managed by the out of band management console. Discovery creates records for the manageable computers and stores them in the database. Data discovery records contain computer information, such as the IP address, operating system, and computer name. By default, discovery of management controllers is not enabled. Discovery information is not sent to Microsoft. Discovery information is stored in the site database. Information is retained in the
2223

database until the site maintenance task Delete Aged Discovery Data deletes it in intervals of every 90 days. You can configure the deletion interval. Before you configure out of band management, consider your privacy requirements.

See Also
Compliance Settings in Configuration Manager

Technical Reference for Out of Band Management in Configuration Manager

Use the following topics in this section to view technical reference information for managing Intel AMT-based computers out of band by using System Center 2012 Configuration Manager.

In This Section
About the AMT Status and Out of Band Management in Configuration Manager Example Scenario for Implementing Out of Band Management in Configuration Manager Example Scenarios for Using Out of Band Management in Configuration Manager AMT Provisioning Process for Out of Band Management in Configuration Manager

See Also
Out of Band Management in Configuration Manager

About the AMT Status and Out of Band Management in Configuration Manager
The AMT status is used with out of band management in System Center 2012 Configuration Manager to identify the capability and provisioning status of the management controller on Intel AMT-based computers. This status is displayed in the Configuration Manager console, in the report Computers with out of band management controllers, and can also be used to construct queries.

The AMT Status Values, Descriptions, and Corresponding Queries

Use the following table for more details about the AMT status and the corresponding queries.
2224

AMT status

Description

Query

Unknown

The AMT status is not yet known. This occurs when the AMT-based computer has not contacted the out of band service point site system server to be provisioned, or when you have not run Discover AMT Status for the collection.

Select * from sms_r_system where AMTStatus is null

Not Supported

The computer does not have Select * from sms_r_system AMT capability and cannot where AMTStatus=0 support out of band management. AMT capability is detected on this computer, but the out of band service point is unable to provision it for AMT. This scenario can occur when the computer has been previously provisioned for AMT outside the Configuration Manager site and the password for the AMT Remote Admin Account or the MEBx Account has been changed and is unknown. Before Configuration Manager can provision and manage this computer, you must remove the provisioning information, and then run the Discover AMT Status action. Tip You might be able to remove the AMT provisioning information by using Configuration Manager and the AMT Provisioning Removal Account, if this account is configured in the Out of Band Management
2225

Detected

Select * from sms_r_system where AMTStatus=1

AMT status

Description

Query

Component Properties dialog box. Or, manually remove the AMT provisioning information. For more information about removing the AMT provisioning information by using Configuration Manager and the AMT Provisioning Removal Account, see How to Remove AMT Information. Not Provisioned AMT capability is detected on this computer, and it can be provisioned for AMT by the out of band service point. AMT capability is detected on this computer, and it can be managed out of band by Configuration Manager. AMT capability is detected on this computer, and it has been provisioned outside Configuration Manager by using AMT Host Based Provisioning. The computer account of the out of band service point lets Configuration Manager manage this computer out of band. However, Configuration Manager cannot update the management controller, remove the provisioning information, or reprovision this computer. Select * from sms_r_system where AMTStatus=2

Provisioned

Select * from sms_r_system where AMTStatus=3

Externally Provisioned

Select * from sms_r_system where AMTStatus=4

Determining the AMT Status

The AMT status is determined when the AMT discovery process runs, which uses the following accounts in the order specified:
2226

1. The AMT Remote Admin Account 2. The computer account of the out of band service point 3. The AMT Provisioning and Discovery Account The AMT status is automatically updated when Configuration Manager provisions a computer for AMT or removes provisioning information.

See Also
Technical Reference for Out of Band Management in Configuration Manager

Example Scenario for Implementing Out of Band Management in Configuration Manager

Note This topic appears in the Assets and Compliance in System Center 2012 Configuration Manager guide and in the Scenarios and Solutions Using System Center 2012 Configuration Manager guide. The following sections in this topic provide an example scenario for implementing out of band management in System Center 2012 Configuration Manager, by using a three-phased approach: Pilot: Implementing and Testing a Few Computers that Use Certificate Services (Internal CA) for the Provisioning Certificate Rollout: Full Deployment by Using an External CA for the Provisioning Certificate Add Wireless Support: Extend Management to Wireless Networks

In the following scenario, Trey Research is interested in using out of band management to more efficiently troubleshoot computers that fail to start or stop responding, require powering on for routine maintenance, or require reconfiguring the BIOS settings. This company has Intel AMTbased computers with versions of AMT that are supported by Configuration Manager, but they do not have customized firmware that includes the certificate thumbprint of their own internal root certification authority (CA). Trey Research has a single Configuration Manager primary site, and all the internal computers reside in the testnet.treyresearch.net domain. The company already has an existing public key infrastructure (PKI) infrastructure that is using Windows Server 2008 Certificate Services, and has an enterprise certification authority running Windows Server 2008 Enterprise Edition. Adam is the Configuration Manager administrative user who has been asked to implement out of band management by using a three-phase approach. He first tests the functionality by using a small number of desktop computers and without purchasing a provisioning certificate from an external CA. If the testing goes well, Adam can purchase an AMT provisioning certificate and provision all the AMT-based desktop computers. For the final deployment phase, Adam is asked to extend the out of band management to laptops that use the wireless network.
2227

Pilot: Implementing and Testing a Few Computers that Use Certificate Services (Internal CA) for the Provisioning Certificate
For the pilot phase to implement and test out of band management, Adam takes the course of action outlined in the following table.
Process Reference

Adam checks the prerequisites for out of band management and decides to create a site system server on which he installs the out of band service point and the enrollment point. This computer has the fully qualified domain name (FQDN) of server15.testnet.treyresearch.net. Adam also confirms that the existing DHCP and DNS configuration meets the requirements for AMT. Adam works with his Active Directory service administrators to create the following Windows security groups: A group named ConfigMgr Out Band Service Points that contains server15. A group named ConfigMgr Primary Site Servers that contains the primary site server computer account. A universal security group named ConfigMgr AMT Computers that will contain the AMT computer accounts.

For more information about the prerequisites, see Prerequisites for Out of Band Management in Configuration Manager.

For more information about how to create groups and OUs, see the Active Directory Domain Services documentation.

They then create an organization unit (OU) in the testnet.treyresearch.net domain for the published AMT-based computer accounts, and grant the newly created group ConfigMgr Primary Site Servers the following permissions to this OU: Create Computer Objects and Delete Computer Objects. Adam works with the PKI team with the following results: The web server certificate template is duplicated and configured for the For guidance about how to deploy the PKI certificates required for out of band management, see the Deploying the Certificates for AMT section in the Step-by-Step
2228

Process

Reference

enrollment point. It is installed and configured in IIS on server15. A custom template is created to request and install the AMT provisioning certificate on server15. The web server certificate template is duplicated and configured so that it is appropriate for out of band management. They identify and write down the certificate thumbprint of the root CA, which has to be manually added to the AMT firmware until they purchase a provisioning certificate from an external CA.

Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority topic. For more information about the certificate requirements, see PKI Certificate Requirements for Configuration Manager.

To prepare the desktop AMT-based computers that Adam will use in the initial testing, Adam checks that the AMT firmware configuration is correct and adds the certificate thumbprint of their internal root CA: 1. When the computer starts, he presses CTRL+P to configure the ME module. 2. He selects Intel (R) ME Configuration, Intel (R) ME Feature Control, Manageability Feature Selection, and then selects Intel (R) AMT. He exits and restarts the computer. 3. He runs the ME module again, selects Intel (R) AMT Configuration, Setup and Configuration, to verify that the value for the Current provision mode is PKI. The value is not PKI, so he selects TLS PKI, and sets the Remote Configuration to Enable. 4. In the TLS-PKI section, he selects Manage Certificate Hashes, presses the Insert key, and types the certificate thumbprint of his internal root CA. 5. He saves the changes, exits, and then restarts the computer. Adam then configures the Configuration Manager primary site and makes the following changes:

For more information, see the Intel documentation.

For more information, see the following sections in the How to Provision and Configure AMT-Based Computers in Configuration
2229

Process

Reference

He installs a new site system server on server15, configures it with the intranet FQDN of server15.treyresearch.net, and then installs the out of band service point and the enrollment point. He then configures the Out of Band Management component. On the AMT Provisioning Certificate page for the out of band service point, he browses to the AMT provisioning certificate that he installed. On the Out of Band Management Component Properties dialog box, he configures the following: On the General tab, he specifies the OU that he created in testnet.treyresearch.net, the universal security group that he created, browses to the AMT web server certificate template that he created earlier, and configures a strong password for the MEBx Account. On the AMT Settings tab, he specifies his own account as an AMT User Account and a Windows global domain security group that contains help desk engineers who will use the out of band management console. He also selects the options Enable serial over LAN and IDE redirection, Allow ping responses, and Enable BIOS password bypass for power on and restart commands.

Manager topic: How to Install and Configure the AMT Provisioning Site Systems: New Site System Server Configuring the Out of Band Management Component

Adam wants to use Wake on LAN technology to install critical software updates on computers. He has tried this feature in the past and discovered that subnet-directed broadcasts consumed too much network bandwidth over the remote links and that few of their network adapters worked with unicast transmissions. He enables Wake on LAN and decides to keep the default option of Use power on commands

For more information, see the Configuring the Site to Send Power-On Commands for Scheduled Wake-Up Activities step in the How to Provision and Configure AMT-Based Computers in Configuration Manager topic.

2230

Process

Reference

if the computer supports this technology; otherwise, use wake-up packets. Adam adds the AMT Status column to the Configuration Manager console and creates a new collection that contains just five AMTbased computers as his initial pilot. These computers are for testing only and contain different supported versions of AMT. He configures this collection for AMT provisioning. Adam monitors the AMT provisioning process. For more information, see the Displaying the AMT Status and Enabling AMT provisioning step in the How to Provision and Configure AMT-Based Computers in Configuration Manager topic.

For more information, see the Monitoring AMT Provisioning step in the How to Provision and Configure AMT-Based Computers in Configuration Manager topic.

When the computers are successfully provisioned for AMT, Adam starts testing these computers for out of band management. For example scenarios of using out of band management, see Example Scenarios for Using Out of Band Management in Configuration Manager.

Rollout: Full Deployment by Using an External CA for the Provisioning Certificate

When the initial testing is completed, Adam receives confirmation from his manager that out of band management can be rolled out to all AMT-based workstation computers. To eliminate the requirement to add the thumbprint of their internal root CA certificate to each AMT-based computer, Adam purchases a provisioning certificate from an external CA and installs it on server15, according to the accompanying instructions. Adam then takes the course of action outlined in the following table.
Process Reference

Adam checks the prerequisites for out of band For more information, see Prerequisites for Out management again, to see whether there are of Band Management in Configuration any additional changes that he has to make. He Manager. notes the following: There are ports requirements that he must relate to the firewall administrator so that help desk engineers can connect to AMTbased computers in remote sites that are protected by the internal company firewall.
2231

Process

Reference

Some help desk computers still run Windows XP, and so he must check these computers for their version of Windows Remote Management (WinRM) and update the version if necessary. He must add help desk engineers to an appropriate security role to run the out of band management console. For more information, see the Configuring the Enrollment Point and Out of Band Service Point for AMT Provisioning step in the How to Provision and Configure AMT-Based Computers in Configuration Manager topic. For more information, see the Displaying the AMT Status and Enabling AMT provisioning step in the How to Provision and Configure AMT-Based Computers in Configuration Manager topic.

Adam configures the properties of the out of band service point, browses to the newly purchased AMT provisioning certificate, and saves the changes.

Adam creates new collections to gradually roll out AMT provisioning for workstation computers. Over a period of four weeks, he enables these collections for AMT provisioning and monitors progress.

As a result of this course of action, all Intel AMT-based workstation computers are provisioned for AMT and can be managed out of band by the help desk. The ability to troubleshoot and repair computers when the operating system is not functioning greatly reduces the total cost of ownership for the company because engineers no longer require local access to the computer.

Add Wireless Support: Extend Management to Wireless Networks

After the successful rollout for workstations to use out of band management, Trey Research now wants to extend this support to laptop computers that use the wireless network. The wireless network uses a Windows Server 2008-based server that is running Network Policy Server (NPS) and requires a client certificate for authentication. Adam takes the course of action outlined in the following table.
Process Reference

Adam checks the wireless support prerequisites For more information about the prerequisites, for out of band management and confirms that see Prerequisites for Out of Band Management the versions of AMT on the laptops supports in Configuration Manager. wireless profiles. He notes the wireless configuration settings that are required by the
2232

Process

Reference

Network Policy Server as WPA2 security, AES encryption, and EAP-TLS authentication. Adam works with the PKI team to create an additional certificate template that the AMTbased computers use to authenticate with the Network Policy Server. For more information about creating the client certificate template, see Creating and Issuing the Client Authentication Certificates for 802.1X AMT-Based Computers in the Deploying the Certificates for AMT section of the Step-byStep Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority topic. For more information about the certificate requirements, see PKI Certificate Requirements for Configuration Manager. Adam configures the Out of Band Management Component Properties: 802.1X and Wireless tab: He creates a wireless profile that contains the wireless network name, the security type of WPA2-Enterprise, and the encryption method of AES. He then selects the trusted root certificate for the Network Policy Server, and the client certificate template that was created earlier. For more information, see steps 26 through 39 in the Configuring the Out of Band Management Component section in the How to Provision and Configure AMT-Based Computers in Configuration Manager topic.

Adam creates a new collection for laptops that can support AMT. On the Out of Band Management tab, he selects Enable provisioning for AMT-based computers. Adam then monitors the provisioning status for these laptops, and uses the log file Amtopmgr.log, to verify that the wireless profile is successfully configured for these AMT-based computers. Tip If these laptops are already provisioned for AMT without the wireless profile, Adam runs the Update Provisioning Data in Management Controller Memory command for the wireless

For more information about monitoring AMT provisioning, see the Monitoring AMT Provisioning step in the How to Provision and Configure AMT-Based Computers in Configuration Manager topic.

2233

Process

Reference

settings to be applied. For more information, see the How to Update Computers for New AMT Settings section in the How to Manage AMT Provisioning Information in Configuration Manager topic. As a result of this course of action, laptops can also now be managed out of band by the help desk, which reduces the time to resolve the problems reported by laptop users.

See Also
Technical Reference for Out of Band Management in Configuration Manager

Example Scenarios for Using Out of Band Management in Configuration Manager

Note This topic appears in the Assets and Compliance in System Center 2012 Configuration Manager guide and in the Scenarios and Solutions Using System Center 2012 Configuration Manager guide. The following sections in this topic provide example scenarios of how you can manage computers out of band in System Center 2012 Configuration Manager: Powering on Computers to Install Applications Powering off Computers to Protect Against a Security Attack Re-imaging a Nonfunctioning Computer Configuring BIOS Settings Troubleshooting a Nonfunctional Computer Achieving Compliance for Software Updates by Using Wake on LAN and Power on Commands

In all these scenarios for Trey Research, Adam, the Configuration Manager administrative user, has implemented out of band management throughout the Configuration Manager hierarchy. The desktop computers are AMT-based, meet all the prerequisites for out of band management, and are successfully provisioned for AMT.

2234

Powering on Computers to Install Applications

The following scenario demonstrates how you can use out of band management to power on computers to install applications (or perform routine maintenance) without using traditional wakeup packets. The marketing department at Trey Research has approved a request to install a nonstandard application on five computers. Adam has already created a collection for these five computers and a deployment to install the application as soon as possible. After he establishes a time period when no users have their computers turned on and will not be unduly inconvenienced, he performs the actions in the following table to power on the computers so that the application can be installed.
Process More information

Adam locates the computers in the Assets and Compliance workspace of the Configuration Manager console, and then performs the following actions: Selects the five computers and right-clicks them. Clicks Manage Out of Band, and then clicks Power Control. Selects Power on. Confirms the action by clicking OK.

Section How to Power on and Restart Computers in the How to Manage AMT-based Computers Out of Band in Configuration Manager topic.

He then monitors the progress of the application installation. If required, after the installation is completed, Adam can shut down each computer individually by using the Configuration Manager Remote Control and select the Shut down command in Windows. Note The out of band management power-off command is not appropriate here because this does not perform a graceful shutdown of the operating system. As a result of the preceding course of action, the application is installed outside business hours without sending wake-up packets over the network, without requiring that the computers remain turned on, or without requiring local access to the computers.
2235

How to Remotely Administer a Client Computer by Using Configuration Manager

Powering off Computers to Protect Against a Security Attack

The following scenario demonstrates how you can use out of band management to power off computers when it is imperative that they do not remain running, but you cannot shut them down by normal means. Powering off computers should always be considered a last resort because it has the same effect as removing the power cable from the computer: the operating system does not shut down correctly, unsaved work is lost, and logged-on users do not receive any notice of the power off action. Trey Research has an intrusion detection system that monitors suspicious activity on servers and the network. In the early hours of the morning, an alert is generated that indicates a security attack has occurred on one of the servers. Although the desktop computers are usually turned off at night, some users leave their computers turned on. These computers must be turned off immediately to safeguard them against the security threat. To help protect the desktop computers from the security threat, a security administrator performs the actions that are outlined in the following table.
Process More information

The security administrator identifies the desktop computers that are turned on and at risk and locates them in the Assets and Compliance workspace in the Configuration Manager console. He performs the following actions: Selects the computers and right-clicks them. Clicks Manage Out of Band, and then clicks Power Control. Selects Power off. Confirms the action by clicking OK.

Section How to Power off Computers in the How to Manage AMT-based Computers Out of Band in Configuration Manager topic.

As a result of the preceding course of action, the risk of these computers being vulnerable to the security attack is greatly reduced.

Re-imaging a Nonfunctioning Computer

The following scenario demonstrates how you can use out of band management to re-image a nonfunctioning computer when other troubleshooting steps have failed. Trey Research has a help desk policy that computer desktop issues that prevent business continuity must be resolved within a set period. No data is stored locally on the computers, so reimaging these computers is the most efficient way to resolve these types of reported problems.
2236

However, in the past this has meant that a help desk engineer must visit the site, or the computer must be transported to and from the help desk location. To more efficiently re-image a nonfunctioning computer, the help desk engineer proceeds with the course of action that is outlined in the following table.
Process More information

The help desk engineer locates the computer in question in the Configuration Manager console and confirms that he cannot use Configuration Manager Remote Tools to connect to the client computer. He connects to it by using the out of band management console. The help desk engineer then performs the following actions: He clicks Power Control, selects the boot option for IDE redirection, and enters the network path to the image to reinstall the operating system, custom applications and settings, and the Configuration Manager client. Then he clicks Restart Computer.

Section How to Run the Out of Band Management Console in the How to Manage AMT-based Computers Out of Band in Configuration Manager topic.

Section How to Power on and Restart Computers in the How to Manage AMT-based Computers Out of Band in Configuration Manager topic.

Later that day, the engineer checks the status of the computer and confirms that it is working again as required. He closes the help desk ticket within the specified time limit.

Company-specific process.

As a result of the preceding course of action, the computer is efficiently re-imaged without requiring local access, although the operating system was not responding. This level of control helps resolve critical issues in a timely manner that ensures higher levels of business continuity for the company.

Configuring BIOS Settings

The following scenario demonstrates how you can use out of band management to configure BIOS settings for a desktop computer without requiring local access to the computer. The help desk at Trey Research receives notification that two newly deployed computers do not start successfully. This is a custom build, and the engineer suspects that the BIOS settings are not correctly configured. To check the BIOS settings without local access to the computer, the help desk engineer proceeds with the course of action outlined in the following table.
2237

Process

More information

The help desk engineer locates the computer in question in the Assets and Compliance workspace of the Configuration Manager console, and connects to it by using the out of band management console. The help desk engineer then performs the following actions for each computer in turn: He clicks Power Control, selects the boot option for BIOS Setup, and then clicks Power On. He clicks Serial Connection and waits for the BIOS settings to appear. When they do, he discovers that the wrong disk is configured for booting the computer. He makes the required change, and then saves the new BIOS settings.

Section How to Run the Out of Band Management Console in the How to Manage AMT-based Computers Out of Band in Configuration Manager topic.

Section How to Configure BIOS Settings for a Computer in the How to Manage AMT-based Computers Out of Band in Configuration Manager topic.

The computer automatically restarts and successfully loads the operating system from the correct disk. The engineer confirms that the two computers are now operational and closes the help desk ticket. Company-specific process.

As a result of the preceding course of action, the mean time to resolution for these computers is dramatically reduced because local access to the computers is not required.

Troubleshooting a Nonfunctional Computer

The following scenario demonstrates how you can use out of band management to run diagnostic commands and tools for a desktop computer that is not functioning (for example, the operating system stops responding or does not load) without requiring local access to the computer. The help desk at Trey Research receives notification that a computer has stopped responding. To troubleshoot the computer, the help desk engineer proceeds with the course of action outlined in the following table.
Process More information

The help desk engineer locates the computer in Section How to Run the Out of Band question in the Assets and Compliance Management Console in the How to Manage workspace of the Configuration Manager AMT-based Computers Out of Band in
2238

Process

More information

console, and connects to it by using the out of band management console. The help desk engineer then performs the following actions: He clicks Power Control, selects the boot option for IDE redirection, specifies the path and file for a diagnostic tool in the IDE redirection path, and then clicks Restart Computer. He clicks Serial Connection and waits for the computer to boot from the image that contains the diagnostic tool. By using the diagnostics, he discovers that the disk has a number of bad sectors. He selects the option to repair the bad sectors, and then exits the tool. He clicks Power Control, clicks Restart Computer, and closes the out of band management console.

Configuration Manager topic.

Section How to Run Commands, Repair Tools, and Diagnostic Applications for a Computer in the How to Manage AMT-based Computers Out of Band in Configuration Manager topic.

The engineer confirms that the computer restarts and loads the operating system successfully. Because the computer is operational again, he closes the ticket, but he puts in a request to replace the hard drive to safeguard against the same problem in the future.

Company-specific process.

As a result of the preceding course of action, the time-to-resolution for this computer is dramatically reduced because local access to the computer is not required.

Achieving Compliance for Software Updates by Using Wake on LAN and Power on Commands
The following scenario demonstrates how you can use out of band management with software updates in Configuration Manager to help achieve higher success rates for installing software updates within a specified time frame. Trey Research has a security policy that requires that all computers on the network running Windows have critical security software updates installed within two weeks of release. The installation of these software updates on servers has a 100 percent success rate, but the success rate on desktops is only 80 percent, although the Configuration Manager administrative user
2239

deployed them within one week after release. On investigation, the computers that do not have the software updates installed are turned off for various reasons for example, because users are on vacation or sick leave or because the computers are not in everyday use and are turned on only when required for a specific application or process. The security policy also prohibits sending wake-up packets over the network, but there is often not enough time to track down each computer, turn it on, and install the required software updates to meet the compliance deadline. To help achieve the compliance levels in a timely and efficient fashion, Adam decides on the course of action outlined in the following table.
Process More information

Adam enables Wake on LAN for the primary sites in the hierarchy and selects the Use AMT power on commands only option.

Step Configuring the Site to Send Power on Commands for Scheduled Wake-Up Activities in the How to Provision and Configure AMTBased Computers in Configuration Manager topic. Step Configuring the Enrollment Point and Out of Band Service Point for AMT Provisioning in the How to Provision and Configure AMTBased Computers in Configuration Manager topic. How to Create Collections in Configuration Manager

He checks the packet transmission settings in the out of band service point properties and makes some minor changes.

He reads the information in the documentation about the additional time that might be required to power on multiple computers and plans accordingly by creating different collections of computers so that software update deployments can be configured in batches.

Adam closely monitors the installation of the Operations and Maintenance for Software critical software updates. For the computers Updates in Configuration Manager that have not yet installed them, he creates a new deployment that contains the software updates, but this time it is also configured for Wake on LAN. He targets this software update deployment in batches to the collections that he created. As a result of the preceding course of action, critical software updates are installed on the majority of computers within one week. This leaves a comfortable margin of one more week to track down and correct the few desktop computers that still require the software update, perhaps

2240

because the computer was put into hibernation before it received the software update deployment or because there was no power for the computer. By using the combination of software updates with a deadline for the majority of computers, Wake on LAN with power-on commands for the few computers that are turned off, and manual intervention for the minority of computers that remain noncompliant, Trey Research can now meet its compliance levels every month.

See Also
Technical Reference for Out of Band Management in Configuration Manager

AMT Provisioning Process for Out of Band Management in Configuration Manager

The following flow of events occurs when an AMT-based computer is provisioned by System Center 2012 Configuration Manager. 1. The Configuration Manager client downloads its client policy with instructions to initiate AMT provisioning and performs the follow checks: a. The Intel HECI driver is installed. b. The AMT status is Not Provisioned. Any other status stops the provisioning process. 2. The Configuration Manager client generates a random one-time password (OTP), hashes it, sends the hash to the site server, and then activates the AMT network interface so that the AMT-based computer is ready for provisioning. For AMT-based computers that support wireless network connections, they also send their wired IP address, which will be used during provisioning, even if the AMT-based computer has multiple network interfaces. 3. The Configuration Manager client sends AMT manufacturing information to the site server by using a state message. This information includes the AMT version number. 4. The site server receives the OTP hash and then creates an Active Directory account in the configured Active Directory container (or OU), and sets the SPN for the AMT-based computer. The site server then sends an instruction to the out of band service point to start provisioning for the Configuration Manager client. 5. The out of band service point retrieves the OTP hash for this AMT-based computer from the site server and compares it with the OTP hash reported by the AMT firmware to verify the identity of the AMT-based computer to be provisioned. 6. The out of band service point retrieves the Active Directory account and password from the site server and then sends an instruction to the enrollment point to request an AMT web server certificate for the AMT-based computer. The enrollment point impersonates the AMTbased computer to request the AMT web server certificate. 7. The out of band service point creates an outbound TLS connection by using the AMT provisioning certificate and the Secure Channel (Schannel) Security Support Provider (SSP).

2241

In this connection, the AMT-based computer is the server, and the out of band service point is the client. This transport layer session is established by using TLS handshaking: a. The out of band service point sends a client Hello message to the AMT -based computer and requests to use SHA1. b. The AMT-based computer sends a server Hello message to the out of band service point and sends its public key with a self-signed certificate. c. The Microsoft Security Support Provider Interface (SSPI) is used to create the TLS channel.

d. The out of band service point sends its AMT provisioning certificate and its full certificate chain to the AMT-based computer, with the specific AMT provisioning object identifier (OID) or OU attribute of Intel(R) Client Setup Certificate. e. The AMT-based computer checks the following for the AMT provisioning certificate and, if these successfully match, establishes the TLS session: the subject name (CN) against its own DNS namespace, the OID against the OID for AMT provisioning (or the OU attribute), and the certificate thumbprint of the root certificate from the certificate chain against the certificate thumbprint that it has stored in AMT firmware memory. 8. The out of band service point establishes an application layer connection with the AMT-based computer, by using HTTP Digest authentication: a. A SOAP request is sent from the out of band service point to the AMT-based computer, without any user name and password. b. The AMT-based computer responds to the out of band service point with an "authentication needed" response, which results in HTTP Digest authentication. c. The out of band service point resends the SOAP request with the same payload to AMTbased computer, this time by using HTTP Digest authentication.

d. The AMT-based computer finishes the authentication challenge and sends a success or failure response to the out of band service point. 9. If the HTTP Digest authentication failed during the application layer connection, the out of band service point retries by using another user name and password that has been configured in Configuration Manager. All user names and passwords are tried sequentially until authentication succeeds or there are no more user names and passwords. 10. The AMT-based computer undergoes first-stage provisioning, initiated by a SOAP request from the out of band service point: a. The AMT time is synchronized with the Windows time from the out of band service point. b. The AMT host name and domain is configured by using the computers host name and domain. The computers host and domain name might be retrieved from system discovery or from client registration when the client is assigned to the site. c. The requested and retrieved certificate is saved to the AMT firmware memory, and TLS authentication is enabled.

d. Configuration Manager creates a random and strong password for the AMT Remote Admin Account and stores this value in AMT. e. Configuration Manager might reconfigure the MEBx password with the strong password configured in the Configuration Manager console, depending on whether it has been changed previously on the AMT-based computer and on the version of AMT.
2242

f.

The settings are saved in AMT firmware, and the AMT firmware state is set to the operational mode of post provisioning.

11. The AMT-based computer undergoes second-stage provisioning, initiated by a Windows Remote Management (WinRM) request from the out of band service point: a. The AMT ACLs are deleted and configured according to the AMT User Accounts and rights. b. Kerberos is enabled, and in the Out of Band Management Component Properties dialog box, on the AMT Settings tab, the power scheme is set according to the configured value for Manageability is on in the following power state. In addition, the other AMT settings, such as Enable web interface, Enable serial over LAN and IDE redirection, and Allow ping responses, are also set according to the configured values in the AMT Advanced Settings dialog box. c. If you have configured any 802.1X options, the following additional actions occur: Any existing wireless profiles are deleted, any certificates related to the wireless profiles or 802.1X wired network configuration are deleted, and the wireless capability of AMT is detected. If any certificates are required to support 802.1X, the out of band service point sends an instruction to the enrollment point to request the certificates for the AMT-based computer, and the enrollment point impersonates the AMT-based computer to request these certificates. The wireless profiles and the 802.1X authenticated wired network configuration are then saved to AMT.

12. The out of band service point sends the results of the provisioning process to the site server, which then updates the Configuration Manager database to use the following information about the AMT-based computer: the AMT status; the MEBx password, the AMT Remote Admin Password.

See Also
Technical Reference for Out of Band Management in Configuration Manager

Compliance Settings in Configuration Manager

Compliance settings in System Center 2012 Configuration Manager provides a set of tools and resources that can help assess, track, and remediate the configuration compliance of client computers in the enterprise.

2243

Compliance Setting Topics

Use the following topics to help you maintain the configuration compliance of your Configuration Manager client computers. Introduction to Compliance Settings in Configuration Manager Planning for Compliance Settings in Configuration Manager Configuring Compliance Settings in Configuration Manager Operations and Maintenance for Compliance Settings in Configuration Manager Security and Privacy for Compliance Settings in Configuration Manager Technical Reference for Compliance Settings in Configuration Manager

Other Resources for this Product

TechNet Library main page for System Center 2012 Configuration Manager Assets and Compliance in System Center 2012 Configuration Manager

Introduction to Compliance Settings in Configuration Manager

Compliance settings in System Center 2012 Configuration Manager provides a unified interface and user experience that lets you manage the configuration and compliance of servers, laptops, desktop computers, and mobile devices in your organization. Compliance settings contains tools to help you assess the compliance of users and client devices for many configurations, such as whether the correct Windows operating system versions are installed and configured appropriately, whether all required applications are installed and configured correctly, whether optional applications are configured appropriately, and whether prohibited applications are installed. Additionally, you can check for compliance with software updates, security settings, and mobile devices. Configuration item settings of the type Windows Management Instrumentation (WMI), registry, script, and all mobile device settings in Configuration Manager let you automatically remediate noncompliant settings when they are found. Compliance is evaluated by defining a configuration baseline that contains the configuration items that you want to evaluate and settings and rules that describe the level of compliance you must have. You can import this configuration data from the web in Microsoft System Center Configuration Manager Configuration Packs as best practices that are defined by Microsoft and other vendors, in Configuration Manager, and that you then import into Configuration Manager. Or, an administrative user can create new configuration items and configuration baselines. After a configuration baseline is defined, you can deploy it to users and devices through collections and evaluate its settings for compliance on a schedule. Client devices can have multiple configuration baselines deployed to them. This provides the administrator with a high level of control.
2244

Client devices evaluate their compliance against each deployed configuration baseline and immediately report the results to the site by using state messages and status messages. If a client device is currently not connected to the network, but has downloaded the configuration items that are referenced in a deployed configuration baseline, the configuration baseline is evaluated for compliance. The compliance information is sent on reconnection. You can also view compliance evaluation results from clients that are running Windows by using the Configurations tab in Configuration Manager in Control Panel. You can monitor the results of the configuration baseline evaluation compliance from the Deployments node in the Monitoring workspace in the Configuration Manager console to view the most common causes of noncompliance, errors, and the number of users and devices that are affected. You can also run compliance settings reports to find additional details, such as which devices are compliant or noncompliant, and which element of the configuration baseline is causing a computer to be noncompliant. You can also view compliance evaluation results from Windows clients by using the Configurations tab in Configuration Manager in Control Panel. You can use compliance settings to support the following business requirements: Compare the configuration of desktop computers, laptops, servers, and mobile devices in your enterprise against best practices configurations from Microsoft and other vendors. Verify the configuration of provisioned devices against one or more custom-defined configuration baselines before the computers go into production. Identify device configurations that are not authorized by change control procedures. Prioritize noncompliance with five levels of severity (None, Information, Warning, Critical, and Critical with event). Report compliance with regulatory policies and in-house security policies. Identify security vulnerabilities, as defined by Microsoft and other software vendors, across your enterprise. Provide the help desk with the information to detect probable causes of reported incidents and problems by identifying noncompliant configurations. Automatically remediate noncompliant settings for WMI, the registry, scripts, and all settings for the mobile devices that are enrolled by Configuration Manager. Remediate noncompliance by deploying applications, packages and programs, or scripts to a collection that is automatically populated with computers that report that they are out of compliance. Integrate with other management products that monitor Windows events on computers to take automatic action when a configuration is reported as noncompliant.

For an example scenario that shows how you might use compliance settings in your environment, see Example Scenario for Compliance Settings in Configuration Manager.

User Data and Profiles Configuration Items

For Configuration Manager SP1 only: User data and profiles configuration items contain settings that control how users in your hierarchy manage folder redirection, offline files, and roaming profiles on computers that run
2245

Windows 8. You can deploy them to collections of users and then monitor their compliance from the Monitoring node of the Configuration Manager console. Unlike other configuration items, you do not add these to configuration baselines before you deploy them. You can deploy them directly with the Deploy User Data and Profiles Configuration Item dialog box. For more information, see the topic How to Create User Data and Profiles Configuration Items in Configuration Manager.

Whats New in Configuration Manager

Note The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide. The following items are new or have changed for compliance settings, previously known as desired configuration management since Configuration Manager 2007: Configuration Manager 2007 desired configuration management is now called compliance settings in System Center 2012 Configuration Manager. Configuration Manager provides a new built-in security role named Compliance Settings Manager. Administrative users who are members of this role can manage and deploy configuration items and configuration baselines and view compliance results. An administrative user can create registry and file system settings by browsing to an existing file, folder, or registry setting on the local or a remote reference computer. It is now easier for an administrative user to create configuration baselines. You can reuse settings for multiple configuration items. You can remediate noncompliant settings for WMI, the registry, scripts, and all settings for the mobile devices that are enrolled by Configuration Manager. When you deploy a configuration baseline, you can specify a compliance threshold for the deployment. If the compliance is below the specified threshold after a specified date and time, System Center 2012 Configuration Manager generates an alert to notify the administrator. You can use the new monitoring features of System Center 2012 Configuration Manager to monitor compliance settings and to view the most common causes of noncompliance, errors, and the number of users and devices that are affected. You can deploy configuration baselines to users and devices. Configuration baseline deployments and evaluation now support Configuration Manager maintenance windows. You can use compliance settings to manage the mobile devices that you enroll with Configuration Manager. Configuration item versioning lets you view and use earlier versions of configuration items. You can restore or delete earlier versions of configuration items and see the user names of administrative users who made changes. Configuration items can contain user and device settings. User settings are evaluated when the user is logged on. Examples of user settings include registry settings that are stored in
2246

HKEY CURRENT USER and user-based script settings that an administrative user configured. Improved reports contain rule details, remediation information, and troubleshooting information. You can now detect and report conflicting compliance rules. Unlike Configuration Manager 2007, System Center 2012 Configuration Manager does not support uninterpreted configuration items. An uninterpreted configuration item is a configuration item that is imported into compliance settings, but the Configuration Manager console cannot interpret it. Therefore, you cannot view or edit the configuration item properties in the console. Before you import Configuration Packs or configuration baselines to System Center 2012 Configuration Manager, you must remove uninterpreted configuration items in Configuration Manager 2007. You can migrate configuration items and configuration baselines from Configuration Manager 2007 to System Center 2012 Configuration Manager. During migration, configuration data is automatically converted into the new format. Settings groups from Configuration Manager 2007 are no longer supported in System Center 2012 Configuration Manager. Regular expressions for settings are not supported in System Center 2012 Configuration Manager. Using wildcard characters for registry settings is not supported in System Center 2012 Configuration Manager. If you migrate configuration data from Configuration Manager 2007, you must remove wildcard characters from registry settings before you migrate. Otherwise the data will not be valid in the System Center 2012 Configuration Manager configuration item. The string operators Matches and Do not Match are not supported in System Center 2012 Configuration Manager. You can no longer create configuration items of the type General from the Configuration Manager console. You can now create only application configuration items and operating system configuration items. However, if you create a configuration item for a mobile device, this is created as a general configuration item.

Whats New in Configuration Manager SP1

Note The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide. The following items are new or have changed for compliance settings in Configuration Manager SP1: You can create user data and profiles configuration items that contain settings that control how users in your hierarchy manage folder redirection, offline files, and roaming profiles on computers that run Windows 8. You can deploy these settings to collections of users and then monitor their compliance from the Monitoring node of the Configuration Manager console.
2247

The new Mac OS X configuration item lets you evaluate and remediate property list (.plist) settings on Mac computers. You can also use shell scripts to evaluate and remediate other Mac settings.

See Also
Assets and Compliance in System Center 2012 Configuration Manager

Planning for Compliance Settings in Configuration Manager

Use the following topics in this section to help you plan for using compliance settings in System Center 2012 Configuration Manager.

In This Section
Prerequisites for Compliance Settings in Configuration Manager

See Also
Compliance Settings in Configuration Manager

Prerequisites for Compliance Settings in Configuration Manager

Compliance settings in System Center 2012 Configuration Manager has the following dependencies within the product.

Configuration Manager Dependencies

Dependency More information

Clients must be enabled and configured for compliance evaluation.

Before you can use compliance settings, you must enable and configure client settings. For more information, see Configuring Compliance Settings in Configuration Manager. The reporting point site system role must be installed and configured before compliance settings reports can be displayed. For more
2248

Reporting point site system role must be installed and configured.

Dependency

More information

information, see Configuring Reporting in Configuration Manager. Specific security permissions must have been granted to manage compliance settings. You must have the following security permissions to manage compliance settings: To view and manage alerts and reports for compliance settings: Create, Delete, Modify, Modify Report, Read, and Run Report for the Alerts object. To manage configuration baseline deployments: Deploy Configuration Items, Modify Client Status Alert, Modify, Read, and Read Resource for the Collection object. To create and manage configuration baselines and configuration items: Create, Delete, Modify, Modify Folder, Modify Report, Move Object, Read, Run Report, and Set Security Scope permission for the Configuration Item object. To run queries related to compliance settings: Read permission for the Query object. To view compliance settings information in the Configuration Manager console: Read permission for the Site object. To select software updates to be used in configuration baselines: Read permission for the Software Updates object. To view status messages for compliance settings: Read permission for the Status Messages object. For Configuration Manager SP1 only: To manage user data and profiles configuration items: Author Policy, Modify Report, Read and Run Report for the Settings for user data and profile management object. The Compliance Settings Manager security role includes these permissions that are required to manage compliance settings in Configuration Manager.
2249

Dependency

More information

For more information, see the Configure RoleBased Administration section in the Configuring Security for Configuration Manager topic.

See Also
Planning for Compliance Settings in Configuration Manager

Configuring Compliance Settings in Configuration Manager

Before you can use compliance settings in System Center 2012 Configuration Manager, you must perform the following configuration steps. You can modify the default client settings, create new custom client settings, or modify existing custom client settings. Create or modify custom client settings when you want to apply a group of client settings to specific collections. For more information, see How to Configure Client Settings in Configuration Manager.

How to Enable Compliance Settings and Configure Client Settings

This procedure configures the default client settings for compliance settings and applies to all computers in your hierarchy. If you want these settings to apply to only some computers, create a custom device client setting and assign it to a collection that contains the computers for which you want to use compliance settings. For more information about how to create custom device settings, see How to Create and Assign Custom Client Settings. To enable compliance settings and configure client settings 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, click Client Settings. 3. Click Default Settings. 4. On the Home tab, in the Properties group, click Properties. 5. In the Default Settings dialog box, click Compliance Settings. 6. Configure the following client settings for compliance settings.
Client setting name More information

2250

Enable compliance evaluation on clients

Set Enable compliance evaluation on clients to True if you want to evaluate compliance on client devices. Click Schedule if you want to modify the default compliance evaluation schedule on client devices.

Schedule compliance evaluation

7. Click OK to close the Default Settings dialog box. Client computers are configured with these settings the next time they download client policy. To initiate policy retrieval for a single client, see the Initiate Policy Retrieval for a Configuration Manager Client section in the How to Manage Clients in Configuration Manager topic.

See Also
Compliance Settings in Configuration Manager

Operations and Maintenance for Compliance Settings in Configuration Manager

Use the information in this section to find out more about operations and maintenance for compliance settings in System Center 2012 Configuration Manager.

In This Section
How to Create Windows Configuration Items for Compliance Settings in Configuration Manager How to Create Mobile Device Configuration Items for Compliance Settings in Configuration Manager How to Create Mac Computer Configuration Items in Configuration Manager How to Create Configuration Baselines for Compliance Settings in Configuration Manager How to Create Child Configuration Items in Configuration Manager How to Deploy Configuration Baselines in Configuration Manager How to Manage Configuration Baselines for Compliance Settings in Configuration Manager How to Manage Configuration Items for Compliance Settings in Configuration Manager How to Monitor for Compliance Settings in Configuration Manager How to Import Configuration Data in Configuration Manager How to Create User Data and Profiles Configuration Items in Configuration Manager

2251

See Also
Compliance Settings in Configuration Manager

How to Create Windows Configuration Items for Compliance Settings in Configuration Manager
Create configuration items in System Center 2012 Configuration Manager to define configurations that you want to manage and assess for compliance on devices. There are different types of configuration items: Application configuration item Used to determine compliance for an application. This can include whether the application is installed and details about its configuration. Operating system configuration item Used to determine compliance for settings that relate to the operating system and its configuration. Software updates configuration item Automatically created when you download software updates with Configuration Manager. You do not create or see these configuration items in the Compliance Settings node, but you can select them when you define configuration baselines. General configuration item Used to determine compliance for mobile devices. For more information about creating configuration items for mobile devices, see How to Create Mobile Device Configuration Items for Compliance Settings in Configuration Manager. Use one the following four different methods to create a configuration item in the Configuration Manager console.
Method Description More information

Create a new configuration item

Use the Create Configuration Item Wizard to create the configuration item. Use this method to create a configuration item when you want to configure all properties, or you have no existing configuration item

For more information about how to create a configuration item by using the wizard, see the steps and supplemental procedures in this topic. Note For more information about how to create
2252

Method

Description

More information

from which you can create a duplicate or a child configuration item.

mobile device configuration items, see How to Create Mobile Device Configuration Items for Compliance Settings in Configuration Manager. For more information about how to create a child configuration item, see How to Create Child Configuration Items in Configuration Manager.

Create a child configuration Create a child configuration item item from the Configuration Items node. Use this method to create a configuration item when you want a configuration item that continues to inherit the properties of an existing configuration item, but refines them with more detailed configuration. You cannot create child configuration items for mobile devices. Import Import configuration data from a file. Use this method to create configuration items when they have been defined outside the Configuration Manager hierarchy. For example, you created them in a test environment and now want to use them on the production network, or you want to import best practices from a Configuration Pack that vendors provided. Duplicate Create a duplicate configuration item from the Configuration Items node. Use this method to create a

For more information, see How to Import Configuration Data in Configuration Manager.

To create a duplicate of a configuration item, select a configuration item in the Configuration Items node and then, on the Home tab, in the
2253

Method

Description

More information

configuration item when you Configuration Item group, click want an exact copy of an Copy. existing configuration item to Important use as your starting point, but When you create a you want to modify it to create duplicate configuration an independent configuration baseline or configuration item from the original. item, the duplicate does not retain a relationship to the original configuration data. Therefore, if the original configuration data is upgraded, any revisions are not passed to the duplicate configuration baseline or configuration item.

Warning Do not configure configuration items with identical settings that evaluate different values and assign them to the same devices. When devices evaluate configuration items that have conflicting values, the order in which they are evaluated is nondeterministic. Use the following steps and the supplemental procedures for when you want to create a new configuration item for Windows-based computers.

Steps to Create a New Configuration Item for Client Computers

Use the following required steps to create a configuration item by using the Create Configuration Item Wizard.
Step Details More information

Step 1: Start the Create Configuration Item Wizard.

Start the wizard in the Assets and Compliance workspace in the Compliance Settings node. Specify a Windows configuration item and a detection method if this configuration item assesses

See the Step 1: Start the Create Configuration Item Wizard section in this topic See Step 2: Provide General Information about the Configuration Item.
2254

Step 2: Provide general information about the configuration item.

Step

Details

More information

the compliance of an application. Step 3: Provide detection method information for the configuration item. A detection method contains rules that detect whether an application is installed on a client device before it is assessed for compliance. Note Detection methods apply only to application configuration items (you have selected This configuration item contains application settings on the General page of the wizard). See the Step 3: Provide Detection Method Information for the Configuration Item section in this topic.

Step 4: Configure settings for the configuration item.

A setting represents the business or technical conditions to be used to assess compliance on client devices. You can configure a new setting or browse to an existing setting on a reference computer.

See the Step 4: Configure Settings for the Configuration Item section in this topic.

Step 5: Configure compliance Compliance rules specify the rules for the configuration conditions that define the item. compliance of a configuration item. Some settings let you remediate values that are found to be noncompliant. You can also create new rules by browsing to existing settings in any configuration item and creating rules against them.

See the Step 5: Configure Compliance Rules for the Configuration Item section in this topic.

Step 6: Specify supported Supported platforms are the platforms for the configuration operating systems on which a item. configuration item is assessed for compliance.

See the Step 6: Specify Supported Platforms for the Configuration Item section in this topic.
2255

Step

Details

More information

Step 7: Complete the wizard.

Complete the wizard to create the new configuration item.

No additional information.

Supplemental Procedures to Create a New Configuration Item for Client Computers

Use the following information when the steps in the preceding table require supplemental procedures.

Step 1: Start the Create Configuration Item Wizard

Use this procedure to start the Create Configuration Item Wizard. To start the Create Configuration Item Wizard 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, expand Compliance Settings, and then click Configuration Items. 3. On the Home tab, in the Create group, click Create Configuration Item.

Step 2: Provide General Information about the Configuration Item

Use this procedure to provide general information about the configuration item. To provide general information about the configuration item 1. On the General page of the Create Configuration Item Wizard, specify the following information: Name: Enter a unique name for the configuration item. You can use a maximum of 256 characters. Description: Provide a description that gives an overview of the configuration item and other relevant information that helps to identify it in the Configuration Manager console. You can use a maximum of 256 characters.

2. In the Specify type of configuration item that you want to create list, select Windows. Note If you want to create a configuration item for a mobile device, see How to Create
2256

Mobile Device Configuration Items for Compliance Settings in Configuration Manager. 3. If this configuration item is used to assess the compliance of an application, and you want to use a detection method to detect whether the application is present, select This configuration item contains application settings.

Step 3: Provide Detection Method Information for the Configuration Item

Use this procedure to provide detection method information for the configuration item. Note Applies only if you selected This configuration item contains application settings on the General page of the wizard. A detection method in Configuration Manager contains rules that are used to detect whether an application is installed on a computer. This detection occurs before the configuration item is assessed for compliance. To detect whether an application is installed, you can detect the presence of a Windows Installer file for the application, use a custom script, or select Always assume application is installed to assess the configuration item for compliance regardless of whether the application is installed. Use these procedures to configure detection methods in System Center 2012 Configuration Manager. To detect an application installation by using the Windows Installer File 1. On the Detection Methods page of the Create Configuration Item Wizard, select the Use Windows Installer detection check box. 2. Click Open, browse to the Windows Installer (.msi) file that you want to detect, and then click Open. 3. The Version box is automatically populated with the version number of the Windows Installer file that you selected. You can enter a new version number in this box if the displayed value is incorrect. 4. Select the This application is not installed for one or more users check box if you want to detect each user profile on the computer. To detect an application installation by using a custom script 1. On the Detection Methods page of the Create Configuration Item Wizard, select the Use a custom script to detect this application check box. 2. In the list, select the language of the script you want to open. Choose from the following scripts: VBScript JScript PowerShell
2257

3. Click Open, browse to the script that you want to use, and then click Open.

Step 4: Configure Settings for the Configuration Item

Use this procedure to configure the settings in the configuration item. Settings represent the business or technical conditions that are used to assess compliance on client devices. You can configure a new setting or browse to an existing setting on a reference computer. To create a setting 1. On the Settings page of the Create Configuration Item Wizard, click New. 2. On the General tab of the Create Setting dialog box, provide the following information: Name: Enter a unique name for the setting. You can use a maximum of 256 characters. Description: Enter a description for the setting. You can use a maximum of 256 characters. Setting type: In the list, choose one of the following setting types to use for this setting:
Setting type More information

Active Directory query

Configure the following for this setting type: LDAP prefix - Specify a valid prefix to the Active Directory Domain Services query to assess compliance on client computers. You can use either LDAP:// for a or GC:// to perform a global catalog search.. Distinguished Name (DN) - Specify the distinguished name of the Active Directory Domain Services object that is assessed for compliance on client computers.

For example, if you want to evaluate a value related to a user named John Smith in the corp.contoso.com domain, enter the following: CN=John Smith, CN=Users, DC=corp, DC=Contoso, DC=com
Search filter - Specify an optional LDAP filter to refine the results from
2258

the Active Directory Domain Services query to assess compliance on client computers.

To return all results from the query, enter (objectclass=*).

Search scope - Specify the search scope in Active Directory Domain Services: Base - Queries only the object that is specified. One Level - This option is not used in this version of Configuration Manager. Subtree - Queries the object that is specified and its complete subtree in the directory.

Property - Specify the property of the Active Directory Domain Services object that is used to assess compliance on client computers.

For example, if you want to query the Active Directory property badPwdCount, which stores the number of times a user incorrectly enters a password, enter badPwdCount in this field.
Query - Displays the query constructed from the entries in LDAP prefix, Distinguished name (DN), Search Filter (if specified), and Property, which are used to assess compliance on client computers.

For more information about constructing LDAP queries, see your Windows Server documentation. Assembly Configure the following for this setting type: Assembly name: Specifies the name of the assembly object that you want to search for. The name cannot be
2259

the same as other assembly objects of the same type and must be registered in the Global Assembly Cache. The assembly name can be up to 256 characters long. Note An assembly is a piece of code that can be shared between applications. Assemblies can have the file name extension .dll or .exe. The Global Assembly Cache is a folder named %systemroot%\Assembly on client computers where all shared assemblies are stored. File system Configure the following for this setting type: Type In the list, select whether you want to search for a File or a Folder. Path - Specify the path of the specified file or folder on client computers. You can specify system environment variables and the %USERPROFILE% environment variable in the path. Note If you use the %USERPROFILE% environment variable in the Path or File or folder name boxes, all user profiles on the client computer are searched, which could result in multiple instances of the file or folder that is found. If compliance settings do not have access to the specified path, a discovery error is
2260

generated. Additionally, if the file you are searching for is currently in use, a discovery error is generated. File or folder name - Specify the name of the file or folder object to search for. You can specify system environment variables and the %USERPROFILE% environment variable in the file or folder name. You can also use the wildcards * and ? in the file name. Note If you specify a file or folder name and use wildcards, this combination might produce a high numbers of results and could result in high resource use on the client computer and high network traffic when reporting results to Configuration Manager. Include subfolders Enable this option if you also want to search any subfolders under the specified path. This file or folder is associated with a 64-bit application - Choose whether the 64-bit system file location (%windir%\System32) should be searched in addition to the 32-bit system file location (%windir%\Syswow64) on Configuration Manager clients running a 64-bit version of Windows. Note If the same file or folder exists in both the 64-bit and 32-bit system file
2261

locations on the same 64-bit computer, multiple files are discovered by the global condition. The File system setting type does not support specifying a UNC path to a network share in the Path box. IIS metabase Configure the following for this setting type: Metabase path - Specify a valid path to the Internet Information Services (IIS) Metabase. Property ID - Specify the numeric property of the IIS Metabase setting.

Registry key

Configure the following for this setting type: Hive In the list, select the registry hive that you want to search in. Key - Specify the registry key name that you want to search for. Use the format key\subkey. This registry key is associated with a 64-bit application - Specifies whether the 64-bit registry keys should be searched in addition to the 32-bit registry keys on clients that are running a 64-bit version of Windows. Note If the same registry key exists in both the 64-bit and 32-bit registry locations on the same 64-bit computer, both registry keys are discovered by the global condition.

Registry value

Configure the following for this setting type: Hive - In the list, select the registry hive that you want to search in. Key - Specify the registry key name that you want to search for. Use the format key\subkey. Value Specify the value that must
2262

be contained within the specified registry key. This registry key is associated with a 64-bit application - Specifies whether the 64-bit registry keys should be searched in addition to the 32-bit registry keys on clients that are running a 64-bit version of Windows. Note If the same registry key exists in both the 64-bit and 32-bit registry locations on the same 64-bit computer, both registry keys are discovered by the global condition. You can also click Browse to browse to a registry location on the computer or on a remote computer. To browse a remote computer, you must have administrator rights on the remote computer and the remote computer must be running the remote registry service. Script Configure the following for this setting type: Discovery script Click Add to enter, or browse to the script you want to use. You can use Windows PowerShell, VBScript, or Microsoft JScript scripts. Run scripts by using the logged on user credentials If you enable this option, the script runs on client computers that use the credentials of the logged-on users. Note The value returned by the script is used to assess the compliance of the global condition. For example, when using VBScript, you could use
2263

the command WScript.Echo Result to return the Result variable value to the global condition. SQL query Configure the following for this setting type: SQL Server instance Choose whether you want the SQL query to run on the default instance, all instances, or a specified database instance name. Note The instance name must refer to a local instance of SQL Server. To refer to a clustered SQL server instance, you should use a script setting. Database - Specify the name of the Microsoft SQL Server database against which you want to run the SQL query. Column - Specify the column name returned by the Transact-SQL statement that is used to assess the compliance of the global condition. Transact-SQL statement Specify the full SQL query you want to use for the global condition. You can also click Open to open an existing SQL query. Important SQL Query settings do not support any SQL commands that modify the database. You can only use SQL commands that read information from the database. WQL query Configure the following for this setting type: Namespace - Specify the Windows
2264

Management Instrumentation (WMI) namespace which is used to build a WQL query that is assessed for compliance on client computers. The default value is Root\cimv2. Class - Specifies the WMI class which is used to build a WQL query that is assessed for compliance on client computers. Property - Specifies the WMI property which is used to build a WQL query that is assessed for compliance on client computers. WQL query WHERE clause - You can use the WQL query WHERE clause item to specify a WHERE clause to be applied to the specified namespace, class, and property on client computers.

XPath query

Configure the following for this setting type: Path - Specify the path of the .xml file on client computers that is used to assess compliance. Configuration Manager supports the use of all Windows system environment variables and the %USERPROFILE% user variable in the path name. XML file name - Specify the file name containing the XML query that is used to assess compliance on client computers. Include subfolders - Enable this option if you also want to search any subfolders under the specified path. This file is associated with a 64-bit application - Choose whether the 64-bit system file location (%windir%\System32) should be searched in addition to the 32-bit system file location (%windir%\Syswow64) on Configuration Manager clients that are running a 64-bit version of Windows.
2265

XPath query - Specify a valid full XML path language (XPath) query that is used to assess compliance on client computers. Namespaces - Opens the XML Namespaces dialog box to identify namespaces and prefixes to be used during the XPath query. Important If you attempt to discover an encrypted .xml file, compliance settings find the file, but the XPath query produces no results, and no error is generated. Note If the XPath query is not valid, the setting is evaluated as noncompliant on client computers.

Data type: In the list, choose the format in which the condition returns the data before it is used to assess the setting. The Data type list is not displayed for all setting types. Note The Floating point data type supports only 3 digits after the decimal point.

3. Configure additional details about this setting under the Setting type list. The items you can configure vary depending on the setting type you have selected. Note When you create settings of the type File system, Registry key, and Registry value, you can click Browse to configure the setting from values on a reference computer. To browse to a registry key or value on a remote computer, the remote computer must have the Remote Registry service enabled. 4. Click OK to save the setting and close the Create Setting dialog box.

Step 5: Configure Compliance Rules for the Configuration Item

Use the following procedure to configure compliance rules for the configuration item. Compliance rules specify the conditions that define the compliance of a configuration item. Before a setting can be evaluated for compliance, it must have at least one compliance rule. WMI,
2266

registry, and script settings let you remediate values that are found to be noncompliant. You can create new rules or browse to an existing setting in any configuration item to select rules in it. To create a compliance rule 1. On the Compliance Rules page of the Create Configuration Item Wizard, click New. 2. In the Create Rule dialog box, provide the following information: Name: Enter a name for the compliance rule. Description: Enter a description for the compliance rule. Selected setting: Click Browse to open the Select Setting dialog box. Select the setting that you want to define a rule for, or click New Setting. When you are finished, click Select. Note You can also click Properties to view information about the currently selected setting. Rule type: Select the type of compliance rule that you want to use: Value Create a rule that compares the value returned by the configuration item against a value that you specify. Existential Create a rule that evaluates the setting depending on whether it exists on a client device or on the number of times it is found. The setting must comply with the following rule Select an operator and a value which is assessed for compliance with the selected setting. You can use the following operators: More information No additional information No additional information No additional information No additional information No additional information No additional information No additional information In the text box, specify one entry on each line. In the text box, specify one entry on each line. Remediate noncompliant rules when supported Select this option if you
2267

For a rule type of Value, specify the following information:

Operator Equals Not equal to Greater than Less than Between Greater than or equal to Less than or equal to One of None of

want Configuration Manager to automatically remediate noncompliant rules. Configuration Manager can automatically remediate the following rule types: Registry value The registry value is remediated if it is noncompliant, and created if it does not exist. Script (by automatically running a remediation script). WQL Query Important You can only remediate noncompliant rules when the rule operator is set to Equals. Report noncompliance if this setting instance is not found The configuration item reports noncompliance if this setting is not found on client computers. Noncompliance severity for reports: Specify the severity level that is reported if this compliance rule fails. The available severity levels are the following: None Computers that fail this compliance rule do not report a failure severity for Configuration Manager reports. Information Computers that fail this compliance rule report a failure severity of Information for Configuration Manager reports. Warning Computers that fail this compliance rule report a failure severity of Warning for Configuration Manager reports. Critical Computers that fail this compliance rule report a failure severity of Critical for Configuration Manager reports. Critical with event Computers that fail this compliance rule report a failure severity of Critical for Configuration Manager reports. This severity level is also be logged as a Windows event in the application event log.

For a rule type of Existential, specify the following information: Note The options shown might vary depending on the setting type you are configuring a rule for. The setting must exist on client devices The setting must not exist on client devices The setting occurs the following number of times:

Noncompliance severity for reports: Specify the severity level that is reported if this compliance rule fails. The available severity levels are the following: None Computers that fail this compliance rule do not report a failure severity for Configuration Manager reports. Information Computers that fail this compliance rule report a failure severity of Information for Configuration Manager reports. Warning Computers that fail this compliance rule report a failure severity of
2268

Warning for Configuration Manager reports. Critical Computers that fail this compliance rule report a failure severity of Critical for Configuration Manager reports. Critical with event Computers that fail this compliance rule report a failure severity of Critical for Configuration Manager reports. This severity level is also logged as a Windows event in the application event log.

3. Click OK to close the Create Rule dialog box.

Step 6: Specify Supported Platforms for the Configuration Item

Use the following procedure to specify the supported platforms for the configuration item. Supported platforms are the operating systems on which a configuration item is assessed for compliance. To specify supported platforms for the configuration item 1. On the Supported Platforms page of the Create Configuration Item Wizard, specify one of the following options: Select the versions of Windows that will assess this configuration item for compliance: In the list, select the Windows versions on which you want the configuration item to be assessed for compliance, or click Select all. Specify the version of Windows manually: Click Edit to open the Specify Windows Version Manually dialog box, and then provide the full version number of the version of Windows on which you want the configuration item to be assessed for compliance. Note You can use the winver.exe command at a Windows command prompt to display the full Windows version. 2. Click OK to close the Specify Windows Version Manually dialog box. Note This option is not displayed if you have selected the This configuration item contains application settings check box on the General page of the Wizard.

Step 7: Complete the Wizard

On the Summary page of the Wizard, review the actions that will be taken, and then complete the wizard. The new configuration item is displayed in the Configuration Items node in the Assets and Compliance workspace.

See Also
Operations and Maintenance for Compliance Settings in Configuration Manager
2269

How to Create Mobile Device Configuration Items for Compliance Settings in Configuration Manager
Use the following procedure to configure configuration items in System Center 2012 Configuration Manager to manage the settings on mobile devices that you enroll by using Configuration Manager or Windows Intune. The most typical mobile device settings to configure are email management, password, and roaming settings. However, there are many more settings that you can configure and define by using these three levels: The default settings group, from where you select typical settings to configure and select values in drop-down lists. Additional settings when the setting that you want to configure is not included in the default settings groups. To configure additional settings, select the Configure additional settings that are not in the default setting groups check box on the Mobile Device Settings page. Custom settings that you define yourself by using the OMA URI values. These settings are an equivalent to registry settings for computers. Consult your vendor documentation to help you define these settings and values. To create the custom settings, click Create Setting in the Browse Settings dialog box. Note Not all settings might be supported on all mobile operating systems and on all versions. Configuration Manager displays known compatibility issues for the settings that you configure in the default groups and the additional settings. However, consult your vendor documentation and test the settings and values before you deploy the settings in a production environment. All mobile device settings can be remediated if they are out of compliance. Warning Do not configure configuration items for different values and assign them to the same devices. When devices evaluate configuration items that have conflicting values, the order in which they are evaluated is nondeterministic. To create a mobile device configuration item 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, expand Compliance Settings, and then click Configuration Items. 3. On the Home tab, in the Create group, click Create Configuration Item. 4. On the General page of the Create Configuration Item Wizard, specify the following information, and then click Next: Name: Enter a unique name for the configuration item. You can use a maximum of
2270

256 characters. Description: Provide a description that gives an overview of the configuration item and other relevant information that helps to identify it in the Configuration Manager console. You can use a maximum of 256 characters. In the Specify type of configuration item that you want to create list, select Mobile device. Click Categories to assign optional categories to the configuration item to make it easier to search for and filter in the Configuration Manager console. For more information, see How to Manage Configuration Items for Compliance Settings in Configuration Manager.

5. On the Mobile Device Settings page, select the settings group to configure. If the setting that you want is not listed, select the Configure additional settings that are not in the default setting groups check box, and then click Next. 6. Configure the settings, and specify whether to remediate them if they are out of compliance. 7. Complete the wizard.

See Also
Operations and Maintenance for Compliance Settings in Configuration Manager

How to Create Mac Computer Configuration Items in Configuration Manager

Note The information in this topic applies only to System Center 2012 Configuration Manager SP1. You can use compliance settings in System Center 2012 Configuration Manager to monitor and remediate settings on Mac computers. The Mac OS X operating system uses property list (or plist) files to store application settings. Use compliance settings to evaluate and remediate the compliance of settings that are stored in a property list file. You can also manage Mac OS X settings by writing a Shell Script that returns a value that you can evaluate and remediate for compliance. Important Configuration Manager does not support the deployment of configuration baselines for Mac computers to users. Use the following required steps to create a configuration item for Mac computers by using the Create Configuration Item Wizard.

2271

Step

Details

More information

Step 1: Start the Create Configuration Item Wizard

Start the wizard in the Assets and Compliance workspace in the Compliance Settings node. Specify that you want to create a Mac OS X configuration item and provide general information.

See Step 1: Start the Create Configuration Item Wizard in this section. See Step 2: Provide General Information about the Configuration Item in this section. See Step 3: Specify Supported Platforms for the Configuration Item in this section. See Step 4: Configure Settings for the Configuration Item in this section.

Step 2: Provide General Information about the Configuration Item

Step 3: Specify Supported Platforms for the Configuration Item

Supported platforms are the operating systems on which a configuration item is assessed for compliance. A setting represents the business or technical conditions to be used to assess compliance on client devices. Compliance rules specify the conditions that define the compliance of a configuration item. Complete the wizard to create the new configuration item. The configuration item is displayed in the Configuration Items node of the Assets and Compliance workspace. Use the Create Configuration Baseline dialog box to add configuration items to a configuration baseline that you can then deploy to Mac computers. Use the Deploy Configuration Baselines dialog box to define configuration baseline deployments, which includes adding or removing configuration baselines from deployments in addition to specifying the

Step 4: Configure Settings for the Configuration Item

Step 5: Configure Compliance Rules for the Configuration Item

See Step 5: Configure Compliance Rules for the Configuration Item in this section. No additional information.

Step 6: Complete the wizard

Step 7: Add the configuration item to a configuration baseline

See the topic How to Create Configuration Baselines for Compliance Settings in Configuration Manager.

Step 8: Deploy the configuration baseline to Mac computers

See the topic How to Deploy Configuration Baselines in Configuration Manager.

2272

Step

Details

More information

evaluation schedule. Note If you want to build a collection containing only Mac computers, create a collection that uses a query rule and use the example WQL query in the Example WQL Queries section in the topic How to Create Queries in Configuration Manager. Step 9: Monitor the configuration baseline for compliance You can monitor the compliance of configuration baselines for Mac computers from the Configuration Manager console, by using reports, or by creating collections based on configuration baseline compliance. See the topic How to Monitor for Compliance Settings in Configuration Manager.

Supplemental Procedures to Create a New Configuration Item for Client Computers

Use the following information when the steps in the preceding table require supplemental procedures.

Step 1: Start the Create Configuration Item Wizard

Use this procedure to start the Create Configuration Item Wizard. To start the Create Configuration Item Wizard 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, expand Compliance Settings, and then click Configuration Items. 3. On the Home tab, in the Create group, click Create Configuration Item.

2273

Step 2: Provide General Information about the Configuration Item

Use this procedure to provide general information about the configuration item. To provide general information about the configuration item 1. On the General page of the Create Configuration Item Wizard, specify the following information: Name: Enter a unique name for the configuration item. You can use a maximum of 256 characters. Description: Provide a description that gives an overview of the configuration item and other relevant information that helps to identify it in the Configuration Manager console. You can use a maximum of 500 characters.

2. In the Specify the type of configuration item that you want to create list, select Mac OS X.

Step 3: Specify Supported Platforms for the Configuration Item

On the Supported Platforms page of the Create Configuration Item Wizard, select the Mac operating systems on which the configuration item will be assessed for compliance, or click Select all.

Step 4: Configure Settings for the Configuration Item

Use this procedure to configure the settings in the configuration item. To create a setting 1. On the Settings page of the Create Configuration Item Wizard, click New. 2. On the General tab of the Create Setting dialog box, provide the following information: Name: Enter a unique name for the setting. You can use a maximum of 256 characters. Description: Enter a description for the setting. You can use a maximum of 1000 characters. Setting type: In the list, choose one of the following setting types to use for this setting:
Setting type More information

Mac OS X Preferences

Configure the following for this setting type: Application ID Specify the application ID of the property list file from which you want to evaluate a key for compliance.
2274

For example, if you want to edit settings for the Safari Web browser, you might use com.apple.Safari.plist.
Key Specify the name of the key that you want to evaluate for compliance on Mac computers. Use the following syntax: /<dictionary>/<keyname>.

Script

Configure the following for this setting type: Discovery Script Click Add Script, and then enter a shell script to assess settings on the Mac computer for compliance. Use the echo command in the shell script to return values to Configuration Manager for compliance. Configuration Manager uses the results returned in STDOUT to evaluate compliance. Important Do not include the reboot command in the discovery script. Because the discovery script runs each time the client restarts, this will cause the Mac computer to continually restart. Remediation script (optional) Optionally, click Add Script and then enter a shell script that is used to remediate any noncompliance settings found on Mac client computers. Warning To ensure that you do not introduce formatting characters that the Mac
2275

computer cannot interpret, do not use copy and paste but type in the script. Data type: In the list, choose the format in which the condition returns the data before it is used to assess the setting. Note The Floating point data type supports only 3 digits after the decimal point. 3. Click OK to save the setting and close the Create Setting dialog box.

Step 5: Configure Compliance Rules for the Configuration Item

Use the following procedure to configure compliance rules for the configuration item. Compliance rules specify the conditions that define the compliance of a configuration item. Before a setting can be evaluated for compliance, it must have at least one compliance rule. To create a compliance rule 1. On the Compliance Rules page of the Create Configuration Item Wizard, click New. 2. In the Create Rule dialog box, provide the following information: Name: Enter a name for the compliance rule. Description: Enter a description for the compliance rule. Selected setting: Click Browse to open the Select Setting dialog box. Select the setting that you want to define a rule for, or click New Setting. When you are finished, click Select. Note You can also click Properties to view information about the currently selected setting. Rule type: Select the type of compliance rule that you want to use: Value Create a rule that compares the value returned by the configuration item against a value that you specify. Existential Create a rule that evaluates the setting depending on whether it exists on a client. The setting must comply with the following rule Select an operator and a value which is assessed for compliance with the selected setting. You can use the following operators: More information No additional information

For a rule type of Value, specify the following information:

Operator Equals

2276

Not equal to Greater than Less than Between Greater than or equal to Less than or equal to One of None of

No additional information No additional information No additional information No additional information No additional information No additional information In the text box, specify one entry on each line. In the text box, specify one entry on each line.

Remediate noncompliant rules when supported Select this option if you want Configuration Manager to automatically remediate noncompliant rules. Important You can only remediate noncompliant rules when the rule operator is set to Equals.

Report noncompliance if this setting instance is not found The configuration item reports noncompliance if this setting is not found on client computers. Noncompliance severity for reports: Specify the severity level that is reported if this compliance rule fails. The available severity levels are the following: None Computers that fail this compliance rule do not report a failure severity for Configuration Manager reports. Information Computers that fail this compliance rule report a failure severity of Information for Configuration Manager reports. Warning Computers that fail this compliance rule report a failure severity of Warning for Configuration Manager reports. Critical Computers that fail this compliance rule report a failure severity of Critical for Configuration Manager reports. Critical with event Computers that fail this compliance rule report a failure severity of Critical for Configuration Manager reports. This severity level is also be logged as a Windows event in the application event log.

For a rule type of Existential, specify the following information: Note The options shown might vary depending on the setting type you are configuring a rule for. The setting must exist on client devices The setting must not exist on client devices

Noncompliance severity for reports: Specify the severity level that is reported if
2277

this compliance rule fails. The available severity levels are the following: None Computers that fail this compliance rule do not report a failure severity for Configuration Manager reports. Information Computers that fail this compliance rule report a failure severity of Information for Configuration Manager reports. Warning Computers that fail this compliance rule report a failure severity of Warning for Configuration Manager reports. Critical Computers that fail this compliance rule report a failure severity of Critical for Configuration Manager reports. Critical with event Computers that fail this compliance rule report a failure severity of Critical for Configuration Manager reports. This severity level is also be logged as a Windows event in the application event log.

3. Click OK to close the Create Rule dialog box.

See Also
Operations and Maintenance for Compliance Settings in Configuration Manager

How to Create Configuration Baselines for Compliance Settings in Configuration Manager

Configuration baselines in System Center 2012 Configuration Manager contain predefined configuration items and optionally, other configuration baselines. After a configuration baseline is created, you can deploy it to a collection so that devices in that collection download the configuration baseline and assess their compliance with it. Configuration baselines in Configuration Manager can contain specific revisions of configuration items or can be configured to always use the latest version of a configuration item. For more information about configuration item revisions, see How to Manage Configuration Items for Compliance Settings in Configuration Manager. There are two methods that you can use to create configuration baselines in Configuration Manager: Import configuration data from a file. To start the Import Configuration Data Wizard, in the Configuration Items or Configuration Baselines node in the Assets and Compliance workspace, click Import Configuration Data. Use the Create Configuration Baseline dialog box to create a new configuration baseline.

Use the following procedure to create a configuration baseline by using the Create Configuration Baseline dialog box.

2278

To create a configuration baseline 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, expand Compliance Settings, and then click Configuration Baselines. 3. On the Home tab, in the Create group, click Create Configuration Baseline. 4. In the Create Configuration Baseline dialog box, enter a unique name and a description for the configuration baseline. You can use a maximum of 255 characters for the name and 512 characters for the description. 5. The Configuration data list displays all configuration items or configuration baselines that are included in this configuration baseline. Click Add to add a new configuration item or configuration baseline to the list. You can choose from the following: Configuration Items Software Updates Configuration Baselines

6. Use the Change Purpose list to specify the behavior of a configuration item that you have selected in the Configuration data list. You can select from the following: Required The configuration baseline is evaluated as noncompliant if the configuration item is not detected on a client device. If it is detected, it is evaluated for compliance Optional The configuration item is only evaluated for compliance if the application it references is found on client computers. If the application is not found, the configuration baseline is not marked as noncompliant (only applicable to application configuration items). Prohibited The configuration baseline is evaluated as noncompliant if the configuration item is detected on client computers (only applicable to application configuration items). Note The Change Purpose list is available only if you clicked the option This configuration item contains application settings on the General page of the Create Configuration Item Wizard. 7. Use the Change Revision list to select a specific or the latest revision of the configuration item to assess for compliance on client devices or select Always Use Latest to always use the latest revision. For more information about configuration item revisions, see How to Manage Configuration Items for Compliance Settings in Configuration Manager. 8. If you want to remove a configuration item from the configuration baseline, select a configuration item, and then click Remove. 9. Click OK to close the Create Configuration Baseline dialog box and to create the configuration baseline.

2279

See Also
Operations and Maintenance for Compliance Settings in Configuration Manager

How to Create Child Configuration Items in Configuration Manager

Child configuration items in System Center 2012 Configuration Manager are copies of configuration items that retain a relationship to the original configuration item; therefore, they inherit the original configuration from the parent configuration item. When you view the properties of a child configuration item in the Configuration Manager console, you can view, but not edit the inherited objects and settings with their validation criteria. However, you can add and then edit additional validation criteria to the child configuration item, and you can also add new objects and settings to the child configuration item. Therefore, the usual purpose for creating and editing a child configuration item is that it refines the original configuration item to meet your business requirements. Note You cannot create a child configuration item from a mobile device configuration item.

To create a child configuration item

1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, expand Compliance Settings, and then click Configuration Items. 3. In the Configuration Items list, select the configuration item for which you want to create a child configuration item, and then in the Home tab, in the Configuration Item group, click Create Child Configuration Item. 4. On the General page of the Create Child Configuration Item Wizard, you can choose a specific revision of the parent configuration item to use to create the child. Other steps in this wizard are identical to those you would use to create a standard configuration item. For more information, see How to Create Windows Configuration Items for Compliance Settings in Configuration Manager. 5. Complete the wizard. The new child configuration item displays in the Configuration Items list.

See Also
Operations and Maintenance for Compliance Settings in Configuration Manager
2280

How to Deploy Configuration Baselines in Configuration Manager

Configuration baselines in System Center 2012 Configuration Manager must be deployed to one or more collections of users or devices before client devices in those collections can assess their compliance with the configuration baseline. Use the Deploy Configuration Baselines dialog box to define configuration baseline deployments, which includes adding or removing configuration baselines from deployments in addition to specifying the evaluation schedule. To deploy a configuration baseline 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, expand Compliance Settings, and then click Configuration Baselines. 3. In the Configuration Baselines list, select the configuration baseline that you want to deploy, and then in the Home tab, in the Deployment group, click Deploy. 4. In the Deploy Configuration Baselines dialog box, select the configuration baselines that you want to deploy in the Available configuration baselines list. Click Add to add these to the Selected configuration baselines list. Important If you change a configuration item that has been added to a deployed configuration baseline, the revised configuration item is not evaluated for compliance until its next scheduled evaluation time. 5. Specify the following additional information: Remediate noncompliant rules when supported Enable this option to automatically remediate any rules that are noncompliant for Windows Management Instrumentation (WMI), the registry, scripts, and all settings for mobile devices that are enrolled by Configuration Manager. Allow remediation outside the maintenance window If a maintenance window has been configured for the collection to which you are deploying the configuration baseline, enable this option to let compliance settings remediate the value outside of the maintenance window. For more information about maintenance windows, see How to Use Maintenance Windows in Configuration Manager.

6. Generate an alert Enable this option to configure an alert that is generated if the configuration baseline compliance is less than a specified percentage by a specified date and time. You can also specify whether you want an alert to be sent to System Center Operations Manager. 7. Collection: Click Browse to select the collection where you want to deploy the configuration baseline. 8. Specify the compliance evaluation schedule for this configuration baseline: Specifies the schedule by which the deployed configuration baseline is evaluated on
2281

client computers. This can be either a simple or a custom schedule. Note If the configuration baseline is deployed to a computer, it is evaluated for compliance within two hours of the start time that you schedule. If it is deployed to a user, it is evaluated for compliance when the user logs on. 9. Click OK to close the Deploy Configuration Baselines dialog box and to create the deployment. For more information about how to monitor the deployment, see How to Monitor for Compliance Settings in Configuration Manager.

See Also
Operations and Maintenance for Compliance Settings in Configuration Manager

How to Manage Configuration Baselines for Compliance Settings in Configuration Manager

Use the information in this topic to help you manage configuration baselines in System Center 2012 Configuration Manager. For information about how to create configuration baselines, see How to Create Configuration Baselines for Compliance Settings in Configuration Manager.

To manage configuration baselines

In the Assets and Compliance workspace, expand Compliance Settings, select Configuration Baselines, select the configuration baseline to manage, and then select a management task.

Use the following table for more information about the management tasks that might require some information before you select them.
Management task Details More information

Show Members

Displays all of the configuration items that are referenced by the configuration baseline.

No additional information.

Schedule Summarization

Configures the schedule by which No additional information. the data shown in the Configuration Baselines node in the Configuration Manager
2282

Management task

Details

More information

console is updated with the latest information from the site database. Run Summarization Summarization causes the data in No additional information. the Configuration Baselines node to be refreshed with the latest data from the site database. This action might take several minutes to complete. You might have to click Refresh before you can see the latest data in the console. Displays the XML definition file for No additional information. the selected configuration baseline in a new window. This information can be useful when you want to author configuration data manually. Enables a configuration baseline for compliance monitoring. Disables a configuration baseline so it is no longer evaluated for compliance on client computers. Configuration baselines that reference this configuration baseline will also be disabled. Exports a configuration baseline in a cabinet (.cab) file format, providing that it was created at that site. You can then import it to the same or a different System Center 2012 Configuration Manager site. Configuration data is converted to DCM Digest. For information about how to import configuration data, see How to Import Configuration Data in Configuration Manager.
2283

View XML Definition

Enable

No additional information.

Disable

No additional information.

Export

No additional information.

Management task

Details

More information

Copy

Creates a copy of the selected configuration baseline with a name that you specify. The new configuration baseline does not retain any relationship to the original configuration baseline. Opens the Delete Configuration Baseline dialog box where you can review any references to this configuration baseline. Important You must remove all references to a configuration baseline before you can delete the configuration baseline.

No additional information.

Delete

No additional information.

Deploy

Opens the Deploy Configuration How to Deploy Configuration Baseline dialog box where you Baselines in Configuration can deploy one or more Manager configuration baselines to devices in your hierarchy.

See Also
Operations and Maintenance for Compliance Settings in Configuration Manager

How to Manage Configuration Items for Compliance Settings in Configuration Manager

Use the information in this topic to help you manage configuration items in System Center 2012 Configuration Manager. For information about how to create configuration items, see How to Create Windows Configuration Items for Compliance Settings in Configuration Manager and How to Create Mobile Device Configuration Items for Compliance Settings in Configuration Manager.

2284

To manage configuration items

In the Assets and Compliance workspace, expand Compliance Settings, select Configuration Items, select the configuration item to manage, and then select a management task.

Use the following table for more information about the management tasks that might require some information before you select them.
Management task Details More information

Create Child Configuration Item

Opens the Create Child Configuration Item Wizard where you can create a child configuration item from the selected configuration item. Note You cannot create a child configuration item from a mobile device configuration item.

How to Create Child Configuration Items in Configuration Manager

Revision History

Opens the Configuration Item Revision History dialog box where you can view and manage previous revisions of the selected configuration item. Displays the XML definition file for the selected configuration item in a new window. This information can be useful when you want to author configuration data manually.

No additional information.

View XML Definition

No additional information.

Export

Exports a configuration item in a No additional information. cabinet (.cab) file format, providing that it was created at that site. You can then import it to the same or a different Configuration Manager site. Configuration data is converted to DCM Digest. Creates a copy of the selected configuration item with a name No additional information.

Copy

2285

Management task

Details

More information

you specify. The new configuration item does not retain any relationship to the original configuration item. This means that the duplicate configuration item does not continue to inherit configuration information from the original configuration item. Delete Opens the Delete Configuration Item dialog box where you can review any references to this configuration item. Important You must remove all references to a configuration item before you can delete the configuration item. No additional information.

See Also
Operations and Maintenance for Compliance Settings in Configuration Manager

How to Monitor for Compliance Settings in Configuration Manager

After you have deployed System Center 2012 Configuration Manager configuration baselines to computers in your hierarchy, you can use one or more of the following procedures to display the compliance status of the configuration baseline: How to View Compliance Results in the Configuration Manager Console How to View Compliance Results by Using Reports How to View Compliance Results on a Configuration Manager Client How to Create Collections Based on Configuration Baseline Compliance Note The validation criteria fields in compliance settings reports (the equivalent on the clientside report is Constraints) display the underlying Service Modeling Language (SML).
2286

This can make it difficult for administrators who have authored the configuration item in the Configuration Manager console to understand what the validation criteria is if they do not have knowledge of SML. In this case, use the Monitoring workspace in the Configuration Manager console to view the properties of the configuration item and its validation criteria.

How to View Compliance Results in the Configuration Manager Console

Use this procedure to view details about the compliance of deployed configuration baselines in the Configuration Manager console. To view compliance results in the Configuration Manager console 1. In the Configuration Manager console, click Monitoring. 2. In the Monitoring workspace, click Deployments. 3. In the Deployments list, select the configuration baseline deployment for which you want to review compliance information. 4. You can review summary information about the compliance of the configuration baseline deployment on the main page. To view more detailed information, select the configuration baseline deployment, and then on the Home tab, in the Deployment group, click View Status to open the Deployment Status page. The Deployment Status page contains the following tabs: Compliant: Displays the compliance of the configuration baseline based on the number of assets affected. You can click a rule to create a temporary node under the Users or Devices node that are in the Assets and Compliance workspace, which contains all users or devices that are compliant with this rule. The Asset Details pane displays the users or devices that are compliant with the configuration baseline. Double-click a user or device in the list to display additional information. Important A configuration item rule is not evaluated if it is not detected or not applicable on a client computer; however, the rule is returned as compliant. Error: Displays a list of all errors for the selected configuration baseline deployment based on number of assets affected. You can click a rule to create a temporary node under the Users or Devices node of the Assets and Compliance workspace, which contains all users or devices that generated errors with this rule. When you select a user or device, the Asset Details pane displays the users or devices that are affected by the selected issue. Double-click a user or device in the list to display additional information about the issue. Non-Compliant: Displays a list of all noncompliant rules within the configuration baseline based on number of assets affected. You can click a rule to create a temporary node under the Users or Devices node of the Assets and Compliance workspace, which contains all users or devices that are not compliant with this rule.
2287

When you select a user or device, the Asset Details pane displays the users or devices that are affected by the selected issue. Double-click a user or device in the list to display further information about the issue. Unknown: Displays a list of all users and devices that did not report compliance for the selected configuration baseline deployment together with the current client status of devices.

5. On the Deployment Status page, you can review detailed information about the compliance of the deployed configuration baseline. A temporary node is created under the Deployments node that helps you find this information again quickly.

How to View Compliance Results by Using Reports

Compliance settings in Configuration Manager includes a number of built-in reports that let you monitor information about configuration items, configuration baselines, and deployments. These reports have the report category of Compliance and Settings Management. Important You must use a wildcard (%) character when you use the parameters Device filter and User filter in the compliance settings reports. For more information about how to configure Reporting in Configuration Manager, see Reporting in Configuration Manager

How to View Compliance Results on a Configuration Manager Client

Use this procedure to view details about the compliance of deployed configuration baselines on the Configuration Manager client. Note You cannot view information on the Configuration Manager client if you are logged on with a domain Guest account. To view compliance results on a Configuration Manager client 1. Navigate to Configuration Manager in Control Panel of the client computer, and doubleclick it to open its properties. 2. Click the Configurations tab, and view the list of deployed configuration baselines. 3. View the Compliance State for each configuration baseline: Important The evaluation results are cached on the client for 15 minutes. If you initiate a reevaluation within the 15 minute period, the compliance results are returned from
2288

this cache rather than a new evaluation. Therefore, if you make a change on the client that might affect the compliance evaluation results, wait until the 15 minutes have elapsed before initiating a re-evaluation. Compliant: The client computer is in compliance with the evaluated configuration baseline. Non-Compliant: The client computer is out of compliance with the evaluated configuration baseline. Unknown: The client computer has not yet evaluated the configuration baseline. If you want to initiate evaluation outside the compliance evaluation schedule, select the configuration baselines to evaluate, and then click Evaluate. Note If you have local administrator credentials on the client computer, you can view details of each evaluated configuration baseline to determine which configuration item is reporting a noncompliant status. To do this, select the configuration baseline, and then click View Report. 4. Click OK.

How to Create Collections Based on Configuration Baseline Compliance

Use the following procedure to create a Configuration Manager collection based on devices with a specified compliance. You can create collections based on the following compliance states: Compliant Error Non-compliant Unknown To create a collection based on compliance state 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, expand Compliance Settings, and then click Configuration Baselines. 3. In the Configuration Baselines list, select the configuration baseline from which you want to create a collection. 4. In the Deployment tab, in the Deployment Group, click Create New Collection and then, in the drop-down list, select the compliance level for which you want to create a collection. 5. The Create User Collection Wizard or the Create Device Collection Wizard opens, depending on whether the configuration item is deployed to users or devices. The wizard is automatically populated with the correct values to create the collection; however, you can edit these values.
2289

6. After you complete the wizard, the collection displays in the User Collections or the Device Collections node in the Assets and Compliance workspace.

See Also
Operations and Maintenance for Compliance Settings in Configuration Manager

How to Import Configuration Data in Configuration Manager

In addition to creating configuration baselines and configuration items in the System Center 2012 Configuration Manager console, you can import configuration data if it is contained in a cabinet (.cab) file format and adheres to the supported SML schema. You can import configuration data from the following sources: Best practice configuration data (Configuration Packs) that has been downloaded from Microsoft or from other software vendor sites. Configuration data that has been exported from System Center 2012 Configuration Manager. Configuration data that was externally authored and that conforms to the Service Modeling Language (SML) schema.

For an example Configuration Pack that helps you manage compliance for System Center 2012 Configuration Manager site server roles, see System Center 2012 Configuration Manager Configuration Pack.

How to Import Configuration Data

When you import a configuration baseline, some or all of the configuration items that are referenced in the configuration baseline might also be included in the cabinet file. During the import process, Configuration Manager verifies that all of the configuration items that are referenced in the configuration baseline are either also included in the cabinet file or already exist in the Configuration Manager site. The import process fails if you attempt to import a configuration baseline that references configuration data that Configuration Manager cannot locate. Other scenarios where the import process might fail include the following: The configuration data references configuration data that Configuration Manager cannot locate, either in its database or in the cabinet file itself. The configuration data is already present in the Configuration Manager database with the same name and configuration data version, but the content version differs. The configuration data is already present in the Configuration Manager database with the same content version, but the hash calculation identifies it as being different. A newer version of the configuration data with same name is already present or has recently been deleted in the Configuration Manager database.
2290

In a multi-site Configuration Manager hierarchy, the configuration data was originally imported from a parent site. You must update it from the same site and not a child site.

Use the following procedure to import configuration data in Configuration Manager. To import configuration data 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, expand Configuration Items or Configuration Baselines, and then in the Home tab, in the Create group, click Import Configuration Data. 3. On the Select Files page of the Import Configuration Data Wizard, click Add, and then in the Open dialog box, select the .cab files you want to import. 4. Select the Create a new copy of the imported configuration baselines and configuration items check box if you want the imported configuration data to be editable in the Configuration Manager console. 5. On the Summary page of the wizard, review the actions that will be taken, and then complete the wizard. The imported configuration data displays in the Compliance Settings node in the Assets and Compliance workspace.

See Also
Operations and Maintenance for Compliance Settings in Configuration Manager

How to Create User Data and Profiles Configuration Items in Configuration Manager
Note The information in this topic applies only to System Center 2012 Configuration Manager SP1. User data and profiles configuration items in Microsoft System Center 2012 Configuration Manager contain settings that can manage folder redirection, offline files and roaming profiles on computers that run Windows 8 for users in your hierarchy. For example, you can: Redirect a users Documents folder to a network share. Ensure that specified files stored on the network are available on a users computer when the network connection is unavailable. Configure which files in a users roaming profile are synchronized with a network share when the user logs on and off.

2291

Unlike other configuration items in Configuration Manager, you do not add user data and profile configuration items to a configuration baseline which you then deploy. Instead, you deploy the configuration item directly by using the Deploy User Data and Profiles Configuration Item dialog box. Important You can only deploy user data and profiles configuration items to user collections.

How to Enable User Data and Profiles for Compliance Settings

Use the following procedure to configure the default client setting for user data and profiles compliance settings which will apply to all computers in your hierarchy. If you want this setting to apply to only some computers, create a custom device client setting and assign it to a collection that contains the computers for which you want to use user data and profiles compliance settings. For more information about how to create custom device settings, see How to Create and Assign Custom Client Settings.

1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, click Client Settings. 3. Click Default Settings. 4. On the Home tab, in the Properties group, click Properties. 5. In the Default Settings dialog box, click Compliance Settings. 6. From the Enable User Data and Profiles drop-down list, select Yes. 7. Click OK to close the Default Settings dialog box.

How to Create a User Data and Profiles Configuration Item

Use the following procedure to create a user data and profiles configuration item in Configuration Manager.

1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, expand Compliance Settings, and then click User Data and Profiles. 3. On the Home tab, in the Create group, click Create User Data and Profiles Configuration Item. 4. On the General page of the Create User Data and Profiles Configuration Item Wizard, specify the following information:
2292

Name: Enter a unique name for the configuration item. You can use a maximum of 256 characters. Description: Provide a description that gives an overview of the configuration item and other relevant information that helps to identify it in the Configuration Manager console. You can use a maximum of 256 characters. Folder redirection Check this box if you want to configure settings for folder redirection for this configuration item. Offline files Check this box if you want to configure settings for offline files for this configuration item. Roaming user profiles Check this box if you want to configure settings for roaming user profiles for this configuration item.

5. To continue, click Next. 6. On the Folder Redirection page of the Create User Data and Profiles Configuration Item Wizard, specify how you want the client computers of users that receive this configuration item to manage folder redirection. You can configure settings for any device the user logs onto or for only the users primary devices. For more information about folder redirection, see your Windows Server documentation. Note This page of the Wizard appears only if you checked the box Folder redirection on the General page of the wizard. 7. To continue, click Next. 8. On the Offline Files page of the Create User Data and Profiles Configuration Item Wizard, you can enable or disable the use of offline files for users that receive this configuration item and configure settings for the behavior of the offline files. You can also specify offline files that will always be available on any computer that the user logs on to. For more information about offline files, see your Windows Server documentation. Note This page of the Wizard appears only if you checked the box Offline files on the General page of the wizard. 9. To continue, click Next. 10. On the Roaming Profiles page of the Create User Data and Profiles Configuration Item Wizard, you can configure whether roaming profiles are available on computers that the user logs onto and also configure further information about how these profiles behave. For more information about roaming profiles, see your Windows Server documentation. Note This page of the Wizard appears only if you checked the box Roaming user profiles on the General page of the wizard. 11. To continue, click Next. 12. On the Summary page of the wizard, review the actions that will be taken and then click Next to create the configuration item.
2293

13. Complete the wizard. The new user data and profiles configuration item is shown in the User Data and Profiles node of the Assets and Compliance workspace.

How to Deploy a User Data and Profiles Configuration Item

Use the following procedure to deploy a user data and profiles configuration item in Configuration Manager. Unlike other configuration items in Configuration Manager, you do not add user data and profile configuration items to a configuration baseline which you then deploy. Instead, you deploy the configuration item directly by using the Deploy User Data and Profiles Configuration Item dialog box.

1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, expand Compliance Settings, and then click User Data and Profiles. 3. Select the user data and profiles configuration item you want to deploy and then, in the Home tab, in the Deployment group, click Deploy. 4. In the Deploy User Data and Profiles Configuration Item dialog box, specify the following information. Collection: Click Browse to select the user collection where you want to deploy the configuration item. Important You can only deploy user data and profiles configuration items to user collections. Remediate noncompliant rules when supported Enable this option to automatically remediate any rules that are evaluated as noncompliant on client computers. Allow remediation outside the maintenance window If a maintenance window has been configured for the collection to which you are deploying the configuration item, enable this option to let compliance settings remediate the value outside of the maintenance window. For more information about maintenance windows, see How to Use Maintenance Windows in Configuration Manager. Generate an alert Enable this option to configure an alert that is generated if the configuration item compliance is less than a specified percentage by a specified date and time. You can also specify whether you want an alert to be sent to System Center Operations Manager. Specify the compliance evaluation schedule for this configuration item: Specifies the schedule by which the deployed configuration item is evaluated on client computers. This can be either a simple or a custom schedule.
2294

5. Click OK to close the Deploy User Data and Profiles Configuration Item dialog box and to create the deployment. For more information about how to monitor the deployment, see How to Monitor for Compliance Settings in Configuration Manager.

See Also
Operations and Maintenance for Compliance Settings in Configuration Manager

Security and Privacy for Compliance Settings in Configuration Manager

This topic contains security and privacy information for compliance settings in System Center 2012 Configuration Manager.

Security Best Practices for Compliance Settings

Use the following security best practices when you manage compliance settings on clients.
Security best practice More information

Do not monitor sensitive data.

To help avoid information disclosure, do not configure configuration items to monitor potentially sensitive information. If you create a compliance rule based on data that users can modify, such as registry settings for configuration choices, the compliance results will not be reliable. Published configuration data can be digitally signed so that you can verify the publishing source and ensure that the data has not been tampered with. If the digital signature verification check fails, you are warned and prompted to continue with the import. Do not import unsigned data if you cannot verify the source and integrity of the data. Ensure that when an administrative user configures a registry or file system setting by browsing to a reference computer, the reference computer had not been compromised.
2295

Do not configure compliance rules that use data that can be modified by end users.

Import Microsoft System Center configuration packs and other configuration data from external sources only if they have a valid digital signature from a trusted publisher.

Implement access controls to protect reference computers.

Security best practice

More information

Secure the communication channel when you browse to a reference computer.

To prevent tampering of the data when it is transferred over the network, use Internet Protocol security (IPsec) or server message block (SMB) between the computer that runs the Configuration Manager console and the reference computer. Administrative users who are granted the Compliance Settings Manager role can deploy configuration items to all devices and all users in the hierarchy. Configuration items can be very powerful and can include, for example, scripts and registry reconfiguration.

Restrict and monitor the administrative users who are granted the Compliance Settings Manager role-based security role.

Privacy Information for Compliance Settings

You can use compliance settings to evaluate whether your client devices are compliant with configuration items that you deploy in configuration baselines. Some settings can be automatically remediated if they out of compliance. Compliance information is sent to the site server by the management point and stored in the site database. The information is encrypted when devices send it to the management point, but it is not stored in encrypted format in the site database. Information is retained in the database until the site maintenance task Delete Aged Configuration Management Data deletes it every 90 days. You can configure the deletion interval. Compliance information is not sent to Microsoft. By default, devices do not evaluate compliance settings. In addition, you must configure the configuration items and configuration baselines, and then deploy them to devices. Before you configure compliance settings, consider your privacy requirements.

See Also
Compliance Settings in Configuration Manager

Technical Reference for Compliance Settings in Configuration Manager

Use the following topics in this section for technical reference information about compliance settings in System Center 2012 Configuration Manager. Example Scenario for Compliance Settings in Configuration Manager Example Scenario for User Data and Profiles Management in Configuration Manager
2296

See Also
Compliance Settings in Configuration Manager

Example Scenario for Compliance Settings in Configuration Manager

Note This topic appears in the Assets and Compliance in System Center 2012 Configuration Manager guide and in the Scenarios and Solutions Using System Center 2012 Configuration Manager guide. This topic provides an example scenario for how you can use compliance settings in System Center 2012 Configuration Manager to remediate a failed application installation because a registry key is being overwritten. In this scenario, Woodgrove Bank uses a line of business application that provides access to standard company forms on the desktop of users computers. Many users are reporting that this application fails to run. John is the Configuration Manager administrator at Woodgrove bank who must troubleshoot the problem and ensure that it does not recur in the future. After investigation, John realizes that a second application overwrites a registry key that is used by the line of business application. He tests this by correcting the registry key value on a computer. This change allows the line of business application to run. John requires a way to correct this registry key value on all desktop and laptop computers at Woodgrove Bank when it is not correct. He also requires that if the registry value is changed again in the future, the problem is automatically corrected. John wants to evaluate the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Woodgrove\LOB App\Configuration\Configuration1. If this registry key contains the value 0 then it is noncompliant and must be remediated with a value of 1. John discovers that compliance settings in System Center 2012 Configuration Manager can monitor for, and automatically remediate incorrect registry key values and decides to use this to solve the business problem. The following sections in this topic provide steps that can help you to create, deploy, and manage compliance settings in your organization: Preparing to perform the scenarios Step 1: Create a configuration item Step 2: Create a configuration baseline Step 3: Deploy the configuration baseline Step 4: Monitor the configuration baseline deployment

2297

Preparing to perform the scenarios

Before John can begin to use compliance settings, he takes the actions outlined in the following table.
Process Reference

John reviews the available information about the basic concepts for compliance settings in System Center 2012 Configuration Manager. John reviews and implements the required prerequisites for compliance settings.

For overview information about compliance settings, see Introduction to Compliance Settings in Configuration Manager. For information about the prerequisites for compliance settings, see Prerequisites for Compliance Settings in Configuration Manager.

Step 1: Create a configuration item

John creates a configuration item that contains the settings to evaluate and remediate the registry setting by taking the actions outlined in the following table.
Process Reference

John reads the compliance settings documentation and decides that an operating system configuration item would best meet his business requirements. John starts the Create Configuration Item Wizard and specifies general information about the configuration item. He creates a configuration item of the type Windows and does not check the This configuration item contains application settings box. He names the configuration item Woodgrove Bank Configuration Item 1. On the Supported Platforms page of the Create Configuration Item Wizard, John specifies the operating systems to evaluate the configuration item for compliance. John ensures that no Windows Server operating systems are selected that fulfills the requirement that the configuration item is not evaluated on computers that run Windows Server.

For more information, see How to Create Windows Configuration Items for Compliance Settings in Configuration Manager.

For more information, see the sections Step 1: Start the Create Configuration Item Wizard and Step 2: Provide General Information about the Configuration Item in the topic How to Create Windows Configuration Items for Compliance Settings in Configuration Manager.

For more information, see the section Step 6: Specify Supported Platforms for the Configuration Item in the topic How to Create Windows Configuration Items for Compliance Settings in Configuration Manager.

2298

Process

Reference

On the Settings page of the wizard, John clicks New to open the Create Setting dialog box and to create a new setting with the following parameters: Name John enters Woodgrove Bank registry setting. Setting type From the drop-down list, John selects Registry value. Data type Because John wants to detect a value of 1 or 0 for the registry key, he selects Integer from the drop-down list. Hive From the drop-down list, he selects HKEY_LOCAL_MACHINE. Key John enters SOFTWARE\Woodgrove\LOB App\Configuration\Configuration1. Value John enters 1, which is the required value for this registry key.

For more information about how to create settings, see the section Step 4: Configure Settings for the Configuration Item in the topic How to Create Windows Configuration Items for Compliance Settings in Configuration Manager.

In the Compliance Rules tab of the Create Settings dialog box, John clicks New to create a new rule that defines the compliant value for the Woodgrove Bank registry setting. In the Create Rule dialog box, he verifies or supplies the following parameters: Name John enters Rule 1. Selected setting John verifies that the selected setting is Woodgrove Bank registry setting\Woodgrove Bank registry setting. Rule type From the drop-down list, John selects Value. The setting must comply with the following rule John verifies that the setting name is correct and configures the options to specify that the setting value must equal 1. Remediate noncompliant rules when supported John checks this box to ensure that configuration manager will reset the registry key value to the correct value if

For more information about how to create settings, see the section Step 4: Configure Settings for the Configuration Item in the topic How to Create Windows Configuration Items for Compliance Settings in Configuration Manager.

2299

Process

Reference

it is incorrect. John completes the wizard and the new configuration item is displayed in the Configuration Items node of the Assets and Compliance workspace.

Step 2: Create a configuration baseline

John takes the actions outlined in the following table to create a configuration baseline that contains the configuration item he previously created and can be deployed to client computers.
Process Reference

John opens the Create Configuration Baseline dialog box and specifies the name Woodgrove Back Configuration Baseline 1.

For more information about how to create configuration baselines, see How to Create Configuration Baselines for Compliance Settings in Configuration Manager. For more information about how to create configuration baselines, see How to Create Configuration Baselines for Compliance Settings in Configuration Manager.

John adds the configuration item that he previously created, Woodgrove Bank Configuration Item 1 into the configuration baseline. John clicks OK to close the Create Configuration Baseline dialog box and the new configuration baseline is displayed in the Configuration Baselines node of the Assets and Compliance workspace.

Step 3: Deploy the configuration baseline

To deploy the configuration baseline to computers, John takes the actions outlined in the following table.
Process Reference

John creates a device collection that contains all computers that run a desktop operating system in the Woodgrove Bank hierarchy. He names this collection All Desktop and Laptop Computers.

For information about how to create collections, see How to Create Collections in Configuration Manager

2300

Process

Reference

John opens the Deploy Configuration Baselines dialog box, verifies that Woodgrove Back Configuration Baseline 1 is displayed in the Selected configuration baselines list, and then specifies the following additional information: Remediate noncompliant rules when supported John checks this box to enable Configuration Manager to remediate the incorrect registry key value when it is discovered. Select the collection for this configuration baseline deployment John clicks Browse and then selects the All Desktop and Laptop Computers device collection.

For more information about how to deploy configuration baselines, see How to Deploy Configuration Baselines in Configuration Manager.

John does not change the default schedule that clients evaluate the configuration item every 7 days. John completes the wizard and the deployment is displayed in the Deployments node of the Monitoring workspace.

Step 4: Monitor the configuration baseline deployment

After John deploys the configuration baseline, he takes the actions outlined in the following table to monitor the deployment and ensure that computers are now reporting compliance for the registry key.
Process Reference

In the Deployments node of the Monitoring workspace, John selects the Woodgrove Back Configuration Baseline 1 configuration baseline. In the Completion Statistics section, he views general information about the devices that are compliant, noncompliant, in error, or have not reported compliance information yet (unknown).

For more information about how to monitor compliance settings, see the section How to View Compliance Results in the Configuration Manager Console in the topic How to Monitor for Compliance Settings in Configuration Manager.

2301

Process

Reference

In the Home tab, in the Deployment group, he clicks View Status to view detailed information about the devices that report each status. After some time, John sees that no computers report noncompliance for the registry key value and he is able to report to his manager that the problem has been solved. No additional information.

See Also
Technical Reference for Compliance Settings in Configuration Manager

Example Scenario for User Data and Profiles Management in Configuration Manager
Note The information in this topic applies only to System Center 2012 Configuration Manager SP1. Note This topic appears in the Assets and Compliance in System Center 2012 Configuration Manager guide and in the Scenarios and Solutions Using System Center 2012 Configuration Manager guide. This topic provides an example scenario of how user data and profiles configuration items in System Center 2012 Configuration Manager can be used to solve a number of typical business requirements. Important User data and profiles configuration items can only be deployed to users of Windows 8 computers. John is the Configuration Manager administrator at Woodgrove Bank. To improve the efficiency of their IT infrastructure, he wants to make the following changes to the banks network: To ensure that important documents that are stored on users computers get archived, the Documents folder on each users primary computer must be stored on a share on one of the companys servers named \\Woodgrove\UserData. John learns that the folder redirection settings in a user data and profiles configuration item can be used to accomplish this. For information about how to define a computer as a users primary device, see the How to Manage User Device Affinity in Configuration Manager topic.
2302

Johns manager has asked that an important spreadsh eet be made available on his computer even when he is not on the network. When he reconnects to the network, the file must be synchronized with the copy on the company server. John learns that the offline files settings in a user data and profiles configuration item can be used to accomplish this. It is typical for users at Woodgrove Bank to move around the office and use different computers. Users would like their own settings and desktop layouts to be available to them no matter which computer they log on to. John learns that user data and profiles configuration items can be used to control roaming profiles settings on client computers.

The following sections in this topic provide example steps that can help you to create, deploy, and manage System Center 2012 Configuration Manager user data and profiles configuration items in your organization: Preparation Step 1: Start the create user data and profiles configuration item wizard and specify general information about the configuration item Step 2: Specify folder redirection information for the user data and profiles configuration item Step 3: Specify offline files information for the user data and profiles configuration item Step 4: Specify roaming profiles information for the user data and profiles configuration item Step 5: Complete the wizard to create the configuration item Step 6: Deploy the user data and profiles configuration item Step 7: Monitor the compliance of the user data and profiles configuration item

Preparation
Before John can begin to create and deploy a user data and profiles configuration item, he takes the actions outlined in the following table.
Process Reference

John reviews the available information about the basic concepts for compliance settings in Configuration Manager. John reviews and implements the required prerequisites for compliance settings.

For overview information about compliance settings, see Introduction to Compliance Settings in Configuration Manager. For information about the prerequisites for compliance settings, see Prerequisites for Compliance Settings in Configuration Manager. For more information about how to enable user data and profiles configuration items, see How to Create User Data and Profiles Configuration Items in Configuration Manager.

John enables the client setting for user data and profiles configuration items.

2303

Step 1: Start the create user data and profiles configuration item wizard and specify general information about the configuration item
John takes the actions outlined in the following table to open the Create User Data and Profiles Configuration Item Wizard and to supply general information about the configuration item.
Process Reference

John starts the Create User Data and Profiles Configuration item Wizard and specifies general information about the configuration item. He names the configuration item Woodgrove Bank user data and profiles configuration and supplies a description. Under Select user data and profiles to configure, he checks the following boxes: Folder redirection Offline files Roaming user profiles

For more information about how to start the wizard and specify general information, see How to Create User Data and Profiles Configuration Items in Configuration Manager.

Step 2: Specify folder redirection information for the user data and profiles configuration item
John takes the actions outlined in the following table to configure folder redirection settings for the configuration item. Note Configuring a users home folder in Active Directory as a local profile is not supported by user data and profiles configuration items in Configuration Manager.
Process Reference

On the Folder Redirection page of the Create User Data and Profiles Configuration Item Wizard, John selects the option Only on primary devices from the Folder redirection applicability drop-down list. This ensures that only the users primary device will redirect the contents of the Documents folder to the network share.

For more information about the folder redirection page of the wizard, see How to Create User Data and Profiles Configuration Items in Configuration Manager.

2304

Process

Reference

In the Folders to redirect list, John selects Documents and then, from the drop-down list, he selects Redirect to remote.

For more information about the folder redirection page of the wizard, see How to Create User Data and Profiles Configuration Items in Configuration Manager. For more information about the folder redirection page of the wizard, see How to Create User Data and Profiles Configuration Items in Configuration Manager.

Under Configure folder redirection path, John selects Redirect to the specified folder. He then specifies the folder as \\Woodgrove\UserData.

Step 3: Specify offline files information for the user data and profiles configuration item
John takes the actions outlined in the following table to configure offline files settings for the configuration item.
Process Reference

On the Offline Files page of the Create User Data and Profiles Configuration Item Wizard, John selects the option Enable offline files.

For more information about the offline files page of the wizard, see How to Create User Data and Profiles Configuration Items in Configuration Manager. See your Windows 8 documentation for more information about how to use offline files.

John instructs his manager to use the Windows Make Available Offline command on the spreadsheet he wants to use when he is not connected to the network.

Step 4: Specify roaming profiles information for the user data and profiles configuration item
John takes the actions outlined in the following table to configure roaming profiles settings for the configuration item.
Process Reference

On the Roaming Profiles page of the Create User Data and Profiles Configuration Item Wizard, John selects the option Allow roaming profiles on any device.

For more information about the roaming profiles page of the wizard, see How to Create User Data and Profiles Configuration Items in Configuration Manager.
2305

Step 5: Complete the wizard to create the configuration item

John takes the actions outlined in the following table to complete the Create User Data and Profiles Configuration Item Wizard and to create the configuration item.
Process Reference

On the Summary page of the Create User Data and Profiles Configuration Item Wizard, John reviews the actions that will be taken and then completes the Wizard. The new configuration item is displayed in the User Data and Profiles node of the Assets and Compliance workspace.

For more information about the wizard, see How to Create User Data and Profiles Configuration Items in Configuration Manager.

Step 6: Deploy the user data and profiles configuration item

John takes the actions outlined in the following table to deploy the configuration item to Windows 8 computers at Woodgrove Bank.
Process Reference

John deploys the new configuration item to users of Windows 8 computers at Woodgrove Bank.

For more information about how to deploy user data and profiles configuration items, see the How to Create User Data and Profiles Configuration Items in Configuration Manager topic.

Step 7: Monitor the compliance of the user data and profiles configuration item
John takes the actions outlined in the following table to monitor and report on the compliance of the configuration item he deployed.
Process Reference

John monitors the deployment and verifies that

For more information about how to monitor the

2306

Process

Reference

the folder redirection, offline files and roaming profile configurations are working correctly.

deployment, see How to Monitor for Compliance Settings in Configuration Manager.

See Also
Technical Reference for Compliance Settings in Configuration Manager

Endpoint Protection in Configuration Manager

Endpoint Protection in System Center 2012 Configuration Manager provides security, antimalware, and Windows Firewall management for computers in your enterprise.

Endpoint Protection Topics

Use the following topics to help you use Endpoint Protection in Configuration Manager. Introduction to Endpoint Protection in Configuration Manager Planning for Endpoint Protection in Configuration Manager Configuring Endpoint Protection in Configuration Manager Operations and Maintenance for Endpoint Protection in Configuration Manager Security and Privacy for Endpoint Protection in Configuration Manager Technical Reference for Endpoint Protection in Configuration Manager

Other Resources for this Product

TechNet Library main page for System Center 2012 Configuration Manager Assets and Compliance in System Center 2012 Configuration Manager

Introduction to Endpoint Protection in Configuration Manager

Endpoint Protection in System Center 2012 Configuration Manager allows you to manage antimalware policies and Windows Firewall security for client computers in your Configuration Manager hierarchy. Important
2307

You must be licensed to use Endpoint Protection to manage clients in your Configuration Manager hierarchy. When you use Endpoint Protection with Configuration Manager, you have the following benefits: You can configure antimalware policies and Windows Firewall settings to selected groups of computers, by using custom antimalware policies and client settings. You can use Configuration Manager software updates to download the latest antimalware definition files to keep client computers up-to-date. You can send email notifications, use in-console monitoring, and view reports to keep administrative users informed when malware is detected on client computers.

Endpoint Protection installs its own client in addition to the Configuration Manager client. The Endpoint Protection client has the following capabilities: Malware and Spyware detection and remediation. Rootkit detection and remediation. Critical vulnerability assessment and automatic definition and engine updates. Network vulnerability detection through Network Inspection System. Integration with Microsoft Active Protection Services to report malware to Microsoft. When you join this service, the Endpoint Protection client can download the latest definitions from the Malware Protection Center when unidentified malware is detected on a computer. Note The Endpoint Protection client can be installed on a server that runs Hyper-V and on guest machines with supported operating systems. To prevent excessive CPU usage, Endpoint Protection actions have a built-in randomized delay so that they do not occur simultaneously on all guest machines that are hosted by the server. In addition, Endpoint Protection in Configuration Manager allows you to manage Windows Firewall settings in the Configuration Manager console. For an example scenario that shows how you might configure and manage Endpoint Protection and the Windows Firewall, see Example Scenario for Protecting Computers From Malware by Configuring Endpoint Protection in Configuration Manager.

Managing Malware with Endpoint Protection

Endpoint Protection in Configuration Manager allows you to create antimalware policies that contain settings for Endpoint Protection client configurations. You can then deploy these antimalware policies to client computers and monitor them in the System Center 2012 Endpoint Protection Status node in the Monitoring workspace, or by using Configuration Manager reports. See List of Antimalware Policy Settings for a list of the settings that you can configure. For more information about how to create, deploy, and monitor antimalware policies, see How to Create and Deploy Antimalware Policies for Endpoint Protection in Configuration Manager and How to Monitor Endpoint Protection in Configuration Manager.
2308

For information about how to remediate malware that is found on client computers, see How to Manage Antimalware Policies and Firewall Settings for Endpoint Protection in Configuration Manager.

Managing Windows Firewall with Endpoint Protection

Endpoint Protection in Configuration Manager provides basic management of the Windows Firewall on client computers. For each network profile, you can configure the following settings: Enable or disable the Windows Firewall. Block incoming connections, including those in the list of allowed programs. Notify the user when Windows Firewall blocks a new program. Note Endpoint Protection supports managing the Windows Firewall only. For more information about how to create and deploy Windows Firewall policies for Endpoint Protection, see How to Create and Deploy Windows Firewall Policies for Endpoint Protection in Configuration Manager.

Endpoint Protection Workflow

Use the following diagram to help you understand the workflow to implement Endpoint Protection in your Configuration Manager hierarchy.

2309

Whats New in Configuration Manager

Note The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide.

2310

System Center 2012 Endpoint Protection is now integrated with System Center 2012 Configuration Manager. The following items are new or have changed for Endpoint Protection since Forefront Endpoint Protection 2010: Because Endpoint Protection is now fully integrated with Configuration Manager, you do not have to run a separate setup program to install an Endpoint Protection server. Instead, select the Endpoint Protection point as one of the available Configuration Manager site system roles. You can install the Endpoint Protection client by using Configuration Manager client settings, or you can manage the existing Endpoint Protection clients. You do not use a package and program to install the Endpoint Protection client. The Endpoint Protection Manager role-based administration security role provides an administrative user with the minimum permissions that are required to manage Endpoint Protection in the hierarchy. Endpoint Protection in Configuration Manager provides new reports that integrate with Configuration Manager reporting. For example, you can now identify the users who have computers that most frequently report security threats. You can use Configuration Manager software updates to automatically update definitions and the definition engine by using automatic deployment rules. You can configure multiple malware alert types to notify you when Endpoint Protection detects malware on computers. You can also configure subscriptions to notify you about these alerts by using email. The Endpoint Protection dashboard is integrated with the Configuration Manager console. You do not have to install the dashboard separately. To view the Endpoint Protection dashboard, click the System Center 2012 Endpoint Protection Status node in the Monitoring workspace.

Whats New in Configuration Manager SP1

Note The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide. The following items are new or have changed for Endpoint Protection in Configuration Manager SP1: You can now enable an Endpoint Protection client setting that commits the installation of the Endpoint Protection client on Windows Embedded devices that are write filter enabled. For more information about this client setting, see the Endpoint Protection section in the About Client Settings in Configuration Manager topic. Additionally, definition updates that are deployed by software updates can be configured to write to the overlay on Windows Embedded devices, so that these updates install immediately, without a restart. For more information, see the Support for Windows Embedded Devices That Use Write Filters section in the Introduction to Software Updates in Configuration Manager topic.
2311

You can now configure the Endpoint Protection client to install only during configured maintenance windows. The maintenance window must be at least 30 minutes long to allow installation to take place. Endpoint Protection in Configuration Manager now uses client notification to initiate the following actions as soon as possible, instead of during the normal client policy polling interval: Force antimalware definition updates Run quick scans Run full scans Allow threats Exclude folders and files Restore quarantined files

Improvements to software updates to allow more frequent distribution of Endpoint Protection definition updates. Multiple antimalware policies that are deployed to the same client computer are merged on the client. When two settings are in conflict, the highest priority option is used. Some settings are also merged, such as exclusion lists from separate antimalware policies. Client-side merge also honors the priority that you configured for each antimalware policy. A software update deployment template named Definition Updates is included in the Deploy Software Updates Wizard and Automatic Deployment Rule Wizard. This template includes typical settings to use when you deploy definition software updates for Endpoint Protection.

See Also
Endpoint Protection in Configuration Manager

Planning for Endpoint Protection in Configuration Manager

Use the following topics in this section to help you plan to use Endpoint Protection in System Center 2012 Configuration Manager.

In This Section
Prerequisites for Endpoint Protection in Configuration Manager Best Practices for Endpoint Protection in Configuration Manager Administrator Workflow for Endpoint Protection in Configuration Manager

See Also
Endpoint Protection in Configuration Manager
2312

Prerequisites for Endpoint Protection in Configuration Manager

Endpoint Protection in System Center 2012 Configuration Manager has external dependencies and dependencies in the product. Important In addition to these dependencies, to use Endpoint Protection in System Center 2012 Configuration Manager, you must have a license for System Center 2012 Endpoint Protection.

Dependencies External to Configuration Manager

The following table lists the external dependencies for running Endpoint Protection in Configuration Manager.
Dependency More information

Windows Server Update Services (WSUS) must be installed and configured for software updates synchronization if you want to use Configuration Manager software updates to deliver definition and engine updates. Some definition update methods require that client computers have Internet access.

See Prerequisites for Software Updates in Configuration Manager.

If you use any of the following methods to update definitions on client computers, the client computer must be able to access the Internet. Updates distributed from Microsoft Update Updates distributed from Microsoft Malware Protection Center Important Clients download definition updates by using the built-in System account. You must configure a proxy server for this account to enable these clients to connect to the Internet. You can use Windows Group Policy to configure a proxy server on multiple computers.

An SMTP server if you want to send email alerts

See Step 1 (Optional): Configure Email Settings for Alerts in the How to Configure Alerts for Endpoint Protection in Configuration
2313

Dependency

More information

Manager topic. Hotfix requirement to deploy Windows Firewall policies. If you want to deploy Windows Firewall policies to computers running Windows Server 2008 and Windows Vista Service Pack 1, you must first install Hotfix KB971800 on these computers.

Configuration Manager Dependencies

The following table lists the dependencies within Configuration Manager for running Endpoint Protection.
Dependency More information

Your standalone primary or central administration site must be running System Center 2012 Configuration Manager and have the Endpoint Protection point site system role installed and configured. Important The Endpoint Protection point site system role must be installed before you can use Endpoint Protection. It must be installed on one site system server only, and it must be installed at the top of the hierarchy on a central administration site or a stand-alone primary site. A software update point site system role must be installed and configured to deliver definition updates if you want to use Configuration Manager software updates to deliver definition and engine updates.

For more information about the requirements for the Endpoint Protection point site system role, see the Site System Requirements section of the Supported Configurations for Configuration Manager. For more information about to install this site system role, see How to Configure Endpoint Protection in Configuration Manager.

For more information about the requirements for the software update point site system role, see the Site System Requirements section of the Supported Configurations for Configuration Manager. For more information about how to install this site system role and configure it for Endpoint Protection, see Configuring Software Updates in Configuration Manager and How to Configure Endpoint Protection in Configuration Manager.
2314

Dependency

More information

Client settings that install the Endpoint Protection client and configure Endpoint Protection

For information about the system requirements for the Endpoint Protection client, see the Computer Client Requirements in the Supported Configurations for Configuration Manager topic. For more information about how to configure the client settings for Endpoint Protection, see Step 5: Configure Custom Client Settings for Endpoint Protection in the How to Configure Endpoint Protection in Configuration Manager topic.

The reporting services point site system role must be installed before Endpoint Protection reports can be displayed. Security permissions to manage Endpoint Protection

See Reporting in Configuration Manager.

You must have the following security permissions to manage Endpoint Protection: To create and manage subscriptions to Endpoint Protection alerts: Create, Delete, Modify, Read, Set Security Scope for the Alert Subscription object. To create and modify alerts for Endpoint Protection: Create, Delete, Modify, Modify Report, Read, Run Report for the Alerts object. To create and modify antimalware policies: Create, Delete, Modify, Modify Default, Modify Report, Read, Read Default, Run Report, Set Security Scope for the Antimalware Policy object. To deploy antimalware and Windows Firewall policies to computers: Audit Security, Delete, Deploy Antimalware Policies, Deploy Firewall Policies, Enforce Security, Read, Read Resource for the Collection object. To view and manage Endpoint Protection in the Configuration Manager console: Read permissions for the Site object. To create and modify Windows Firewall policies: Create Policy, Delete Policy, Modify Policy, Read Policy, Read
2315

Dependency

More information

Settings for the Windows Firewall Policy object. The Endpoint Protection Manager security role includes these permissions that are required to manage Endpoint Protection in Configuration Manager. Note To perform the following actions, you must be a member of the Full Administrator security role. Configure the Endpoint Protection point site system role. Configure email notification for Endpoint Protection alerts.

For more information, see Configure RoleBased Administration in the Configuring Security for Configuration Manager topic.

See Also
Planning for Endpoint Protection in Configuration Manager

Best Practices for Endpoint Protection in Configuration Manager

Use the following best practices for Endpoint Protection in System Center 2012 Configuration Manager.

Configure custom client settings for Endpoint Protection

When you configure client settings for Endpoint Protection, do not use the default client settings because they apply settings to all computers in your hierarchy. Instead, configure custom client settings and assign these settings to collections of computers in your hierarchy. When you configure custom client settings, you can do the following: Customize antimalware and security settings for different parts of your organization.

2316

Test the effects of running Endpoint Protection on a small group of computers before you deploy it to the entire hierarchy. Add more clients to the collection over time to phase your deployment of the Endpoint Protection client.

Distributing definition updates by using software updates

If you are using Configuration Manager software updates to distribute definition updates, consider placing definition updates in a package that does not contain other software updates. This keeps the size of the definition update package smaller which allows it to replicate to distribution points more quickly.

See Also
Planning for Endpoint Protection in Configuration Manager

Administrator Workflow for Endpoint Protection in Configuration Manager

Use the following workflow as a reference to help you enable, configure, and manage and monitor Endpoint Protection in System Center 2012 Configuration Manager.
Step More information

Review the prerequisites information for Endpoint Protection.

Prerequisites for Endpoint Protection in Configuration Manager.

Create an Endpoint Protection point site system How to Configure Endpoint Protection in role. Configuration Manager. Configure alerts for Endpoint Protection. How to Configure Alerts for Endpoint Protection in Configuration Manager. How to Configure Definition Updates for Endpoint Protection in Configuration Manager. How to Create and Deploy Antimalware Policies for Endpoint Protection in Configuration Manager How to Configure Endpoint Protection in Configuration Manager.

Configure definition update methods to update client computers. Configure antimalware settings for collections of computers.

Configure client settings for Endpoint Protection.

2317

Step

More information

Create and deploy firewall policies to collections of computers.

How to Create and Deploy Windows Firewall Policies for Endpoint Protection in Configuration Manager. How to Monitor Endpoint Protection in Configuration Manager.

Monitor Endpoint Protection activity.

See Also
Planning for Endpoint Protection in Configuration Manager

Configuring Endpoint Protection in Configuration Manager

Use the following topics in this section to help you configure Endpoint Protection in System Center 2012 Configuration Manager.

In This Section
How to Configure Endpoint Protection in Configuration Manager How to Configure Alerts for Endpoint Protection in Configuration Manager How to Configure Definition Updates for Endpoint Protection in Configuration Manager

See Also
Endpoint Protection in Configuration Manager

How to Configure Endpoint Protection in Configuration Manager

Before you can use Endpoint Protection to manage security and malware on System Center 2012 Configuration Manager client computers, you must perform the configuration steps detailed in this topic.

2318

Steps to Configure Endpoint Protection in Configuration Manager

Use the following table for the steps, details, and more information about how to configure Endpoint Protection.
Steps Details More information

Step 1: Create an Endpoint Protection point site system role.

The Endpoint Protection point site system role must be installed before you can use Endpoint Protection. It must be installed on one site system server only, and it must be installed at the top of the hierarchy on a central administration site or a stand-alone primary site. Alerts inform the administrator when specific events have occurred, such as a malware infection. Alerts are displayed in the Alerts node of the Monitoring workspace, or optionally can be emailed to specified users. Endpoint Protection can be configured to use various sources to download definition updates.

See Step 1: Create an Endpoint Protection Point Site System Role in this topic.

Step 2: Configure alerts for Endpoint Protection.

See How to Configure Alerts for Endpoint Protection in Configuration Manager.

Step 3: Configure definition update sources for Endpoint Protection clients.

See How to Configure Definition Updates for Endpoint Protection in Configuration Manager. See How to Create and Deploy Antimalware Policies for Endpoint Protection in Configuration Manager.

Step 4: Configure the default antimalware policy and create any custom antimalware policies.

The default antimalware policy is applied when the Endpoint Protection client is installed. Any custom policies you have deployed are applied by default, within 60 minutes of deploying the client. Ensure that you have configured antimalware policies before you deploy the Endpoint Protection client. Use custom client settings to configure Endpoint Protection settings for collections of

Step 5: Configure custom client settings for Endpoint Protection.

See Step 5: Configure Custom Client Settings for Endpoint Protection in this
2319

Steps

Details

More information

computers in your hierarchy. Important Do not configure the default Endpoint Protection client settings unless you are sure that you want these settings applied to all computers in your hierarchy.

topic.

Supplemental Procedures to Configure Endpoint Protection in Configuration Manager

Use the following information when the steps in the preceding table require supplemental procedures.

Step 1: Create an Endpoint Protection Point Site System Role

Use one of the following procedures depending on whether you want to install a new site system server for Endpoint Protection or use an existing site system server. Important When you install an Endpoint Protection point, an Endpoint Protection client is installed on the server hosting the Endpoint Protection point. Services and scans are disabled on this client to enable it to co-exist with any existing antimalware solution that is installed on the server. If you later enable this server for management by Endpoint Protection and select the option to remove any third-party antimalware solution, the third-party product will not be removed. You must uninstall this product manually. To install and configure the Endpoint Protection point site system role: New site system server 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, and then click Servers and Site System Roles. 3. On the Home tab, in the Create group, click Create Site System Server. 4. On the General page, specify the general settings for the site system, and then click Next. 5. On the System Role Selection page, select Endpoint Protection point in the list of available roles, and then click Next.
2320

6. On the Endpoint Protection page, select the I accept the Endpoint Protection license terms check box, and then click Next. Important You cannot use Endpoint Protection in Configuration Manager unless you accept the license terms. 7. On the Microsoft Active Protection Service page, select the level of information that you want to send to Microsoft to help develop new definitions, and then click Next. Note This option configures the Microsoft Active Protection Service settings that are used by default. You can then configure custom settings for each antimalware policy you create. Join Microsoft Active Protection Service, to help to keep your computers more secure by supplying Microsoft with malware samples that can help Microsoft to keep antimalware definitions more up-to-date. Additionally, when you join Microsoft Active Protection Service, the Endpoint Protection client can use the dynamic signature service to download new definitions before they are published to Windows Update. For more information, see How to Create and Deploy Antimalware Policies for Endpoint Protection in Configuration Manager. 8. Complete the wizard. To install and configure the Endpoint Protection point site system role: Existing site system server 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, click Servers and Site System Roles, and then select the server that you want to use for Endpoint Protection. 3. On the Home tab, in the Server group, click Add Site System Roles. 4. On the General page, specify the general settings for the site system, and then click Next. 5. On the System Role Selection page, select Endpoint Protection point in the list of available roles, and then click Next. 6. On the Endpoint Protection page, select the I accept the Endpoint Protection license terms check box, and then click Next. Important You cannot use Endpoint Protection in Configuration Manager unless you accept the license terms. 7. On the Microsoft Active Protection Service page, select the level of information that you want to send to Microsoft to help develop new definitions, and then click Next. Note This option configures the Microsoft Active Protection Service settings that are used by default. You can configure custom settings for each antimalware policy you configure. For more information, see How to Create and Deploy Antimalware
2321

Policies for Endpoint Protection in Configuration Manager. 8. Complete the wizard.

Step 5: Configure Custom Client Settings for Endpoint Protection

This procedure configures custom client settings for Endpoint Protection which can be deployed to collections of computers in your hierarchy. Important Do not configure the default Endpoint Protection client settings unless you are sure that you want them applied to all computers in your hierarchy. To enable Endpoint Protection and configure custom client settings 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, click Client Settings. 3. On the Home tab, in the Create group, click Create Custom Client Device Settings. 4. In the Create Custom Client Device Settings dialog box, provide a name and a description for the group of settings, and then select Endpoint Protection. 5. Configure the Endpoint Protection client settings that you require. For a full list of Endpoint Protection client settings that you can configure, see the section Endpoint Protection in the topic About Client Settings in Configuration Manager. Important You must install the Endpoint Protection site system role before you can configure client settings for Endpoint Protection. 6. Click OK to close the Create Custom Client Device Settings dialog box. The new client settings are displayed in the Client Settings node of the Administration workspace. 7. Before the custom client settings can be used, you must deploy them to a collection. Select the custom client settings you want to deploy and then, in the Home tab, in the Client Settings group, click Deploy. 8. In the Select Collection dialog box, choose the collection to which you want to deploy the client settings and then click OK. The new deployment is shown in the Deployments tab of the details pane. Client computers will be configured with these settings when they next download client policy. To initiate policy retrieval for a single client, see the Initiate Policy Retrieval for a Configuration Manager Client section in the How to Manage Clients in Configuration Manager topic.

See Also
Configuring Endpoint Protection in Configuration Manager
2322

How to Configure Alerts for Endpoint Protection in Configuration Manager

You can configure Endpoint Protection alerts in Microsoft System Center 2012 Configuration Manager to notify administrative users when specific security events occur in your hierarchy. Notifications display in the Endpoint Protection dashboard in the Configuration Manager console, in reports, and you can configure them to be emailed to specified recipients. Use the following steps and the supplemental procedures in this topic to configure alerts for Endpoint Protection in Configuration Manager. Important You must have the Enforce Security permission for collections to configure Endpoint Protection alerts.

Steps to Configure Alerts for Endpoint Protection in Configuration Manager

Use the following table for the steps, details, and more information about how to configure alerts for Endpoint Protection.
Steps Details More information

Step 1 (Optional): Configure email settings for alerts.

Before you can configure email subscriptions for alerts, you must configure an SMTP server in your hierarchy. An SMTP server can only be specified at the toplevel site of your Configuration Manager hierarchy. Configure the properties of a device collection and specify settings for alerts. Select the Endpoint Protection alerts in the Monitoring workspace, and create subscriptions by specifying email addresses to send the Endpoint Protection alerts.

For more details, see Configuring Alerts in Configuration Manager.

Step 2: Configure alerts by collection.

For more details, see Step 2: Configure Alerts by Collection in this topic. For more details, see Configuring Alerts in Configuration Manager.

Step 3 (Optional): Configure email subscriptions for specific alerts.

2323

Supplemental Procedures to Configure Endpoint Protection in Configuration Manager

Use the following information when the steps in the preceding table require supplemental procedures. These procedures configure the alerts for Endpoint Protection.

Step 2: Configure Alerts by Collection

1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, click Device Collections. 3. In the Device Collections list, select the collection for which you want to configure alerts, and then on the Home tab, in the Properties group, click Properties. Note You cannot configure alerts for user collections. 4. On the Alerts tab of the <Collection Name> Properties dialog box, select View this collection in the Endpoint Protection dashboard if you want to view details about antimalware operations for this collection in the Monitoring workspace of the Configuration Manager console. Note This option is unavailable for the All Systems collection. 5. On the Alerts tab of the <Collection Name> Properties dialog box, click Add. 6. In the Add New Collection Alerts dialog box, in the Generate an alert when these conditions apply section, select the alerts that you want Configuration Manager to generate when the specified Endpoint Protection events occur, and then click OK. 7. In the Conditions list of the Alerts tab, select each Endpoint Protection alert, and then specify the following information: Alert Name Accept the default name or enter a new name for the alert. Alert Severity In the list, select the alert level to display in the Configuration Manager console.

Depending on the alert that you select, specify the following additional information.
Alert name Additional information required

Malware detection

This alert is generated if malware is detected on any computer in the collection that you monitor. Specify the following information to configure this alert: Malware detection threshold: - specifies
2324

the malware detection levels at which this alert is generated. In the list, select one of the following: High All detections - The alert is generated when there are one or more computers in the specified collection on which any malware is detected, regardless of what action the Endpoint Protection client takes. Medium Detected, pending action - The alert is generated when there is one or more computers in the specified collection on which malware is detected, and you must manually remove the malware. Low Detected, still active - The alert is generated when there are one or more computers in the specified collection on which malware is detected and is still active.

Malware outbreak

This alert is generated if specified malware is detected on a specified percentage of computers in the collection that you monitor. Specify the following information to configure this alert: Percentage of computers with malware detected The alert is generated when the percentage of computers with malware that is detected in the collection exceeds the percentage that you specify. Specify a percentage from 1 through 99. Note The percentage value is based on the number of computers in the collection, but excludes computers that do not have a Configuration Manager client installed. It includes computers that do not yet have the
2325

Endpoint Protection client installed. Repeated malware detection This alert is generated if specific malware is detected more than a specified number of times over a specified number of hours on the computers in the collection that you monitor. Specify the following information to configure this alert: Number of times malware has been detected: - The alert is generated when the same malware is detected on computers in the collection more than the specified number of times. Specify a number from 2 through 32. Interval for detection (hours): Specify the detection interval (in hours) in which the number of malware detections must occur. Specify a number from 1 through 168.

Multiple malware detection

This alert is generated if more than a specified number of malware types are detected over a specified number of hours on computers in the collection that you monitor. Specify the following information to configure this alert: Number of malware types detected: The alert is generated when the specified number of different malware types are detected on computers in the collection. Specify a number from 2 through 32. Interval for detection (hours): Specify the detection interval, in hours, in which the number of malware detections must occur. Specify a number from 1 through 168.

8. Click OK to close the <Collection Name> Properties dialog box.

2326

See Also
Configuring Endpoint Protection in Configuration Manager

How to Configure Definition Updates for Endpoint Protection in Configuration Manager

With Endpoint Protection in Microsoft System Center 2012 Configuration Manager, you can use any of several available methods to keep antimalware definitions up to date on client computers in your hierarchy. The information in this topic can help you to select and configure these methods. To update antimalware definitions, you can use one or more of the following methods: Updates distributed from Configuration Manager This method uses Configuration Manager software updates to deliver definition and engine updates to computers in your hierarchy. Updates distributed from Windows Server Update Services (WSUS) This method uses your WSUS infrastructure to deliver definition and engine updates to computers. Updates distributed from Microsoft Update This method allows computers to connect directly to Microsoft Update in order to download definition and engine updates. This method can be useful for computers that are not often connected to the business network. Updates distributed from Microsoft Malware Protection Center This method will download definition updates from the Microsoft Malware Protection Center. Updates from UNC file shares With this method, you can save the latest definition and engine updates to a share on the network. Clients can then access the network to install the updates.

You can configure multiple definition update sources and control the order in which they are assessed and applied. This is done in the Configure Definition Update Sources dialog box when you create an antimalware policy.

How to Configure Definition Update Sources

Use the following procedure to configure the definition update sources to use for each antimalware policy. To configure definition update sources 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, expand Endpoint Protection, and then click Antimalware Policies. 3. Open the properties page of the Default Antimalware Policy or create a new antimalware policy. For more information about how to create antimalware policies, see
2327

How to Create and Deploy Antimalware Policies for Endpoint Protection in Configuration Manager. 4. In the Definition updates section of the antimalware properties dialog box, click Set Source. 5. In the Configure Definition Update Sources dialog box, select the sources to use for definition updates. You can click Up or Down to modify the order in which these sources are used. 6. Click OK to close the Configure Definition Update Sources dialog box.

Using Configuration Manager Software Updates to Deliver Definition Updates

You can configure Configuration Manager software updates to deliver definition updates to client computers. This is done by configuring automatic deployment rules. Before you begin to create automatic deployment rules, make sure that you have configured Configuration Manager software updates. For more information, see Software Updates in Configuration Manager. Note This procedure is only for the items that must be specifically configured for Endpoint Protection. For more information about the Create Automatic Deployment Rule Wizard, see Operations and Maintenance for Software Updates in Configuration Manager. To configure an automatic deployment rule to deliver definition updates 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Software Updates, and then click Automatic Deployment Rules. 3. On the Home tab, in the Create group, click Create Automatic Deployment Rule. 4. On the General page of the Create Automatic Deployment Rule Wizard, specify the following information: Name: Enter a unique name for the automatic deployment rule. Collection: Select the collection of client computers to which you want to deploy definition updates. Note You cannot deploy definition updates to a collection of users. 5. Click Add to an existing Software Update Group. 6. Make sure that the Enable the deployment after this rule is run check box is selected, and then click Next. 7. On the Deployment Settings page of the wizard, in the Detail level list, select Minimal, and then click Next.

2328

Note From the Detail level list, select Minimal (Configuration Manager with no Service Pack) or Only error messages (Configuration Manager SP1). This will reduce the number of state messages returned by definition deployment. This configuration helps reduce the CPU processing usage on the Configuration Manager servers. 8. In the Property filters list, select the Update Classification check box. 9. In the Search criteria list, click <items to find>. Then, in the Search Criteria dialog box, in the Specify the value to search for list, select Definition Updates. 10. Click OK to close the Search Criteria dialog box. 11. In the Property filters list, select the Product check box. 12. In the Search criteria list, click <items to find>. Then, in the Search Criteria dialog box, in the Specify the value to search for list, select Forefront Endpoint Protection 2010. 13. Click OK to close the Search Criteria dialog box, and then click Next. 14. On the Evaluation Schedule page of the wizard, select Enable rule to run on a schedule, and then configure the schedule by which to download definition updates. At a minimum, set the rule to run two hours after each software update point synchronization. Click Next. Important For performance reasons, in Configuration Manager with no Service Pack, do not schedule automatic deployment rules to deliver definition updates more than once each day. In Configuration Manager SP1, do not schedule automatic deployment rules to deliver definition updates more than three times a day. 15. On the Deployment Schedule page of the wizard, configure the following settings: Time based on: Select UTC if you want all clients in the hierarchy to install the latest definitions at the same time. The actual installation time will vary within a two-hour window. This setting is a recommended best practice. Software available time: Specify the available time for the deployment that is created by this rule. The specified time must be at least one hour after the automatic deployment rule runs. This helps to ensure that the content has sufficient time to replicate to the distribution points in your hierarchy. Some definition updates might also include antimalware engine updates, which might take longer to reach distribution points. Installation deadline: Select As soon as possible. Note Software update deadlines are varied over a two-hour period to prevent all clients from requesting an update at the same time. 16. Click Next. 17. On the User Experience page of the wizard, in the User notifications list, select Hide in Software Center and all notifications. This ensures that the definition updates install
2329

silently. Click Next. 18. On the Alerts page of the wizard, you do not have to configure any alerts. Endpoint Protection in Configuration Manager generates any alerts that might be required. Click Next. 19. On the Download Settings page of the wizard, select the necessary software updates download behavior, and then click Next. 20. On the Deployment Package page of the wizard, select an existing deployment package or create a new deployment package to contain the software update files associated with the rule. Note Consider placing definition updates in a package that does not contain other software updates. This strategy keeps the size of the definition update package smaller, which allows it to replicate to distribution points more quickly. 21. On the Distribution Points page of the wizard, select one or more distribution points to which the content for this package will be copied, and then click Next. 22. On the Download Location page of the wizard, select Download software updates from the Internet, and then click Next. 23. On the Language Selection page of the wizard, select each language version of the updates to be downloaded, and then click Next. 24. Complete the Create Automatic Deployment Rule Wizard. 25. Verify that the new rule is displayed in the Automatic Deployment Rules node of the Configuration Manager console.

Using Windows Server Update Services (WSUS) to Deliver Definitions

If you use WSUS to keep your antimalware definitions up to date, you can configure it to autoapprove definition updates. Although using Configuration Manager software updates is the recommended method to keep definitions up to date, you can also configure WSUS as a method to allow users to manually initiate definition updated. Use the following procedures to configure WSUS as a definition update source.

Configuring Update Synchronization

To configure Configuration Manager software updates to synchronize Endpoint Protection definition updates, use the following procedure. To synchronize Endpoint Protection definition updates in Configuration Manager 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, and then click Sites. 3. Select the site that contains your software update point. In the Settings group, click
2330

Configure Site Components, and then click Software Update Point. 4. On the Classifications tab of the Software Update Point Component Properties dialog box, select the Definition Updates check box. 5. On the Products tab of the Software Update Point Component Properties dialog box, select the Forefront Endpoint Protection 2010 check box. 6. Click OK to close the Software Update Point Component Properties dialog box. Use the following procedure to configure Endpoint Protection updates when your WSUS server is not integrated into your Configuration Manager environment. To synchronize Endpoint Protection definition updates in standalone WSUS 1. In the WSUS administration console, expand Computers, click Options, and then click Products and Classifications. 2. On the Products tab of the Products and Classifications dialog box, select the Forefront Endpoint Protection 2010 check box. 3. On the Classifications tab of the Products and Classifications dialog box, select the Definition Updates and Updates check boxes.

Approving Definition Updates

Endpoint Protection definition updates must be approved and downloaded to the WSUS server before they are offered to clients that request the list of available updates. Clients connect to the WSUS server to check for applicable updates and then request the latest approved definition updates. To approve definitions and updates in WSUS 1. In the WSUS administration console, click Updates, and then click All Updates or the classification of updates that you want to approve. 2. In the list of updates, right-click the update or updates you want to approve for installation, and then click Approve. 3. In the Approve Updates dialog box, select the computer group for which you want to approve the updates, and then click Approved for Install. In addition to manual approval, you can also set an automatic approval rule for definition updates and Endpoint Protection updates. This will configure WSUS to automatically approve Endpoint Protection definition updates downloaded by WSUS. To configure an automatic approval rule 1. In the WSUS administration console, click Options, and then click Automatic Approvals. 2. On the Update Rules tab, click New Rule. 3. In the Add Rule dialog box, under Step 1: Select properties, select the When an update is in a specific classification check box.
2331

4. Under Step 2: Edit the properties, click any classification. 5. Clear all check boxes except Definition Updates, and then click OK. 6. In the Add Rule dialog box, under Step 1: Select properties, select the When an update is in a specific product check box. 7. Under Step 2: Edit the properties, click any product. 8. Clear all check boxes except Forefront Endpoint Protection, and then click OK. 9. Under Step 3: Specify a name, enter a name for the rule, and then click OK. 10. In the Automatic Approvals dialog box, select the check box for the newly created rule and then click Run rule. Note To maximize performance on your WSUS server and client computers, decline old definition updates. To accomplish this task, you can configure automatic approval for revisions and automatic declining of expired updates. For more information, see Microsoft Knowledge Base article 938947.

Using Microsoft Update to Download Definitions

When you select to download definition updates from Microsoft Update, clients will check the Microsoft Update site at the interval defined in the Definition updates section of the antimalware policy dialog box. This method can be useful when the client does not have connectivity to the Configuration Manager site or when you want users to be able to initiate definition updates. Important Clients must have access to Microsoft Update on the Internet to be able to use this method to download definition updates.

Using the Microsoft Malware Protection Center to Download Definitions

You can configure clients to download definition updates from the Microsoft Malware Protection Center. This option is used by Endpoint Protection clients to download definition updates if they have not been able to download updates from another source. This update method can be useful if there is a problem with your Configuration Manager infrastructure that prevents the delivery of updates. Important Clients must have access to Microsoft Update on the Internet to be able use this method to download definition updates.

2332

Downloading Definitions from a Share on the Network

You can manually download the latest definition updates from Microsoft and then configure clients to download these definitions from a shared folder on the network. Users can also initiate definition updates when you use this update source. Note Clients must have read access to the shared folder to be able to download definition updates. For more information about how to download the definition and engine updates to store on the file share, see Install the latest Microsoft Forefront Security definition updates. To configure definition downloads from a file share 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, expand Endpoint Protection, and then click Antimalware Policies. 3. Open the properties page of the Default Antimalware Policy or create a new antimalware policy. For more information about how to create antimalware policies, see How to Create and Deploy Antimalware Policies for Endpoint Protection in Configuration Manager. 4. In the Definition updates section of the antimalware properties dialog box, click Set Source. 5. In the Configure Definition Update Sources dialog box, select Updates from UNC file shares. 6. Click OK to close the Configure Definition Update Sources dialog box. 7. Click Set Paths. Then, in the Configure Definition Update UNC Paths dialog box, add one or more UNC paths to the location of the definition updates files on a network share. 8. Click OK to close the Configure Definition Update UNC Paths dialog box.

See Also
Configuring Endpoint Protection in Configuration Manager

Operations and Maintenance for Endpoint Protection in Configuration Manager

Use the information in this section to find out more about operations and maintenance for Endpoint Protection in System Center 2012 Configuration Manager.

2333

In This Section
How to Create and Deploy Antimalware Policies for Endpoint Protection in Configuration Manager How to Create and Deploy Windows Firewall Policies for Endpoint Protection in Configuration Manager How to Manage Antimalware Policies and Firewall Settings for Endpoint Protection in Configuration Manager How to Monitor Endpoint Protection in Configuration Manager

See Also
Endpoint Protection in Configuration Manager

How to Create and Deploy Antimalware Policies for Endpoint Protection in Configuration Manager
You can deploy antimalware policies to collections of Microsoft System Center 2012 Configuration Manager client computers to specify how Endpoint Protection protects them from malware and other threats. These antimalware policies include information about the scan schedule, the types of files and folders to scan, and the actions to take when malware is detected. When you enable Endpoint Protection, a default antimalware policy is applied to client computers. You can also use additional policy templates that are supplied or create your own custom antimalware policies to meet the specific needs of your environment. Note Configuration Manager supplies a selection of predefined templates that are optimized for various scenarios and can be imported into Configuration Manager. These templates are available in the folder <ConfigMgr Install Folder>\AdminConsole\XMLStorage\EPTemplates. Important If you create a new antimalware policy and deploy it to a collection, this antimalware policy overrides the default antimalware policy. Use the procedures in this topic to create or import antimalware policies and assign them to System Center 2012 Configuration Manager client computers in your hierarchy. Note

2334

Before you perform these procedures, ensure that Configuration Manager is configured for Endpoint Protection as described in Configuring Endpoint Protection in Configuration Manager. To modify the default antimalware policy 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, expand Endpoint Protection, and then click Antimalware Policies. 3. Select the antimalware policy Default Client Antimalware Policy and then, on the Home tab, in the Properties group, click Properties. 4. In the Default Antimalware Policy dialog box, configure the settings that you require for this antimalware policy, and then click OK. Note For a list of settings that you can configure, see List of Antimalware Policy Settings in this topic. To create a new antimalware policy 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, expand Endpoint Protection, and then click Antimalware Policies. 3. On the Home tab, in the Create group, click Create Antimalware Policy. 4. In the General section of the Create Antimalware Policy dialog box, enter a name and a description for the policy. 5. In the Create Antimalware Policy dialog box, configure the settings that you require for this antimalware policy, and then click OK. Note For a list of settings that you can configure, see List of Antimalware Policy Settings in this topic. 6. Verify that the new antimalware policy is displayed in the Antimalware Policies list. To import an antimalware policy 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, expand Endpoint Protection, and then click Antimalware Policies. 3. In the Home tab, in the Create group, click Import. 4. In the Open dialog box, browse to the policy file to import, and then click Open. 5. In the Create Antimalware Policy dialog box, review the settings to use, and then click OK. 6. Verify that the new antimalware policy is displayed in the Antimalware Policies list.
2335

To deploy an antimalware policy to client computers 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, expand Endpoint Protection, and then click Antimalware Policies. 3. In the Antimalware Policies list, select the antimalware policy to deploy. Then, on the Home tab, in the Deployment group, click Deploy. Note The Deploy option cannot be used with the default client malware policy. 4. In the Select Collection dialog box, select the device collection to which you want to deploy the antimalware policy, and then click OK.

List of Antimalware Policy Settings

Many of the antimalware settings are self-explanatory. Use the following sections for more information about the settings that might require more information before you configure them.

Scheduled Scans
Setting name Description

Scan type

You can specify one of two scan types to run on client computers: Quick scan This type of scan checks the in-memory processes and folders where malware is typically found. It requires fewer resources than a full scan. Full Scan This type of scan adds a full check of all local files and folders to the items scanned in the quick scan. This scan takes longer than a quick scan and uses more CPU processing and memory resources on client computers.

In most cases, use Quick scan to minimize the use of system resources on client computers. If malware removal requires a full scan, Endpoint Protection generates an alert that is displayed in the Configuration Manager console. The default value is Quick scan. Randomize the scheduled scan start times Select True if you want to help avoid flooding
2336

Setting name

Description

(within 30 minutes)

the network, which can occur if all computers send their antimalware scans results to the Configuration Manager database at the same time. This setting is also useful when you run multiple virtual machines on a single host. Select this option to reduce the amount of simultaneous disk access for antimalware scanning.

Scan Settings
Setting name Description

Scan network drives when running a full scan

Set to True if you want to scan any mapped network drives on client computers. Important If you enable this setting, it might significantly increase the scan time on client computers.

Default Actions
Select the action to take when malware is detected on client computers. The following actions can be applied, depending on the alert threat level of the detected malware. Recommended Use the action recommended in the malware definition file. Quarantine Quarantine the malware but do not remove it. Remove Remove the malware from the computer. Allow Do not remove or quarantine the malware.

Real-time Protection
Setting name Description

Enable real-time protection

Set to True if you want to configure real-time protection settings for client computers. We recommend that you enable this setting. Set to True if you want Endpoint Protection to monitor when files and programs start to run on
2337

Monitor file and program activity on your computer

Setting name

Description

client computers and to alert you about any actions that they perform or actions taken on them. Scan system files This setting lets you configure whether incoming, outgoing, or incoming and outgoing system files are monitored for malware. For performance reasons, you might have to change the default value of Scan incoming and outgoing files if a server has high incoming or outgoing file activity. Enable this setting to use computer activity and file data to detect unknown threats. When this setting is enabled, it might increase the time required to scan computers for malware. Enable this setting to protect computers against known network exploits by inspecting network traffic and blocking any suspicious activity. Set this setting to True if you want to scan any scripts that run on computers for suspicious activity.

Enable behavior monitoring

Enable protection against network-based exploits

Enable script scanning

Exclusion Settings
Setting name Description

Excluded files and folders

Click Set to open the Configure File and Folder Exclusions dialog box and specify the names of the files and folders to exclude from Endpoint Protection scans. If you want to exclude files and folders that are located on a mapped network drive, specify the name of each folder in the network drive individually. For example, if a network drive is mapped as F:\MyFolder and it contains subfolders named Folder1, Folder2 and Folder 3, specify the following exclusions: F:\MyFolder\Folder1 F:\MyFolder\Folder2
2338

Setting name

Description

F:\MyFolder\Folder3

Threat Overrides
Setting name Description

Threat name and override action

Click Set to customize the remediation action to take for each threat ID when it is detected during a scan. Note The list of threat names might not be available immediately after the configuration of Endpoint Protection. Wait until the Endpoint Protection point has synchronized the threat information, and then try again.

Definition Updates
Setting name Description

Set sources and order for Endpoint Protection client updates

Click Set Source to specify the sources for definition and scanning engine updates, and to also specify the order in which they are used. If Configuration Manager is specified as one of the sources, then the other sources are used only if software updates fails to download the client updates. If you use any of the following methods to update the definitions on client computers, then the client computers must be able to access the Internet. Updates distributed from Microsoft Update Updates distributed from Microsoft Malware Protection Center Important Clients download definition updates by using the built-in system account. You
2339

Setting name

Description

must configure a proxy server for this account to enable these clients to connect to the Internet. Important If you have configured a software updates automatic deployment rule to deliver definition updates to client computers, these updates will be delivered regardless of the definition updates settings.

See Also
Operations and Maintenance for Endpoint Protection in Configuration Manager

How to Create and Deploy Windows Firewall Policies for Endpoint Protection in Configuration Manager
Firewall policies for Endpoint Protection in System Center 2012 Configuration Manager let you perform basic Windows Firewall configuration and maintenance tasks on client computers in your hierarchy. You can use Windows Firewall policies to perform the following tasks: Control whether Windows Firewall is turned on or off. Control whether incoming connections are allowed to client computers. Control whether users are notified when Windows Firewall blocks a new program.

Use the following procedures in this topic to help create and assign Windows Firewall policies to Configuration Manager client computers in your hierarchy: To create a Windows Firewall policy To deploy a Windows Firewall policy To create a Windows Firewall policy 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, expand Endpoint Protection, and then click Windows Firewall Policies. 3. On the Home tab, in the Create group, click Create Windows Firewall Policy. 4. On the General page of the Create Windows Firewall Policy Wizard, specify a name
2340

and an optional description for this firewall policy, and then click Next. 5. On the Profile Settings page of the wizard, configure the following settings for each network profile: Important If you want to deploy Windows Firewall policies to computers running Windows Server 2008 and Windows Vista Service Pack 1, you must first install Hotfix KB971800 on these computers. Note For more information about network profiles, see the Windows documentation. Enable Windows Firewall Note If Enable Windows Firewall is not enabled, the other settings on this page of the wizard are unavailable. Block all incoming connections, including those in the list of allowed programs Notify the user when Windows Firewall blocks a new program

6. On the Summary page of the wizard, review the actions to be taken, and then complete the wizard. 7. Verify that the new Windows Firewall policy is displayed in the Windows Firewall Policies list. To deploy a Windows Firewall policy 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, expand Endpoint Protection, and then click Windows Firewall Policies. 3. In the Windows Firewall Policies list, select the Windows Firewall policy that you want to deploy. 4. On the Home tab, in the Deployment group, click Deploy. 5. In the Deploy Windows Firewall Policy dialog box, specify the collection to which you want to assign this Windows Firewall policy, and specify an assignment schedule. The Windows Firewall policy evaluates for compliance by using this schedule and the Windows Firewall settings on clients to reconfigure to match the Windows Firewall policy. 6. Click OK to close the Deploy Windows Firewall Policy dialog box and to assign the Windows Firewall policy. Important When you deploy a Windows Firewall policy to a collection, this policy is applied to computers in a random order over a 2 hour period to avoid flooding the network.

2341

See Also
Operations and Maintenance for Endpoint Protection in Configuration Manager

How to Manage Antimalware Policies and Firewall Settings for Endpoint Protection in Configuration Manager
Use the information in this topic to help you manage Endpoint Protection antimalware policies and Windows Firewall policies in Microsoft System Center 2012 Configuration Manager, to perform on-demand scans, to force computers to download the latest available definitions, and to remediate detected malware. Note For information about how to create Configuration Manager antimalware policies and Windows Firewall policies, see How to Create and Deploy Antimalware Policies for Endpoint Protection in Configuration Manager and How to Create and Deploy Windows Firewall Policies for Endpoint Protection in Configuration Manager.

How to Manage Antimalware Policies

In the Assets and Compliance workspace, expand Endpoint Protection, click Antimalware Policies, select the antimalware policy that you want to manage, and then select a management task. Use the following table for more information about the management tasks that might require some information before you select them.
Task Details

Increase Priority

If multiple antimalware policies are deployed to the same computer, they are applied in order. Use this option to increase the priority by which the selected antimalware policy is applied. Use the Order column to view the order in which the policies are applied. If multiple antimalware policies are deployed to the same computer, they are applied in order. Use this option to decrease the priority by which the selected antimalware policy is applied. Use the Order column to view the order in which the policies are applied.
2342

Decrease Priority

Task

Details

Merge

Merges the two selected antimalware policies. In the Merge Policies dialog box, enter a name for the new, merged policy. The Base policy is the antimalware policy that is merged with this new antimalware policy. Note If two settings conflict, the most secure setting is applied to computers.

Deploy

Opens the Select Collection dialog box. Select the collection to which you want to deploy the antimalware policy, and then click OK.

How to Manage Windows Firewall Policies

In the Assets and Compliance workspace, click Endpoint Protection, click Windows Firewall Policies, select the Windows Firewall policy that you want to manage, and then select a management task. Use the following table for more information about the management tasks that might require some information before you select them.
Task Details

Increase Priority

If multiple Windows Firewall policies are deployed to the same computer, they are applied in order. Use this option to increase the priority by which the selected Windows Firewall policy is applied. Use the Order column to view the order in which the policies are applied. If multiple Windows Firewall policies are deployed to the same computer, they are applied in order. Use this option to decrease the priority by which the selected Windows Firewall policy is applied. Use the Order column to view the order in which the policies are applied. Opens the Deploy Windows Firewall Policy dialog box from where you can deploy the firewall policy to a specified collection.
2343

Decrease Priority

Deploy

How to Perform an On-demand Scan of Computers

You can perform a scan of a single computer, multiple computers, or a collection of computers in the Configuration Manager console. This scan occurs outside any scheduled scans that you configured. Use the following procedure to perform an on-demand scan. Important If any of the computers that you select do not have the Endpoint Protection client installed, the on-demand scan option is unavailable. To perform an on-demand scan of computers 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Devices or Device Collections node, select the computer or collection of computers that you want to scan. 3. On the Home tab, in the Collection group, click Endpoint Protection, and then click Full Scan or Quick Scan. The scan will take place when the computer or collection of computers next downloads client policy. To monitor the results from the scan, use the procedures in How to Monitor Endpoint Protection in Configuration Manager.

How to Force Computers to Download the Latest Definition Files

You can force a single computer, multiple computers, or a collection of computers to download the latest definition files from the Configuration Manager console by using the following procedure. Important If any of the computers that you select do not have the Endpoint Protection client installed, the Download Definition option is unavailable. To force computers to download the latest definition files 1. In the Devices or Device Collections node, select the computer or collection of computers for which you want to download definitions. 2. On the Home tab, in the Collection group, click Endpoint Protection, and then click Download Definition. The definition download will take place when the computer or collection of computers next downloads client policy. Note Use the System Center 2012 Endpoint Protection Status node in the Monitoring workspace to discover clients that have out-of-date definitions.
2344

How to Remediate Detected Malware

When malware is detected on client computers, this will be displayed in the Malware Detected node under Endpoint Protection Status in the Monitoring workspace of the Configuration Manager console. Select an item from the Malware Detected list, and then use one of the following management tasks to remediate or allow the detected malware:
Task Details

Allow this threat

Creates an antimalware policy to allow the selected malware. The policy is deployed to the All Systems collection and can be monitored in the Client Operations node of the Monitoring workspace. Opens the Restore quarantined files dialog box where you can select one of the following options: Run the allow-threat or exclusion operation first to assure that files are not put back into quarantine Restores the files that were quarantined because of the detected malware and also excludes the files from malware scans. If you do not exclude the files from malware scans, they will be quarantined again when the next scan runs. Restore files without a dependency on the allow or exclusion job Restores the quarantined files but does not add them to the exclusion list.

Restore files quarantined by this threat

View infected clients

Displays a list of all clients that were infected by the selected malware. When you select this option from the malware details pane, the Exclude files and paths dialog box opens where you can specify the files and folders that you want to exclude from malware scans.

Exclude selected files or paths from scan

See Also
Operations and Maintenance for Compliance Settings in Configuration Manager
2345

How to Monitor Endpoint Protection in Configuration Manager

You can monitor Endpoint Protection in your Microsoft System Center 2012 Configuration Manager hierarchy by using the System Center 2012 Endpoint Protection Status node in the Monitoring workspace, the Endpoint Protection node in the Assets and Compliance workspace, and by using reports.

How to Monitor Endpoint Protection by Using the System Center 2012 Endpoint Protection Status Node

1. In the Configuration Manager console, click Monitoring. 2. In the Monitoring workspace, click System Center 2012 Endpoint Protection Status. 3. In the Collection list, select the collection for which you want to view status information. Important Collections are available for selection in the following cases: When you select View this collection in the Endpoint Protection dashboard on the Alerts tab of the <collection name> Properties dialog box. When you deploy an Endpoint Protection antimalware policy to the collection. When you enable and deploy Endpoint Protection client settings to the collection.

4. Review the information that is displayed in the Security State and Operational State sections. You can click any status link to create a temporary collection in the Devices node in the Assets and Compliance workspace. The temporary collection contains the computers with the selected status. Important Information that is displayed in the System Center 2012 Endpoint Protection Status node is based on the last data that was summarized from the Configuration Manager database and might not be current. If you want to retrieve the latest data, on the Home tab, click Run Summarization, or click Schedule Summarization to adjust the summarization interval.

2346

How to Monitor Endpoint Protection in the Assets and Compliance Workspace

1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, perform one of the following actions: Click Devices. In the Devices list, select a computer, and then click the Malware Detail tab. Click Device Collections. In the Device Collections list, select the collection that contains the computer you want to monitor and then, on the Home tab, in the Collection group, click Show Members.

3. In the <collection name> list, select a computer, and then click the Malware Detail tab.

How to Monitor Endpoint Protection by Using Reports

Use the following reports to help you view information about Endpoint Protection in your hierarchy. You can also use these reports to help troubleshoot any Endpoint Protection problems. For more information about how to configure reporting in Configuration Manager, see Reporting in Configuration Manager. The Endpoint Protection reports are in the Endpoint Protection folder.
Report name Description

Antimalware Activity Report

Displays an overview of antimalware activity for a specified collection. Displays a list of computers on which a specified threat is detected. Displays a list of users with the most number of detected threats. Displays a list of threats that were found for a specified user account.

Infected Computers

Top Users By Threats

User Threat List

Malware Alert Levels

Use the following table to identify the different Endpoint Protection alert levels that might be displayed in reports, or in the Configuration Manager console.

2347

Alert level

Description

Failed

Endpoint Protection failed to remediate the malware. Check your logs for details of the error. Note For a list of Configuration Manager and Endpoint Protection log files, see the Endpoint Protection section in the Technical Reference for Log Files in Configuration Manager topic.

Removed

Endpoint Protection successfully removed the malware. Endpoint Protection moved the malware to a secure location and prevented it from running until you remove it or allow it to run. The malware was cleaned from the infected file. An administrative user selected to allow the software that contains the malware to run. Endpoint Protection took no action on the malware. This might occur if the computer is restarted after malware is detected and the malware is no longer detected; for instance, if a mapped network drive on which malware is detected is not reconnected when the computer restarts. Endpoint Protection blocked the malware from running. This might occur if a process on the computer is found to contain malware.

Quarantined

Cleaned Allowed

No Action

Blocked

See Also
Operations and Maintenance for Endpoint Protection in Configuration Manager

2348

Security and Privacy for Endpoint Protection in Configuration Manager

This topic contains information about security best practices and privacy information for Endpoint Protection in System Center 2012 Configuration Manager. Because Endpoint Protection uses software updates to deliver definition updates to client computers, make sure that you also read Security and Privacy for Software Updates in Configuration Manager.

Security Best Practices for Endpoint Protection

Use the following security best practices for Endpoint Protection.
Security best practice More information

Use automatic deployment rules to deliver definition updates to client computers.

Use the software updates automatic deployment rules to ensure that clients automatically receive the latest definition updates. Because Endpoint Protection clients use status messages to send information about any malware that they detect, prevent others from reading this information on the network by encrypting the data. To configure encryption for the site, see the Configure Signing and Encryption section in the Configuring Security for Configuration Manager topic. For management points to support HTTPS client connections, you must deploy PKI certificates. For more information about the certificate requirements, see PKI Certificate Requirements for Configuration Manager.

Make sure that the site is configured to use encryption, or that all management points are configured for HTTPS client connections.

If you use email notification, configure authenticated access to the SMTP mail server.

Whenever possible, use a mail server that supports authenticated access and use the computer account of the site server for authentication. If you must specify a user account for authentication, use an account that has the least privileges. Although it is always a security best practice to
2349

Ensure that end users do not have local

Security best practice

More information

administrative privileges.

grant end users the least privileges that they need and not to grant them local administrative privileges, this is especially important for Endpoint Protection. When users have local administrative rights on computers that run the Endpoint Protection client, they might be able to do the following: They can delete the reported instances of malware on their computer before this information is sent to Configuration Manager. Information about malware detection is collected and sent to the Configuration Manager site every five minutes. It is possible for a local administrator to delete the information on their computer that malware was detected, and if this happens within the five minutes, Configuration Manager will have no information about the detected malware. They can uninstall the Endpoint Protection client or stop dependent services. Although Configuration Manager can detect that the Endpoint Protection is no longer installed and will automatically reinstall it, and client status can restart a stopped service and set it back to automatic, this still leaves a potential window of vulnerability when the computer is unprotected by Endpoint Protection.

Security Issues for Endpoint Protection

Endpoint Protection has the following security issues: Email notification uses SMTP, which is a protocol that lacks security protection. When you use email notification for Endpoint Protection, this can be a convenient method to quickly learn about the malware that is detected on computers so that you can take remedial action as soon as possible. However, before you enable notifications by using email, consider the advantages and disadvantages according to your security risk profile and infrastructure capacity. For example, anybody can send email from your specified sender address and tamper with the message. In addition, an attacker could flood the network and email server with spoofed emails that appear to come from Configuration Manager.

2350

Privacy Information for Endpoint Protection

You see privacy information for Endpoint Protection when you install the Endpoint Protection point, and you can read the Microsoft System Center 2012 Endpoint Protection Privacy Statement online.

See Also
Endpoint Protection in Configuration Manager

Technical Reference for Endpoint Protection in Configuration Manager

Use the following topics in this section for technical reference information for Endpoint Protection in System Center 2012 Configuration Manager.

In This Section
Example Scenario for Protecting Computers From Malware by Configuring Endpoint Protection in Configuration Manager

See Also
Endpoint Protection in Configuration Manager

Example Scenario for Protecting Computers From Malware by Configuring Endpoint Protection in Configuration Manager
This topic provides an example scenario for how you can implement Endpoint Protection in Microsoft System Center 2012 Configuration Manager to protect computers in an organization from malware attacks. John is the Configuration Manager administrator at Woodgrove Bank. The bank currently uses Microsoft Forefront Endpoint Protection 2010 to protect computers against malware attacks. Additionally, the bank uses Windows Group Policy to ensure that the Windows Firewall is enabled on all computers in the company and that users are notified when Windows Firewall blocks a new program. John has been asked to upgrade the Woodgrove Bank antimalware software to System Center 2012 Endpoint Protection so that the bank can benefit from the latest antimalware
2351

features and be able to centrally manage the antimalware solution from the Configuration Manager console. This implementation has the following requirements: Use Configuration Manager to manage the Windows Firewall settings that are currently managed by Group Policy. Use Configuration Manager software updates to download malware definitions to computers. If software updates are not available, for example if the computer is not connected to the corporate network, computers must download definition updates from Microsoft Update. Users computers must perform a quick malware scan every day. Servers, however, must run a full scan every Saturday, outside business hours, at 1 A.M. Send an email alert whenever any one of the following events occurs: Malware is detected on any computer The same malware threat is detected on more than 5 percent of computers The same malware threat is detected more than 5 times in any 24 hour period More than 3 different types of malware are detected in any 24 hour period

Uninstall the existing antimalware solution.

John then performs the following steps to implement Endpoint Protection:

Steps to implement Endpoint Protection

Process Reference

John reviews the available information about the basic concepts for Endpoint Protection in Configuration Manager. John reviews and implements the required prerequisites to use Endpoint Protection.

For overview information about Endpoint Protection, see Introduction to Endpoint Protection in Configuration Manager. For information about the prerequisites for Endpoint Protection, see Prerequisites for Endpoint Protection in Configuration Manager. For more information about how to install the Endpoint Protection site system role, see the Step 1: Create an Endpoint Protection Point Site System Role section in the How to Configure Endpoint Protection in Configuration Manager topic. For more information, see How to Configure Alerts for Endpoint Protection in Configuration Manager. Note The email notification settings are different for Configuration
2352

John installs the Endpoint Protection site system role on one site system server only, at the top of the Woodgrove Bank hierarchy.

John configures Configuration Manager to use an SMTP server to send the email alerts. Note You must configure an SMTP server only if you want to be notified by email when an Endpoint Protection alert is

Process

Reference

generated.

Manager SP1 and Configuration Manager with no service pack. For more information about how to create collections, see How to Create Collections in Configuration Manager

John creates a device collection that contains all computers and servers to install the Endpoint Protection client. He names this collection All Computers Protected by Endpoint Protection. Tip You cannot configure alerts for user collections. He configures the following alerts for the collection: Malware is detected: John configures an alert severity of Critical. The same type of malware is detected on a number of computers : John configures an alert severity of Critical and specifies that the alert will be generated when more than 5 percent of computers have malware detected. The same type of malware is repeatedly detected within the specified interval on a computer: John configures an alert severity of Critical and specifies that the alert will be generated when malware is detected more than 5 times in a 24 hour period. Multiple types of malware are detected on the same computer within the specified interval: John configures an alert severity of Critical and specifies that the alert will be generated when more than 3 types of malware are generated in a 24 hour period. Note The value for Alert Severity indicates the alert level that will be displayed in the Configuration Manager console and in alerts that he receives in an email message.

For more information, see How to Configure Alerts for Endpoint Protection in Configuration Manager.

2353

Process

Reference

He additionally selects the option View this collection in the Endpoint Protection dashboard so that he can monitor the alerts in the Configuration Manager console. John configures Configuration Manager software updates to download and deploy definition updates three times a day by using an automatic deployment rule. Important This frequency is suitable for Configuration Manager SP1. However, for performance reasons, in Configuration Manager with no service pack, do not schedule automatic deployment rules to deliver definition updates more than one time each day. John examines the settings in the default antimalware policy, which contains recommended security settings from Microsoft. For computers to perform a quick scan every day to, he changes the following settings: Run a daily quick scan on client computers: Yes. Daily quick scan schedule time: 9:00 AM. For more information, see How to Create and Deploy Antimalware Policies for Endpoint Protection in Configuration Manager. For more information, see the Using Configuration Manager Software Updates to Deliver Definition Updates section in the How to Configure Definition Updates for Endpoint Protection in Configuration Manager topic.

John notes that Updates distributed from Microsoft Update is selected by default as a definition update source. This fulfills the business requirement that computers download definitions from Microsoft Update when they cannot receive Configuration Manager software updates. John creates a collection that contains only the Woodgrove Bank servers named Woodgrove Bank Servers. John creates a custom antimalware policy named Woodgrove Bank Server Policy. He adds only the settings for Scheduled scans For more information about how to create collections, see How to Create Collections in Configuration Manager For more information, see How to Create and Deploy Antimalware Policies for Endpoint Protection in Configuration Manager.
2354

Process

Reference

and makes the following changes: Scan type: Full Scan day: Saturday Scan time: 1:00 AM Run a daily quick scan on client computers: No. For more information, see the To deploy an antimalware policy to client computers section in the How to Create and Deploy Antimalware Policies for Endpoint Protection in Configuration Manager topic. For more information, see the Step 5: Configure Custom Client Settings for Endpoint Protection section in the How to Configure Endpoint Protection in Configuration Manager topic.

John deploys the Woodgrove Bank Server Policy custom antimalware policy to the Woodgrove Bank Servers collection.

John creates a new set of custom client device settings for Endpoint Protection and names these Woodgrove Bank Endpoint Protection Settings. Warning If you do not want to install and enable Endpoint Protection on all clients in your hierarchy, make sure that the options Manage Endpoint Protection client on client computers and Install Endpoint Protection client on client computers are both configured as No in the default client settings. He configures the following settings for Endpoint Protection: Manage Endpoint Protection client on client computers: Yes This setting and value ensures that any existing Endpoint Protection client that is installed becomes managed by Configuration Manager. Install Endpoint Protection client on client computers: Yes. Automatically remove previously installed antimalware software before Endpoint Protection is installed: Yes. This setting and value fulfills the business

For more information, see the Step 5: Configure Custom Client Settings for Endpoint Protection section in the How to Configure Endpoint Protection in Configuration Manager topic.

2355

Process

Reference

requirement that the existing antimalware software is removed before Endpoint Protection is installed and enabled. John deploys the Woodgrove Bank Endpoint Protection Settings client settings to the All Computers Protected by Endpoint Protection collection. John uses the Create Windows Firewall Policy Wizard to create a policy by configuring the following settings for the domain profile: Enable Windows Firewall: Yes Notify the user when Windows Firewall blocks a new program: Yes For more information, see the How to Create and Deploy Custom Client Settings section in the How to Configure Client Settings in Configuration Manager topic. For more information, see the To create a Windows Firewall policy section in the How to Create and Deploy Windows Firewall Policies for Endpoint Protection in Configuration Manager

John deploys the new firewall policy to the collection All Computers Protected by Endpoint Protection that he created earlier.

For more information, see the To deploy a Windows Firewall policy section in the How to Create and Deploy Windows Firewall Policies for Endpoint Protection in Configuration Manager For more information about the Endpoint Protection management tasks, see How to Manage Antimalware Policies and Firewall Settings for Endpoint Protection in Configuration Manager.

John uses the available management tasks for Endpoint Protection to manage antimalware and Windows Firewall policies, perform ondemand scans of computers when necessary, force computers to download the latest definitions, and to specify any further actions to take when malware is detected. John uses the following methods to monitor the status of Endpoint Protection and the actions that are taken by Endpoint Protection: By using the System Center 2012 Endpoint Protection Status node in the Monitoring workspace. By using the Endpoint Protection node in the Assets and Compliance workspace. By using the built-in Configuration Manager reports.

For more information about the System Center 2012 Endpoint Protection Status node, see the How to Monitor Endpoint Protection by Using the System Center 2012 Endpoint Protection Status Node section in the How to Monitor Endpoint Protection in Configuration Manager topic. For more information about how to monitor Endpoint Protection in the Assets and Compliance workspace, see the How to Monitor Endpoint Protection in the Assets and Compliance Workspace section in the How to Monitor Endpoint Protection in Configuration
2356

Process

Reference

Manager topic. For more information about how to monitor Endpoint Protection by using reports, see the How to Monitor Endpoint Protection by Using Reports section in the How to Monitor Endpoint Protection in Configuration Manager topic. John reports a successful implementation of Endpoint Protection to his manager, and confirms that the computers at Woodgrove Bank are now protected from antimalware, according to the business requirements that he was given.

See Also
Technical Reference for Endpoint Protection in Configuration Manager

Security and Privacy for System Center 2012 Configuration Manager

The Security and Privacy for System Center 2012 Configuration Manager guide provides documentation to help you implement security and privacy for Configuration Manager. Before you read this guide, make sure that you understand the basic concepts of System Center 2012 Configuration Manager. At a minimum, read Fundamentals of Configuration Manager. If you have already installed System Center 2012 Configuration Manager, identify the design decisions for your implementation. You might find the Configuration Manager planning and deployment content helpful. For more information, see the Site Administration for System Center 2012 Configuration Manager guide. See the following for security-related features in the product: Software Updates in Configuration Manager Compliance Settings in Configuration Manager Endpoint Protection in Configuration Manager

This security and privacy guide assumes that you understand basic security principles. Tip In addition to this information, you can also use the Security Configuration Wizard (SCW) for System Center 2012 Configuration Manager. Run this wizard to help you reduce the attack surface for site system servers that run Windows Server 2008 R2. The wizard determines the minimum functionality required for the selected site system roles, and can disable functionality that is not required. The Security Configuration Wizard is included
2357

with the toolkit for System Center 2012 Configuration Manager, which you can download from the Microsoft Download Center: For Configuration Manager SP1: System Center 2012 Configuration Manager Component Add-ons and Extensions For Configuration Manager with no service pack: System Center 2012 Service Pack 1 Configuration Manager Component Add-ons and Extensions

Security and Privacy Topics

Use the following topics to help you implement security and privacy for System Center 2012 Configuration Manager. Planning for Security in Configuration Manager Configuring Security for Configuration Manager Microsoft System Center 2012 Configuration Manager Privacy Statement Microsoft System Center 2012 Configuration Manager Privacy Statement - Mobile Device Addendum Security Best Practices and Privacy Information for Configuration Manager Technical Reference for Cryptographic Controls Used in Configuration Manager Technical Reference for Ports Used in Configuration Manager Technical Reference for Accounts Used in Configuration Manager

Other Resources for this Product

TechNet Library main page for System Center 2012 Configuration Manager Documentation Library for System Center 2012 Configuration Manager Microsoft System Center 2012 Endpoint Protection Privacy Statement

Planning for Security in Configuration Manager

Note This topic appears in the Site Administration for System Center 2012 Configuration Manager guide and in the Security and Privacy for System Center 2012 Configuration Manager guide. Use the following information to help you plan for security in Microsoft System Center 2012 Configuration Manager. Planning for Certificates (Self-Signed and PKI) Planning for PKI Certificate Revocation Planning for the PKI Trusted Root Certificates and the Certificate Issuers List
2358

Planning for PKI Client Certificate Selection Planning a Transition Strategy for PKI Certificates and Internet-Based Client Management

Planning for the Trusted Root Key Planning for Signing and Encryption Planning for Role-Based Administration

In addition to these sections, see Security and Privacy for Site Administration in Configuration Manager. For additional information about how Configuration Manager uses certificates and cryptographic controls, see Technical Reference for Cryptographic Controls Used in Configuration Manager.

Planning for Certificates (Self-Signed and PKI)

Configuration Manager uses a combination of self-signed certificates and public key infrastructure (PKI) certificates. As a security best practice, use PKI certificates whenever possible. For more information about the PKI certificate requirements, see PKI Certificate Requirements for Configuration Manager. When Configuration Manager requests the PKI certificates, such as during enrollment for mobile devices and AMT provisioning, you must use Active Directory Domain Services and an enterprise certification authority. For all other PKI certificates, you must deploy and manage them independently from Configuration Manager. PKI certificates are also required when client computers connect to Internet-based site systems, and they are recommended to be used when clients connect to site systems that run Internet Information Services (IIS). For more information about client communication, see Planning for Client Communication in Configuration Manager. When you use a PKI, you can also use IPsec to help secure the server-to-server communication between site systems in a site and between sites, and for any other scenario when you transfer data between computers. You must configure and implement IPsec independently from Configuration Manager. Configuration Manager can automatically generate self-signed certificates when PKI certificates are not available, and some certificates in Configuration Manager are always self-signed. In most cases, Configuration Manager automatically manages the self-signed certificates, and you do not have to take additional action. One possible exception is the site server signing certificate. The site server signing certificate is always self-signed, and it ensures that the client policies that clients download from the management point were sent from the site server and were not tampered with.

Planning for the Site Server Signing Certificate (Self-Signed)

Clients can securely obtain a copy of the site server signing certificate from Active Directory Domain Services and from client push installation. If clients cannot obtain a copy of the site server signing certificate by using one of these mechanisms, as a security best practice, install a
2359

copy of the site server signing certificate when you install the client. This is especially important if the clients first communication with the site is from the Internet, because the management point is connected to an untrusted network and therefore, vulnerable to attack. If you do not take this additional step, clients automatically download a copy of the site server signing certificate from the management point. Scenarios when clients cannot securely obtain a copy of the site server certificate include the following: You do not install the client by using client push, and any of the following conditions is true: The Active Directory schema is not extended for Configuration Manager. The clients site is not published to Active Directory Domain Services. The client is from an untrusted forest or a workgroup.

You install the client when it is on the Internet.

Use the following procedure to install clients together with a copy of the site server signing certificate. To install clients with a copy of the site server signing certificate 1. Locate the site server signing certificate on the clients primary site server. The certificate is stored in the SMS certificate store and has the Subject name Site Server and the friendly name Site Server Signing Certificate. 2. Export the certificate without the private key, store the file securely, and only access it from a secured channel (for example, by using SMB signing or IPsec). 3. Install the client by using the Client.msi property SMSSIGNCERT= <Full path and file name> with CCMSetup.exe.

Planning for PKI Certificate Revocation

When you use PKI certificates with Configuration Manager, plan for how and whether clients and servers will use a certificate revocation list (CRL) to verify the certificate on the connecting computer. The certificate revocation list (CRL) is a file that is created and signed by a certification authority (CA) and contains a list of certificates that it has issued, but revoked. Certificates can be revoked by a CA administrator, for example, if an issued certificate is known or suspected to be compromised. Important Because the location of the CRL is added to a certificate when it is issued by a CA, ensure that you plan for the CRL before you deploy any PKI certificates that Configuration Manager will use. By default, IIS always checks the CRL for client certificates, and you cannot change this configuration in Configuration Manager. By default, Configuration Manager clients always check the CRL for site systems; however, you can disable this setting by specifying a site property and by specifying a CCMSetup property. When you manage Intel AMT-based computers out of band,

2360

you can also enable CRL checking for the out of band service point and for computers that run the Out of Band Management console. If computers use certificate revocation checking but they cannot locate the CRL, they behave as if all certificates in the certification chain are revoked because their absence from the list cannot be verified. In this scenario, all connections that require certificates and use a CRL fail. Checking the CRL every time that a certificate is used offers more security against using a certificate that has been revoked, but it introduces a connection delay and additional processing on the client. You are more likely to require this additional security check when clients are on the Internet or on an untrusted network. Consult your PKI administrators before you decide whether Configuration Manager clients must check the CRL, and then consider keeping this option enabled in Configuration Manager when both of the following conditions are true: Your PKI infrastructure supports a CRL, and it is published where all Configuration Manager clients can locate it. Remember that this might include clients on the Internet if you are using Internet-based client management, and clients in untrusted forests. The requirement to check the CRL for each connection to a site system configured to use a PKI certificate is larger than the requirement for faster connections and efficient processing on the client, and is also larger than the risk of clients failing to connect to servers if they cannot locate the CRL.

Planning for the PKI Trusted Root Certificates and the Certificate Issuers List
If your IIS site systems use PKI client certificates for client authentication over HTTP or for client authentication and encryption over HTTPS, you might have to import root CA certificates as a site property. The two scenarios are as follows: You deploy operating systems by using Configuration Manager, and the management points only accept HTTPS client connections. You use PKI client certificates that do not chain to a root certification authority (CA) certificate that is trusted by management points. Note When you issue client PKI certificates from the same CA hierarchy that issues the server certificates that you use for management points, you do not have to specify this root CA certificate. However, if you use multiple CA hierarchies and you are not sure whether they trust each other, import the root CA for the clients CA hierarchy. If you must import root CA certificates for Configuration Manager, export them from the issuing CA or from the client computer. If you export the certificate from the issuing CA that is also the root CA, ensure that the private key is not exported. Store the exported certificate file in a secured location to prevent tampering. You must be able to access the file when you configure the site, so that if you access the file over the network, ensure that the communication is protected from tampering by using SMB signing or IPsec.

2361

If any of the root CA certificates that you import are renewed, you must import the renewed certificates. These imported root CA certificates and the root CA certificate of each management point create the certificate issuers list that Configuration Manager computers use in the following ways: When clients connect to management points, the management point verifies that the client certificate chains to a trusted root certificate in the sites certificate issuers list. If it does not, the certificate is rejected, and the PKI connection fails. When clients select a PKI certificate, if they have a certificate issuers list, they select a certificate that chains to a trusted root certificate in the certificate issuers list. If there is no match, the client does not select a PKI certificate. For more information about the client certificate process, see the Planning for PKI Client Certificate Selection section in this topic.

Independently from the site configuration, you might also have to import a root CA certificate when you enroll mobile devices or Mac computers, and when you provision Intel AMT-based computers for wireless networks.

Planning for PKI Client Certificate Selection

If your IIS site systems will use PKI client certificates for client authentication over HTTP or for client authentication and encryption over HTTPS, plan for how clients will select the certificate to use for Configuration Manager. In many cases, the default configuration and behavior will be sufficient. The Configuration Manager client filters multiple certificates by using the following criteria: 1. The certificate issuers list: The certificate chains to a root CA that is trusted by the management point. 2. The certificate is in the default certificate store of Personal. 3. The certificate is valid, not revoked, and not expired. The validity check includes verifying that the private key is accessible and that the certificate is not created by using a version 3 certificate template, which is not compatible with Configuration Manager. 4. The certificate has client authentication capability, or it is issued to the computer name. 5. The certificate has the longest validity period. Clients can be configured to use the certificate issuers list by using the following mechanisms: Is it published as Configuration Manager site information to Active Directory Domain Services. Clients are installed by using client push. Clients download it from the management point after they are successfully assigned to their site. It is specified during client installation, as a CCMSetup client.msi property of CCMCERTISSUERS.

If clients do not have the certificate issuers list when they are first installed and are not yet assigned to the site, they skip this check. When they do have the certificate issuers list and do not have a PKI certificate that chains to a trusted root certificate in the certificate issuers list, certificate selection fails, and clients do not continue with the other certificate selection criteria.
2362

In most cases, the Configuration Manager client correctly identifies a unique and appropriate PKI certificate to use. However, when this is not the case, instead of selecting the certificate based on the client authentication capability, you can configure two alternative selection methods: A partial string match on the client certificate Subject name. This is a case-insensitive match that is appropriate if you are using the fully qualified domain name (FQDN) of a computer in the subject field and want the certificate selection to be based on the domain suffix, for example contoso.com. However, you can use this selection method to identify any string of sequential characters in the certificate Subject name that differentiate the certificate from others in the client certificate store. Note You cannot use the partial string match with the Subject Alternative Name (SAN) as a site setting. Although you can specify a partial string match for the SAN by using CCMSetup, it will be overwritten by the site properties in the following scenarios: Clients retrieve site information that is published to Active Directory Domain Services. Clients are installed by using client push installation. Use a partial string match in the SAN only when you install clients manually, and when they do not retrieve site information from Active Directory Domain Services. For example, these conditions apply to Internet-only clients. A match on the client certificate Subject name attribute values or the Subject Alternative Name (SAN) attribute values. This is a case-sensitive match that is appropriate if you are using an X500 distinguished name or equivalent OIDs (Object Identifiers) in compliance with RFC 3280, and you want the certificate selection to be based on the attribute values. You can specify only the attributes and their values that you require to uniquely identify or validate the certificate and differentiate the certificate from others in the certificate store.

The following table shows the attribute values that Configuration Manager supports for the client certificate selection criteria.
OID Attribute Distinguished name attribute Attribute definition

0.9.2342.19200300.100.1.25 1.2.840.113549.1.9.1 2.5.4.3 2.5.4.4 2.5.4.5 2.5.4.6 2.5.4.7 2.5.4.8 2.5.4.9

DC E or E-mail CN SN SERIALNUMBER C L S or ST STREET

Domain component E-mail address Common name Subject name Serial number Country code Locality State or province name Street address
2363

OID Attribute

Distinguished name attribute

Attribute definition

2.5.4.10 2.5.4.11 2.5.4.12 2.5.4.42 2.5.4.43 2.5.29.17

O OU T or Title G or GN or GivenName I or Initials (no value)

Organization name Organizational unit Title Given name Initials Subject Alternative Name

If more than one appropriate certificate is located after the selection criteria is applied, you can override the default configuration to select the certificate with the longest validity period and instead, specify that no certificate is selected. In this scenario, the client will not be able to communicate with IIS site systems by using a PKI certificate. The client sends an error message to its assigned fallback status point to alert you to the certificate selection failure so that you can modify or refine your certificate selection criteria. The client behavior then depends on whether the failed connection was over HTTPS or HTTP: If the failed connection was over HTTPS: The client tries to make a connection over HTTP and uses the client self-signed certificate. If the failed connection was over HTTP: The client tries to make another connection over HTTP by using the self-signed client certificate.

To help identify a unique PKI client certificate, you can also specify a custom store, other than the default of Personal in the Computer store. However, you must create this store independently from Configuration Manager and must be able to deploy certificates to this custom store and renew them before the validity period expires.

Planning a Transition Strategy for PKI Certificates and InternetBased Client Management
The flexible configuration options in Configuration Manager let you gradually transition clients and the site to use PKI certificates to help secure client endpoints. PKI certificates provide better security and enable clients to be managed when they are on the Internet. Because of the number of configuration options and choices in Configuration Manager, there is no single way to transition a site so that all clients use HTTPS connections. However, you can follow these steps as guidance: 1. Install the Configuration Manager site and configure it so that site systems accept client connections over HTTPS and HTTP. 2. Configure the Client Computer Communication tab in the site properties so that the Site System Settings is HTTP or HTTPS, and select the Use PKI client certificate (client authentication capability) when available check box. Configure any other settings from this tab that you require. For more information, see the Configure Settings for Client PKI Certificates section in the Configuring Security for Configuration Manager topic.
2364

3. Pilot a PKI rollout for client certificates. For an example deployment, see the Deploying the Client Certificate for Computers section in the Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority topic. 4. Install clients by using the client push installation method. For more information, see the How to Install Configuration Manager Clients by Using Client Push section in the How to Install Clients on Windows-Based Computers in Configuration Manager topic. 5. Monitor client deployment and status by using the reports and information in the Configuration Manager console. For more information, see How to Monitor Database Replication and SQL Server Status for Database Replication. 6. Track how many clients are using a client PKI certificate by viewing the Client Certificate column in the Assets and Compliance workspace, Devices node. You can also deploy the Configuration Manager HTTPS Readiness Assessment Tool (cmHttpsReadiness.exe) to computers and use the reports to view how many computers can use a client PKI certificate with Configuration Manager. Note When the Configuration Manager client installs on client computers, the cmHttpsReadiness.exe tool is installed in the %windir%\CCM folder. When you run this tool on clients, you can specify the following options: /Store:<name> /Issuers:<list> /Criteria:<criteria> /SelectFirstCert These options map to the CCMCERTSTORE, CCMCERTISSUERS, CCMCERTSEL, and CCMFIRSTCERT Client.msi properties, respectively. For more information about these options, see About Client Installation Properties in Configuration Manager. 7. When you are confident that a sufficient number of clients are successfully using their client PKI certificate for authentication over HTTP, do the following: a. Deploy a PKI web server certificate to a member server that will run an additional management point for the site, and configure that certificate in IIS. For more information, see the Deploying the Web Server Certificate for Site Systems that Run IIS section in the Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority topic. b. Install the management point role on this server and configure the Client connections option in the management point properties for HTTPS. 8. Monitor and verify that clients that have a PKI certificate use the new management point by using HTTPS. You can use IIS logging or performance counters to verify this. 9. Reconfigure other site system roles to use HTTPS client connections. If you want to manage clients on the Internet, ensure that site systems have an Internet FQDN and configure individual management points and distribution points to accept client connections from the Internet. Important
2365

Before you configure site system roles to accept connections from the Internet, review the planning information and prerequisites for Internet-based client management. For more information, see the Planning for Internet-Based Client Management section in the Planning for Communications in Configuration Manager topic. 10. Extend the PKI certificate rollout for clients and for site systems that run IIS, and configure the site system roles for HTTPS client connections and Internet connections, as required. 11. For the highest security: When you are confident that all clients are using a client PKI certificate for authentication and encryption, change the site properties to use HTTPS only. When you follow this plan to gradually introduce PKI certificates, first for authentication only over HTTP, and then for authentication and encryption over HTTPS, you reduce the risk that clients will become unmanaged. In addition, you will benefit from the highest security that Configuration Manager supports.

Planning for the Trusted Root Key

The Configuration Manager trusted root key provides a mechanism for Configuration Manager clients to verify that site systems belong to their hierarchy. Every site server generates a site exchange key to communicate with other sites. The site exchange key from the top-level site in the hierarchy is called the trusted root key. The function of the trusted root key in Configuration Manager resembles a root certificate in a public key infrastructure in that anything signed by the private key of the trusted root key is trusted further down the hierarchy. For example, by signing the management point certificate with the private key of the trusted root key pair, and by making a copy of the public key of the trusted root key pair available to the clients, clients can differentiate between management points that are in their hierarchy and management points that are not in their hierarchy. Clients use WMI to store a copy of the trusted root key in the namespace root\ccm\locationservices. Clients can automatically retrieve the public copy of the trusted root key by using two mechanisms: The Active Directory schema is extended for Configuration Manager, the site is published to Active Directory Domain Services, and clients can retrieve this site information from a global catalog server. Clients are installed by using client push.

If clients cannot retrieve the trusted root key by using one of these mechanisms, they trust the trusted root key that is provided by the first management point that they communicate with. In this scenario, a client might be misdirected to an attackers management point where it wou ld receive policy from the rogue management point. This would likely be the action of a sophisticated attacker and might occur only in a limited time before the client retrieves the trusted root key from a valid management point. However, to reduce this risk of an attacker misdirecting clients to a rogue management point, you can pre-provision the clients by using the trusted root key. Use the following procedures to pre-provision and verify the trusted root key for a Configuration Manager client:
2366

Pre-provision a client by using the trusted root key by using a file. Pre-provision a client by using the trusted root key without using a file. Verify the trusted root key on a client. Note You do not have to pre-provision client by using the trusted root key if they can obtain this from Active Directory Domain Services or they are installed by using client push. In addition, you do not have to pre-provision clients when they use HTTPS communication to management points because trust is established by using the PKI certificates.

You can remove the trusted root key from a client by using the Client.msi property RESETKEYINFORMATION = TRUE with CCMSetup.exe. To replace the trusted root key, reinstall the client together with the new trusted root key, for example, by using client push, or by specifying the Client.msi SMSPublicRootKey property by using CCMSetup.exe. To pre-provision a client with the trusted root key by using a file 1. In a text editor, open the file <Configuration Manager directory>\bin\mobileclient.tcf. 2. Locate the entry SMSPublicRootKey=, copy the key from that line, and close the file without any changes. 3. Create a new text file and paste the key information that you copied from the mobileclient.tcf file. 4. Save the file and place it somewhere where all computers can access it, but the file is secured to prevent tampering. 5. Install the client by using any installation method that accepts Client.msi properties, and specify the Client.msi property SMSROOTKEYPATH=<Full path and file name>. Important When you specify the trusted root key for additional security during client installation, you must also specify the site code, by using the Client.msi property SMSSITECODE=<site code>. To pre-provision a client with the trusted root key without using a file 1. In a text editor, open the file <Configuration Manager directory>\bin\mobileclient.tcf. 2. Locate the entry SMSPublicRootKey=, note the key from that line or copy it to the Clipboard, and then close the file without any changes. 3. Install the client by using any installation method that accepts Client.msi properties, and specify the Client.msi property SMSPublicRootKey=<key>, where <key> is the string that you copied from mobileclient.tcf. Important When you specify the trusted root key for additional security during client installation, you must also specify the site code, by using the Client.msi property SMSSITECODE=<site code>
2367

To verify the trusted root key on a client 1. On the Start menu, click Run, and then type Wbemtest. 2. In the Windows Management Instrumentation Tester dialog box, click Connect. 3. In the Connect dialog box, in the Namespace box, type root\ccm\locationservices, and then click Connect. 4. In the Windows Management Instrumentation Tester dialog box, in the IWbemServices section, click Enum Classes. 5. In the Superclass Info dialog box, select Recursive, and then click OK. 6. The Query Result window, scroll to the end of the list, and then double-click TrustedRootKey (). 7. In the Object editor for TrustedRootKey dialog box, click Instances. 8. In the new Query Result window that displays the instances of TrustedRootKey, double-click TrustedRootKey=@ 9. In the Object editor for TrustedRootKey=@ dialog box, in the Properties section, scroll down to TrustedRootKey CIM_STRING. The string in the right column is the trusted root key. Verify that it matches the SMSPublicRootKey value in the file <Configuration Manager directory>\bin\mobileclient.tcf.

Planning for Signing and Encryption

When you use PKI certificates for all client communications, you do not have to plan for signing and encryption to help secure client data communication. However, if you configure any site systems that run IIS to allow HTTP client connections, you must decide how to help secure the client communication for the site. To help protect the data that clients send to management points, you can require it to be signed. In addition, you can require that all signed data from clients that use HTTP is signed by using the SHA-256 algorithm. Although this is a more secure setting, do not enable this option unless all clients support SHA-256. Many operating systems natively support SHA-256, but older operating systems might require an update or hotfix. For example, computers that run Windows Server 2003 SP2 must install a hotfix that is referenced in the KB article 938397. Whereas signing helps protect the data from tampering, encryption helps protect the data from information disclosure. You can enable 3DES encryption for the inventory data and state messages that clients send to management points in the site. You do not have to install any updates on clients to support this option, but consider the additional CPU usage that will be required on clients and the management point to perform the encryption and decryption.

Planning for Role-Based Administration

Role-based administration lets you design and implement administrative security for the System Center 2012 Configuration Manager hierarchy by using any or all of the following: Security roles
2368

Collections Security scopes

These settings combine to define an administrative scope for an administrative user. The administrative scope controls the objects that an administrative user can view in the Configuration Manager console and the permissions that user has on those objects. Role-based administration configurations replicate to each site in the hierarchy as global data, and then are applied to all administrative connections. Important Intersite replication delays can prevent a site from receiving changes for role-based administration. For information about how to monitor intersite database replication, see the How to Monitor Database Replication and SQL Server Status for Database Replication section in the Monitor Configuration Manager Sites and Hierarchy topic.

Planning for Security Roles

Use security roles to grant security permissions to administrative users. Security roles are groups of security permissions that you assign to administrative users so that they can perform their administrative tasks. These security permissions define the administrative actions that an administrative user can perform and the permissions that are granted for particular object types. As a security best practice, assign the security roles that provide the least permissions. System Center 2012 Configuration Manager has several built-in security roles to support typical groupings of administrative tasks, and you can create your own custom security roles to support your specific business requirements. Examples of the built-in security roles: Full Administrator: This security role grants all permissions in Configuration Manager. Asset Analyst: This security role allows administrative users to view data collected by using Asset Intelligence, software inventory, hardware inventory, and software metering. Administrative users can create metering rules and Asset Intelligence categories, families, and labels. Software Update Manager: This security role grants permissions to define and deploy software updates. Administrative users who are associated with this role can create collections, software update groups, deployments, templates, and enable software updates for Network Access Protection (NAP). Tip You can view the list of built-in security roles and custom security roles you create, including their descriptions, in the Configuration Manager console. To do so, in the Administration workspace, expand Security, and select Security Roles. Each security role has specific permissions for different object types. For example, the Application Administrator security role has the following permissions for applications: Approve, Create, Delete, Modify, Modify Folders, Move Objects, Read/Deploy, Set Security Scope. You cannot change the permissions for the built-in security roles, but you can copy the role, make changes, and then save these changes as a new custom security role. You can also import
2369

security roles that you have exported from another hierarchy (for example, from a test network). Review the security roles and their permissions to determine whether you will use the built-in security roles or you have to create your own custom security roles. Use the following steps to help you plan for security roles: 1. Identify the tasks that the administrative users perform in System Center 2012 Configuration Manager. These tasks might relate to one or more groups of management tasks, such as deploying applications and packages, deploying operating systems and settings for compliance, configuring sites and security, auditing, remotely controlling computers, and collecting inventory data. 2. Map these administrative tasks to one or more of the built-in security roles. 3. If some of the administrative users perform the tasks of multiple security roles, assign the multiple security roles to these administrative users instead of in creating a new security role that combines the tasks. 4. If the tasks that you identified do not map to the built-in security roles, create and test new security roles.

Planning for Collections

Collections specify the user and computer resources that an administrative user can view or manage. For example, for administrative users to deploy applications or to run remote control, they must be assigned to a security role that grants access to a collection that contains these resources. You can select collections of users or devices. For more information about collections, see Introduction to Collections in Configuration Manager. Before you configure role-based administration, check whether you have to create new collections for any of the following reasons: Functional organization. For example, separate collections of servers and workstations. Geographic alignment. For example, separate collections for North America and Europe. Security requirements and business processes. For example, separate collections for production and test computers. Organization alignment. For example, separate collections for each business unit.

Planning for Security Scopes

Use security scopes to provide administrative users with access to securable objects. Security scopes are a named set of securable objects that are assigned to administrator users as a group. All securable objects must be assigned to one or more security scopes. Configuration Manager has two built-in security scopes: All: This built-in security scope grants access to all scopes. You cannot assign objects to this security scope. Default: This built-in security scope is used for all objects, by default. When you first install System Center 2012 Configuration Manager, all objects are assigned to this security scope.

2370

If you want to restrict the objects that administrative users can see and manage, you must create and use your own custom security scopes. Security scopes do not support a hierarchical structure and cannot be nested. Security scopes can contain one or more object types, which include the following: Alert subscriptions Antimalware policies Applications Boot images Boundary groups Configuration items Custom client settings Distribution points and distribution point groups Driver packages Global conditions Migration jobs Operating system images Operating system installation packages Packages Queries Sites Software metering rules Software update groups Software updates packages Task sequence packages Windows CE device setting items and packages

There are also some objects that you cannot include in security scopes because they are only secured by security roles. Administrative access to these cannot be limited to a subset of the available objects. For example, you might have an administrative user who creates boundary groups that are used for a specific site. Because the boundary object does not support security scopes, you cannot assign this user a security scope that provides access to only the boundaries that might be associated with that site. Because a boundary object cannot be associated to a security scope, when you assign a security role that includes access to boundary objects to a user, that user can access every boundary in the hierarchy. Objects that are not limited by security scopes include the following: Active Directory forests Administrative users Alerts Boundaries Computer associations
2371

Default client settings Deployment templates Device drivers Exchange Server connector Migration site-to-site mappings Mobile device enrollment profiles Security roles Security scopes Site addresses Site system roles Software titles Software updates Status messages User device affinities

Create security scopes when you have to limit access to separate instances of objects. For example: You have a group of administrative users who must be able to see production applications and not test applications. Create one security scope for production applications and another for the test applications. Different administrative users require different access for some instances of an object type. For example, one group of administrative users requires Read permission to specific software update groups, and another group of administrative users requires Modify and Delete permissions for other software update groups. Create different security scopes for these software update groups.

See Also
Planning for Configuration Manager Sites and Hierarchy

Configuring Security for Configuration Manager

Note This topic appears in the Site Administration for System Center 2012 Configuration Manager guide and in the Security and Privacy for System Center 2012 Configuration Manager guide. Use the information in this topic to help you configure the following security-related options: Configure Settings for Client PKI Certificates Configure Signing and Encryption
2372

Configure Role-Based Administration Manage Accounts that Are Used by Configuration Manager

Configure Settings for Client PKI Certificates

If you want to use public key infrastructure (PKI) certificates for client connections to site systems that use Internet Information Services (IIS), use the following procedure to configure settings for these certificates. To configure client PKI certificate settings 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, click Sites, and then click the primary site to configure. 3. On the Home tab, in the Properties group, click Properties, and then click the Client Computer Communication tab. Note This tab is available on a primary site only. If you do not see the Client Computer Communication tab, check that you are not connected to a central administration site or a secondary site. 4. Click HTTPS only when you want clients that are assigned to the site to always use a client PKI certificate when they connect to site systems that use IIS. Or, click HTTPS or HTTP when you do not require clients to use PKI certificates. 5. If you selected HTTPS or HTTP, click Use client PKI certificate (client authentication capability) when available when you want to use a client PKI certificate for HTTP connections. The client uses this certificate instead of a self-signed certificate to authenticate itself to site systems. This option is automatically selected if you select HTTPS only. Note When clients are detected to be on the Internet, or they are configured for Internet-only client management, they always use a client PKI certificate. 6. Click Modify to configure your chosen client selection method for when more than one valid PKI client certificate is available on a client, and then click OK. Note For more information about the client certificate selection method, see Planning for PKI Client Certificate Selection. 7. Select or clear the check box for clients to check the Certificate Revocation list (CRL). Note For more information about CRL checking for clients, see Planning for PKI Certificate Revocation. 8. If you must specify trusted root certification authority (CA) certificates for clients, click
2373

Set, import the root CA certificate files, and then click OK. Note For more information about this setting, see Planning for the PKI Trusted Root Certificates. 9. Click OK to close the properties dialog box for the site. Repeat this procedure for all primary sites in the hierarchy.

Configure Signing and Encryption

Configure the most secure signing and encryption settings for site systems that all clients in the site can support. These settings are especially important when you let clients communicate with site systems by using self-signed certificates over HTTP. To configure signing and encryption for a site 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, click Sites, and then click the primary site to configure. 3. On the Home tab, in the Properties group, click Properties, and then click the Signing and Encryption tab. Note This tab is available on a primary site only. If you do not see the Signing and Encryption tab, check that you are not connected to a central administration site or a secondary site. 4. Configure the signing and encryption options that you want, and then click OK. Warning Do not select Require SHA-256 without first verifying that all clients that might be assigned to the site can support this hash algorithm, or they have a valid PKI client authentication certificate. You might have to install updates or hotfixes on clients to support SHA-256. For example, computers that run Windows Server 2003 SP2 must install a hotfix that is referenced in the KB article 938397. If you select this option and clients cannot support SHA-256 and use self-signed certificates, Configuration Manager rejects them. In this scenario, the SMS_MP_CONTROL_MANAGER component logs the message ID 5443. 5. Click OK to close the Properties dialog box for the site. Repeat this procedure for all primary sites in the hierarchy.

2374

Configure Role-Based Administration

Use the information in this section to help you configure role-based administration in Configuration Manager. Role-based administration combines security roles, security scopes, and assigned collections to define the administrative scope for each administrative user. An administrative scope includes the objects that an administrative user can view in the Configuration Manager console, and the tasks related to those objects that the administrative user has permission to perform. Role-based administration configurations are applied at each site in a hierarchy. The information in the following procedures can help you create and configure role-based administration and related security settings. Create Custom Security Roles Configure Security Roles Configure Security Scopes for an Object Configure Collections to Manage Security Create a New Administrative User Modify the Administrative Scope of an Administrative User Important Role-based administration uses security roles, security scopes, and collections. These combine to define an administrative scope for each administrative user. Your own administrative scope defines the objects and settings that you can assign when you configure role-based administration for another administrative user.

Create Custom Security Roles

Configuration Manager provides several built-in security roles. If you require additional security roles, you can create a custom security role by creating a copy of an existing security role, and then modifying the copy. You might create a custom security role to grant administrative users the additional security permissions they require that are not included in a currently assigned security role. By using a custom security role, you can grant them only the permissions they require, and avoid assigning a security role that grants more permissions than they require. Use the following procedure to create a new security role by using an existing security role as a template. To create custom security roles 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Security, and then click Security Roles. Use one of the following processes to create the new security role: To create a new custom security role, perform the following actions:
2375

i. ii.

Select an existing security role to use as the source for the new security role. On the Home tab, in the Security Role group, click Copy. This creates a copy of the source security role.

iii. In the Copy Security Role wizard, specify a Name for the new custom security role. iv. In Security operation assignments, expand each Security Operations node to display the available actions. v. To change the setting for a security operation, click the down arrow in the Value column, and then select either Yes or No. Caution When you configure a custom security role, ensure not to grant permissions that are not required by administrative users that are associated with the new security role. For example, the Modify value for the Security Roles security operation grants administrative users permission to edit any accessible security role, even if they are not associated with that security role. vi. After you configure the permissions, click OK to save the new security role. To import a security role that was exported from another System Center 2012 Configuration Manager hierarchy, perform the following actions: i. ii. On the Home tab, in the Create group, click Import Security Role. Specify the .xml file that contains the security role configuration that you want to import, and click Open to complete the procedure and save the security role. Note After you import a security role, you can edit the security role properties to change the object permissions that are associated with the security role.

Configure Security Roles

The groups of security permissions that are defined for a security role are called security operation assignments. Security operation assignments represent a combination of object types and actions that are available for each object type. You can modify which security operations are available for any custom security role, but you cannot modify the built-in security roles that Configuration Manager provides. Use the following procedure to modify the security operations for a security role. To modify security roles 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Security, and then click Security Roles. 3. Select the custom security role that you want to modify.
2376

4. On the Home tab, in the Properties group, click Properties. 5. Click the Permissions tab. 6. In Security operation assignments, expand each Security Operations node to display the available actions. 7. To change the setting for a security operation, click the down arrow in the Value column, and then select either Yes or No. Caution When you configure a custom security role, ensure not to grant permissions that are not required by administrative users that are associated with the new security role. For example, the Modify value for the Security Roles security operation grants administrative users permission to edit any accessible security role, even if they are not associated with that security role. 8. When you have finished configuring security operation assignments, click OK to save the new security role.

Configure Security Scopes for an Object

You manage the association of a security scope for an object from the object and not from the security scope. The only direct configurations that security scopes support are changes to its name and description. To change the name and description of a security scope when you view the security scope properties, you must have the Modify permission for the Security Scopes securable object. When you create a new object in Configuration Manager, the new object is associated with each security scope that is associated with the security roles of the account that is used to create the object when those security roles provide the Create permission, or Set Security Scope permission. Only after the object is created, can you change the security scopes it is associated with. For example, you are assigned a security role that grants you permission to create a new boundary group. When you create a new boundary group, you have no option to which you can assign specific security scopes. Instead, the security scopes available from the security roles you are associated with are automatically assigned to the new boundary group. After you save the new boundary group, you can edit the security scopes associated with the new boundary group. Use the following procedure to configure the security scopes assigned to an object. To configure security scopes for an object 1. In the Configuration Manager console, select an object that supports assignment to a security scope. 2. On the Home tab, in the Classify group, click Set Security Scopes. 3. In the Set Security Scopes dialog box, select or clear the security scopes that this object is associated with. Each object that supports security scopes must be assigned to at least one security scope.
2377

4. Click OK to save the assigned security scopes. Note When you create a new object, you can assign the object to multiple security scopes. To modify the number of security scopes associated with the object, you must change this assignment after the object is created.

Configure Collections to Manage Security

There are no procedures to configure collections for role-based administration. Collections do not have a role-based administration configuration; instead, you assign collections to an administrative user when you configure the administrative user. The collection security operations that are enabled in the users assigned security roles determine the permissions an administrative user has for collections and collection resources (collection members). When an administrative user has permissions to a collection, they also have permissions to collections that are limited to that collection. For example, your organization uses a collection named All Desktops, and there exist a collection named All North America Desktops that is limited to the All Desktops collection. If an administrative user has permissions to All Desktops, they also have those same permissions to the All North America Desktops collection. In addition, an administrative user cannot use the Delete or Modify permission on collection that is directly assigned to them, but can use these permissions on the collections that are limited to that collection. Using the previous example, the administrative user can delete or modify the All North America Desktops collection, but cannot delete or modify the All Desktops collection.

Create a New Administrative User

To grant individuals or members of a security group access to manage Configuration Manager, create an administrative user in Configuration Manager and specify the Windows account of the User or User Group. Each administrative user in Configuration Manager must be assigned at least one security role and one security scope. You can also assign collections to limit the administrative scope of the administrative user. Use the following procedures to create new administrative users. To create a new administrative user 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Security, and then click Administrative Users. 3. On the Home tab, in the Create group, click Add User or Group. 4. Click Browse and then select the user account or group to use for this new administrative user. Note For console-based administration, only domain users or security groups can be
2378

specified as an administrative user. 5. For Associated security roles, click Add to open a list of the available security roles, select the check box for one or more security roles, and then click OK. 6. Select one of the following two options to define the securable object behavior for the new user: All securable objects that are relevant to their associated security roles : This option associates the administrative user with the All security scope and the root level, built-in collections for All Systems, and All Users and User Groups. The security roles assigned to the user define access to objects. New objects that this administrative user creates are assigned to the Default security scope. Only securable objects in specified security scopes or collections: By default, this option associates the administrative user with the Default security scope and the All Systems and All Users and User Groups collections. However, the actual security scopes and collections are limited to those that are associated with the account that you used to create the new administrative user. This option supports the addition or removal of security scopes and collections to customize the administrative scope of the administrative user. Important The preceding options associate each assigned security scope and collection to each security role assigned to the administrative user. A third option, Only securable objects as determined by the security roles of the administrative user, can be used to associate individual security roles to specific security scopes and collections. This third option is available after you create the new administrative user, when you modify the administrative user. 7. Depending on your selection in step 6, take the following action: If you selected All securable objects that are relevant to their associated security roles, click OK to complete this procedure. If you selected Only securable objects in specified security scopes or collections, you can click Add to select additional collections and security scopes, or select one or more objects in the list, and then click Remove to remove them. Click OK to complete this procedure.

Modify the Administrative Scope of an Administrative User

You can modify the administrative scope of an administrative user by adding or removing security roles, security scopes, and collections that are associated with the user. Each administrative user must be associated with at least one security role and one security scope. You might have to assign one or more collections to the administrative scope of the user. Most security roles interact with collections and do not function correctly without an assigned collection. When you modify an administrative user, you can change the behavior for how securable objects are associated with the assigned security roles. The three behaviors that you can select are as follows:
2379

All securable objects that are relevant to their associated security roles : This option associates the administrative user with the All scope and the root level built-in collections for All Systems, and All Users and User Groups. The security roles that are assigned to the user define access to objects. Only securable objects in specified security scopes or collections: This option associates the administrative user to the same security scopes and collections that are associated to the account you use to configure the administrative user. This option supports the addition or removal of security roles and collections to customize the administrative scope of the administrative user. Only securable objects as determined by the security roles of the administrative user : This option lets you create specific associations between individual security roles and specific security scopes and collections for the user. Note This option is available only when you modify the properties of an administrative user.

The current configuration for the securable object behavior changes the process that you use to assign additional security roles. Use the following procedures that are based on the different options for securable objects to help you manage an administrative user. Use the following procedure to view and manage the configuration for securable objects for an administrative user: To view and manage the securable object behavior for an administrative user 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Security, and then click Administrative Users. 3. Select the administrative user that you want to modify. 4. On the Home tab, in the Properties group, click Properties. 5. Click the Security Scopes tab to view the current configuration for securable objects for this administrative user. 6. To modify the securable object behavior, select a new option for securable object behavior. After you change this configuration, reference the appropriate procedure for further guidance to configure security scopes and collections, and security roles for this administrative user. 7. Click OK to complete the procedure. Use the following procedure to modify an administrative user that has the securable object behavior set to All securable objects that are relevant to their associated security roles : Option: All securable objects that are relevant to their associated security roles 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Security, and then click Administrative
2380

Users. 3. Select the administrative user that you want to modify. 4. On the Home tab, in the Properties group, click Properties. 5. Click the Security Scopes tab to confirm that the administrative user is configured for All securable objects that are relevant to their associated security roles. 6. To modify the assigned security roles, click the Security Roles tab. To assign additional security roles to this administrative user, click Add, select the check box for each additional security role that you want to assign, and then click OK. To remove security roles, select one or more security roles from the list, and then click Remove.

7. To modify the securable object behavior, click the Security Scopes tab and select a new option for the securable object behavior. After you change this configuration, reference the appropriate procedure for further guidance to configure security scopes and collections, and security roles for this administrative user. Note When the securable object behavior is set to All securable objects that are relevant to their associated security roles, you cannot add or remove specific security scopes and collections. 8. Click OK to complete this procedure. Use the following procedure to modify an administrative user that has the securable object behavior set to Only securable objects in specified security scopes or collections. Option: Only securable objects in specified security scopes or collections 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Security, and then click Administrative Users. 3. Select the administrative user that you want to modify. 4. On the Home tab, in the Properties group, click Properties. 5. Click the Security Scopes tab to confirm that the user is configured for Only securable objects in specified security scopes or collections. 6. To modify the assigned security roles, click the Security Roles tab. To assign additional security roles to this user, click Add, select the check box for each additional security role that you want to assign, and then click OK. To remove security roles, select one or more security roles from the list, and then click Remove.

7. To modify the security scopes and collections associated with security roles, click the Security Scopes tab. To associate new security scopes or collections with all security roles that are assigned to this administrative user, click Add and select one of the four options. If
2381

you select Security Scope or Collection, select the check box for one or more objects to complete that selection, and then click OK. To remove a security scope or collection, select the object, and then click Remove. 8. Click OK to complete this procedure. Use the following procedure to modify an administrative user that has the securable object behavior set to Only securable objects as determined by the security roles of the administrative user. Option: Only securable objects as determined by the security roles of the administrative user 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Security, and then click Administrative Users. 3. Select the administrative user that you want to modify. 4. On the Home tab, in the Properties group, click Properties. 5. Click the Security Scopes tab to confirm that the administrative user is configured for Only securable objects in specified security scopes or collections. 6. To modify the assigned security roles, click the Security Roles tab. To assign additional security roles to this administrative user, click Add. On the Add Security Role dialog box, select one or more available security roles, click Add, and select an object type to associate with the selected security roles. If you select Security Scope or Collection, select the check box for one or more objects to complete that selection, and then click OK. Note You must configure at least one security scope before the selected security roles can be assigned to the administrative user. When you select multiple security roles, each security scope and collection that you configure is associated with each of the selected security roles. To remove security roles, select one or more security roles from the list, and then click Remove.

7. To modify the security scopes and collections associated with a specific security role, click the Security Scopes tab, select the security role, and then click Edit. To associate new objects with this security role, click Add, and select an object type to associate with the selected security roles. If you select Security Scope or Collection, select the check box for one or more objects to complete that selection, and then click OK. Note You must configure at least a one security scope. To remove a security scope or collection that is associated with this security role, select the object, and then click Remove.
2382

When you have finished modifying the associated objects, click OK.

8. Click OK to complete this procedure. Caution When a security role grants administrative users the collection deployment permission, those administrative users can distribute objects from any security scope for which they have object read permissions, even if that security scope is associated with a different security role.

Manage Accounts that Are Used by Configuration Manager

Configuration Manager supports Windows accounts for many different tasks and uses. Use the following procedure to view which accounts are configured for different tasks, and to manage the password that Configuration Manager uses for each account. To manage accounts that are used by Configuration Manager 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Security, and then click Accounts to view the accounts that are configured for Configuration Manager. 3. To change the password for an account that is configured for Configuration Manager, select the account. 4. On the Home tab, in the Properties group, click Properties. 5. Click Set to open the Windows User Account dialog box and specify the new password for Configuration Manager to use for the account. Note The password that you specify must match the password that is specified for the account in Active Directory Users and Computers. 6. Click OK to complete the procedure.

See Also
Configure Sites and the Hierarchy in Configuration Manager

Microsoft System Center 2012 Configuration Manager Privacy Statement

Microsoft is committed to protecting your privacy, while delivering software that brings you the performance, power, and convenience you desire in your personal computing. This privacy
2383

statement explains many of the data collection and use practices of Microsoft System Center 2012 Configuration Manager (System Center 2012 Configuration Manager). This disclosure focuses on features that communicate with the Internet and is not intended to be an exhaustive list. It does not apply to other online or offline Microsoft sites, products, or services. End users (information workers) should consult their IT administrators for further information about their companys privacy policies. Microsoft is not responsible for the privacy practices of its customers or other companies. System Center 2012 Configuration Manager comprehensively assesses, deploys, and updates your servers, clients, and devicesacross physical, virtual, distributed, and mobile environments. Optimized for Windows and extensible beyond, it is the best choice for gaining enhanced insight into, and control over, your IT systems Built on key Microsoft technologies, such as Microsoft Windows Server Update Services (WSUS), Windows Server Active Directory, and the Windows architecture, System Center 2012 Configuration Manager maximizes infrastructure investments and drives greater efficiency. With System Center 2012 Configuration Manager, organizations can ensure that IT systems comply with desired configuration states to improve availability, security, and performance network-wide.

Collection and Use of Your Information

The information we collect from you will be used by Microsoft and its controlled subsidiaries and affiliates to enable the features you are using and provide the service(s) or carry out the transaction(s) you have requested or authorized. It may also be used to analyze and improve Microsoft products and services. We may send certain mandatory service communications such as welcome letters, billing reminders, information on technical service issues, and security announcements. Some Microsoft services may send periodic member letters that are considered part of the service. We may occasionally request your feedback, invite you to participate in surveys, or send you promotional mailings to inform you of other products or services available from Microsoft and its affiliates. In order to offer you a more consistent and personalized experience in your interactions with Microsoft, information collected through one Microsoft service may be combined with information obtained through other Microsoft services. We may also supplement the information we collect with information obtained from other companies. For example, we may use services from other companies that enable us to derive a general geographic area based on your IP address in order to customize certain services to your geographic area. In order to access some System Center 2012 Configuration Manager online services, you will be asked to enter an email address and password, which we refer to as your Windows account. After you create your Windows account, you can use the same credentials to sign in to many different Microsoft sites and services, as well as those of select Microsoft partners that display the Windows account logo. By signing in to one Microsoft site or service, you may be automatically signed in when you visit other Microsoft sites and services. To learn more about how your

2384

credential information is used when you sign in to participating sites, please read the Microsoft Online Privacy Statement at http://privacy.microsoft.com/. Except as described in this statement, personal information you provide will not be transferred to third parties without your consent. We occasionally hire other companies to provide limited services on our behalf, such as packaging, sending and delivering purchases and other mailings, answering customer questions about products or services, processing event registration, or performing statistical analysis of our services. We will only provide those companies the personal information they need to deliver the service, and they are prohibited from using that information for any other purpose. Microsoft may access or disclose information about you, including the content of your communications, in order to: (a) comply with the law or respond to lawful requests or legal process; (b) protect the rights or property of Microsoft or our customers, including the enforcement of our agreements or policies governing your use of the services; or (c) act on a good faith belief that such access or disclosure is necessary to protect the personal safety of Microsoft employees, customers, or the public. We may also disclose personal information as part of a corporate transaction such as a merger or sale of assets. Information that is collected by or sent to Microsoft by System Center 2012 Configuration Manager may be stored and processed in the United States or any other country in which Microsoft or its affiliates, subsidiaries, or service providers maintain facilities. Microsoft abides by the safe harbor framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of data from the European Union, the European Economic Area, and Switzerland.

Collection and Use of Information about Your Computer

When you use software with Internet-enabled features, information about your computer ("standard computer information") is sent to the Web sites you visit and online services you use. Microsoft uses standard computer information to provide you Internet-enabled services, to help improve our products and services, and for statistical analysis. Standard computer information typically includes information such as your IP address, operating system version, browser version, and regional and language settings. In some cases, standard computer information may also include hardware ID, which indicates the device manufacturer, device name, and version. If a particular feature or service sends information to Microsoft, standard computer information will be sent as well. The privacy details for each System Center 2012 Configuration Manager feature, software or service listed in this privacy statement describe what additional information is collected and how it is used.

2385

Security of your information

Microsoft is committed to helping protect the security of your information. We use a variety of security technologies and procedures to help protect your information from unauthorized access, use, or disclosure. For example, we store the information you provide on computer systems with limited access, which are located in controlled facilities.

Changes to this privacy statement

We will occasionally update this privacy statement to reflect changes in our products, services, and customer feedback. When we post changes, we will revise the "last updated" date at the top of this statement. If there are material changes to this statement or in how Microsoft will use your personal information, we will notify you either by posting a notice of such changes prior to implementing the change or by directly sending you a notification. We encourage you to periodically review this statement to be informed of how Microsoft is protecting your information.

For More Information

Microsoft welcomes your comments regarding this privacy statement. If you have questions about this statement or believe that we have not adhered to it, please contact us at [email protected]. Configuration Manager Privacy Response Microsoft Corporation One Microsoft Way Redmond, Washington 98052 USA

Specific features
The remainder of this document covers features that may transmit information to Microsoft and/or its affiliates. System Center 2012 Configuration Manager may be used to collect, store, and manage additional information and devices within your organization including the ability to erase all data from devices. For more information about device management, see the online topic, Microsoft System Center 2012 Configuration Manager Privacy Statement - Mobile Device Addendum. Use the Configuration Manager documentation library to learn more about the product features.

2386

What This Feature Does:

The Customer Experience Improvement Program (CEIP) collects basic information from the administration console about your hardware configuration and how you use our software and services in order to identify trends and usage patterns. CEIP also collects the type and number of errors you encounter, software and hardware performance, and the speed of services. We will not collect your name, address, or other contact information. No CEIP data is collected from client computers.

Information Collected, Processed, or Transmitted:

For more information about the information collected, processed, or transmitted by CEIP, see the CEIP privacy statement.

Use of Information:
We use this information to improve the quality, reliability, and performance of Microsoft software and services.

Choice/Control:
You are offered the opportunity to participate in CEIP during setup. If you choose to participate and later change your mind, you can turn off CEIP at any time by: 1. Open the Configuration Manager console. 2. Click the Application menu, click Customer Experience Improvement Program, click I dont want to join the program at this time and then click OK. Note Unless specifically set, all administrative console users inherit the CEIP choice made during initial installation. Changes to the CEIP setting from the Configuration Manager console are specific to the user and computer where they are made.

What This Feature Does:

At the conclusion of the site server setup, a Windows Update agent scan is automatically initiated. If you have opted in to Windows Update and/or Microsoft Update the agent will scan for any applicable updates for your site server and install them or notify you based on your preexisting Update Services preferences.

2387

Information Collected, Processed, or Transmitted:

For details about what information is collected and how it is used, see the Update Services Privacy Statement.

Use of Information:
For details about what information is collected and how it is used, see the Update Services Privacy Statement.

Choice/Control:
For details about what information is collected and how it is used, see the Update Services Privacy Statement.

What This Feature Does:

Microsoft Update is a service that provides Windows updates as well as updates for other Microsoft software.

Information Collected, Processed, or Transmitted:

For details about what information is collected and how it is used, see the Update Services Privacy Statement.

Use of Information:
For details about what information is collected and how it is used, see the Update Services Privacy Statement.

Choice/Control:
The Software Updates feature is not configured by default. When administrators install and configure a software update point on a Windows Update Services (WSUS) server, this action automatically configures WSUS on that server and other WSUS servers in the Configuration Manager hierarchy. Administrators can disable the synchronization of software updates with Microsoft Update. To disable the synchronization of software updates with Microsoft Update 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, and then click Sites.
2388

3. In the results pane, click the central administration site or stand-alone primary site. 4. On the Home tab, in the Settings group, expand Configure Site Components, and then click Software Update Point. 5. In the Software Update Point Component Properties dialog box, on the Sync Settings tab, click Do not synchronize from Microsoft Update or the upstream software update point, and then click OK. When you have a software update point that is configured to accept connections from the Internet, Configuration Manager Internet-based clients on the Internet always scan against this software update point, to determine which software updates are required. When these clients are on the Internet, they first try to download the software updates from Microsoft Update, rather than from an Internet-based distribution point. Only if this fails, will they try to download the required software updates from an Internet-based distribution point. In Configuration Manager SP1, the administrator can configure software deployments so that clients on the intranet can download update content from Microsoft Update if they cannot download the content from a distribution point. In Configuration Manager with no service pack, clients that are not configured for Internet-based client management never try to download the software updates from Microsoft Update.

What This Feature Does:

Silverlight is a prerequisite for the Configuration Manager client and the Application Catalog. Silverlight updates automatically and has additional data processing and transmitting practices. Configuration Manager does not control this functionality. For Configuration Manager with no service pack, the Microsoft Silverlight 4.0 Privacy Statement should be read in conjunction with this privacy statement. For Configuration Manager SP1, the Microsoft Silverlight 5.0 Privacy Statement should be read in conjunction with this privacy statement.

Information Collected, Processed, or Transmitted:

For details about what information is collected and how it is used, see the Silverlight Privacy Statement: For Configuration Manager with no service pack, see the Microsoft Silverlight 4.0 Privacy Statement. For Configuration Manager SP1, see the Microsoft Silverlight 5.0 Privacy Statement.

2389

Use of Information:
For details about what information is collected and how it is used, see the Silverlight Privacy Statement: For Configuration Manager with no service pack, see the Microsoft Silverlight 4.0 Privacy Statement. For Configuration Manager SP1, see the Microsoft Silverlight 5.0 Privacy Statement.

Choice/Control:
For details about choice and control for Silverlight, see the Silverlight Privacy Statement: For Configuration Manager with no service pack, see the Microsoft Silverlight 4.0 Privacy Statement. For Configuration Manager SP1, see the Microsoft Silverlight 5.0 Privacy Statement.

What This Feature Does:

Asset Intelligence lets IT administrators define, track, and proactively manage conformity with configuration standards. Metering and reporting on the deployment and use of both physical and virtual applications helps organizations make better business decisions about software licensing and maintain compliance with licensing agreements. After collecting usage data from Configuration Manager clients, administrators can use different features to view the data, including collections, queries, and reporting. This data, combined with data from software inventory, can assist in determining: How many copies of a particular software program have been deployed across the organization, and among those computers, how many users actually run the program. How many licenses of a particular software program are needed for purchase when renewing license agreements with a software vendor. Whether any users are still running a particular software program. If the program is not being used, an organization might consider retiring the program. Which times of the day a software program is most frequently used.

Information Collected, Processed, or Transmitted:

During each synchronization, a catalog of known software will be downloaded from Microsoft. The IT administrator can choose to send Microsoft information about uncategorized software titles discovered within their organization to be researched and added to the catalog. Prior to uploading this information, a dialog box shows exactly what data is going to be uploaded. Uploaded data cannot be recalled. Asset Intelligence does not send information about users and computers or license usage to Microsoft.
2390

Use of Information:
After a software title is uploaded, Microsoft researchers identify, categorize, and then make that knowledge available to all other customers that use this feature and other consumers of the catalog. Any software title uploaded becomes public, in the sense that the knowledge of that given application and its categorization become part of the catalog, and then can be downloaded to other consumers of the catalog. Before you configure Asset Intelligence data collection and decide whether to submit information to Microsoft, consider the privacy requirements of your organization.

Choice/Control:
Asset Intelligence is not enabled in System Center 2012 Configuration Manager by default. If the Configuration Manager administrator wants to send and receive data related to the Asset Intelligence feature then the administrator must create an Asset Intelligence synchronization point role. Without this role, no data related to this feature will be sent to or received from Microsoft. Even after creating the role, the administrator can enable or disable synchronization as well as set schedules to allow synchronization of data from the online catalog into the Configuration Manager database. Synchronization can be configured in the Asset Intelligence synchronization point role properties. Uploading of uncategorized titles never occurs automatically, and the system is not designed for this task to be automated. You must manually select and approve the upload of each software title.

What This Feature Does:

Endpoint Protection provides one familiar experience for desktop management and protection that helps protect and remediate endpoints from viruses and malware.

Information Collected, Processed, or Transmitted:

For details about what information is collected and how it is used, see the Microsoft System Center 2012 Endpoint Protection Privacy Statement .

Use of Information:
For details about what information is collected and how it is used, see the Microsoft System Center 2012 Endpoint Protection Privacy Statement .

Choice/Control:
Endpoint Protection is not enabled in System Center 2012 Configuration Manager by default. If the Configuration Manager administrator wants to enable the Endpoint Protection feature then the
2391

administrator must create an Endpoint Protection point role and deploy the Endpoint Protection agent to computers. To remove the Endpoint Protection point 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, click Servers and Site System Roles. 3. In the results pane, click the server that hosts the Endpoint Protection point. 4. In the Site System Roles details pane, select Endpoint Protection point and then, on the Site Role tab, in the Site Role settings group, click Remove Role, and click Yes to confirm. To remove the Endpoint Protection client 1. Set the Manage Endpoint Protection client on client computers client setting to False (Configuration Manager with no service pack) or No (Configuration Manager SP1). 2. Deploy a package and program to uninstall the Endpoint Protection client.

What This Feature Does:

The Configuration Manager Setup, or separately through the Configuration Manager Setup Downloader utility, can contact Microsoft websites to download required prerequisite redistributables, language packs, and the latest updates to setup. These files are copied to the site server during installation. Required files for remote role, secondary site, and client installations will be copied to the respective systems as part of those setups. They will be automatically installed only if an identical or a newer version of the component is not already installed on the target system. These files are persisted on the target system to support future repair operations.

Information Collected, Processed, or Transmitted:

Only standard computer information as described above is used during this process.

Use of Information:
The data is used to complete the necessary downloads.

Choice/Control:
Setup cannot complete without these downloads but they can be downloaded separately and a path to them provided to Setup.
2392

What This Feature Does:

Site Hierarchy geographical view allows you to view your Configuration Manager physical server topology using maps provided by Microsoft Bing Maps.

Information Collected, Processed, or Transmitted:

To enable this feature, location information you provide is sent from your server to the Bing Maps Web service.

Use of Information:
Microsoft uses the information to operate and improve Microsoft Bing Maps and other Microsoft sites and services. For more information, see the Microsoft Online Privacy Statement.

Choice/Control:
You can choose not to use the Geographical View for the Site Hierarchy. The Hierarchy Diagram view allows you to see the hierarchy and does not use the Bing Maps service.

What This Feature Does:

The cloud-based distribution point provisions a Configuration Manager distribution point designed to run in Windows Azure. Content assigned to a cloud-based distribution point is managed just like any other Configuration Manager distribution point.

Information Collected, Processed, or Transmitted:

The Windows Azure subscription ID, management certificate, and service certificate are stored in the Configuration Manager database when an administrator configures the feature. During configuration, a list of available geographic regions for hosting the cloud-based distribution point will be automatically retrieved from Windows Azure. All communications with cloud-based distribution points use HTTPS. Configuration Manager automatically encrypts and uploads packages assigned to a cloud-based distribution point. No information about the content assigned to the distribution point is collected by Microsoft. The Windows Azure subscription ID and management certificate are sent to Windows Azure to authenticate each communication from the site server.
2393

Client communications with a cloud-based distribution point use a Configuration Manager access token and do not contain Windows Azure subscription information. Clients use the service certificate to authenticate the cloud-based distribution point. For details about what information is collected and how it is used by Windows Azure, see the Windows Azure Trust Center and the Windows Azure Privacy Statement.

Use of Information:
The Windows Azure subscription ID and management certificate are sent to Windows Azure to authenticate each communication from the site server. Client communications with a cloud-based distribution point use a separate authentication method internal to Configuration Manager and do not contain Windows Azure subscription information. For details about what information is collected and how it is used by Windows Azure, see the Windows Azure Trust Center and the Windows Azure Privacy Statement.

Location and Security of Distribution Point Content

As part of the configuration step for each cloud-based distribution point, you must specify the geographic region of the Microsoft data centers in which the distribution point content will be stored. The location you chose will apply only to the cloud-based distribution point that is being configured. It will not change your geographic location selection for other Windows Azure services that you have in your account. You can configure multiple cloud-based distribution points in different geographies. Content uploaded to cloud-based distribution points is encrypted with a key unique to your organizations installation of Configuration Manager. Some content may be particularly sensitive to your organization or be subject to specific regulatory requirements. For details about the location and security of data stored in Windows Azure, see the Windows Azure Trust Center and the Windows Azure Privacy Statement.

Choice/Control:
This role is not installed by default. Configuration Manager administrators have control over what content is transferred to each cloud-based distribution point by using package assignment. Additionally, there is a client setting that must be enabled by the administrator for clients to use cloud-based distribution points. The service can be stopped from the Configuration Manager console and the role can be removed at any time. To uninstall a cloud-based distribution point, administrators can select the distribution point in the Configuration Manager console, and select Delete. When administrators delete a cloud-based distribution point from a hierarchy, Configuration Manager will attempt to remove the content from the cloud service in Windows Azure.

2394

What This Feature Does:

The Configuration Manager administrator can create a link to a specific application available from the Windows Store. When end users click the link to install an application, the online store is automatically launched directly to the specified application. To access the Windows Store, users must sign in with a Microsoft account. Links to applications in the Windows Store are not supported on operating systems that are earlier than Windows 8.

Information Collected, Processed, or Transmitted:

A request with the application ID is sent to the Windows Store. For details about what information is sent and collected and how it is used by the Windows Store, see the Windows Store topic in the Features Supplement of the Windows 8 Privacy Statement.

Use of Information:
For details about what information is sent and collected and how it is used by the Windows Store, see the Windows Store topic in the Windows 8 Features Privacy Statement features supplement.

Choice/Control:
Configuration Manager administrators can choose not to create applications that link to the Windows Store. To identify existing applications that link to the Windows Store 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Application Management, click Applications. 3. Search for the distribution type Windows app package (in the Windows Store).

What This Feature Does:

For supported alert types, Configuration Manager can be configured to send an email message to recipients you designate when an alert is triggered.

Information Collected, Processed, or Transmitted:

The following information is stored in the Configuration Manager database when an administrator enables the feature: SMTP server, the email address of the sender, and, if required, the user name and password to connect to the SMTP server. Additionally, you must provide one or more email addresses of recipients for each email alert. None of this information is sent to Microsoft.
2395

Choice/Control:
The email notification feature is off by default. Administrators can enable the email alert feature from the Configuration Manager console. For more information about how to configure email alerts, see Configuring Alerts in Configuration Manager. To disable email notification in Configuration Manager with no service pack 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, and then click Sites. 3. On the Home tab, in the Settings group, click Configure Site Components and then click Email Notification. 4. In the Email Notification Component Properties dialog box, clear the Enable email notification for Endpoint Protection alerts check box, and click OK. To disable email notification in Configuration Manager SP1 1. In the Configuration Manager console, click Monitoring. 2. In the Monitoring workspace, expand Alerts, and then click Subscriptions. 3. On the Home tab, in the Create group, click Configure Email Notification. 4. In the Email Notification Component Properties dialog box, clear the Enable email notification for alerts check box, and click OK.

What This Feature Does:

Customers who have purchased a subscription to Windows Intune can use Configuration Manager to manage their mobile devices that connected through Windows Intune. The Windows Intune Privacy Statement should be read in conjunction with this privacy statement.

Information Collected, Processed, or Transmitted:

All communications with Windows Intune use HTTPS. To configure the Windows Intune subscription and to download the Certificate Signing Request (CSR) needed for configuration of iOS support, an administrator must sign in to Windows Intune by using their organizational account and password. These credentials are not stored within Configuration Manager. All other communications with Windows Intune are authenticated by using PKI certificates that are automatically generated by Windows Intune. In order to manage devices that are connected to Windows Intune, some information is sent to and received from Windows Intune. This information includes the User Principal Name (UPN) of all users that are assigned to the service and device inventory information for those devices that are managed by Windows Intune. Metadata, such as application name, publisher, and version,
2396

for content that is assigned to Manage.Microsoft.com distribution points is sent to Windows Intune. The actual binary content assigned to a Manage.Microsoft.com distribution point is encrypted before it is uploaded to Windows Intune.

Use of Information:
The information sent to Windows Intune is used only to provide and improve the Windows Intune services. No information about the content assigned to the distribution point is collected by Microsoft.

Security of Subscription-Related Data:

Content selected to be uploaded to the Manage.Microsoft.com distribution point is encrypted with a key that is unique to your organizations installation of Configuration Manager. Some content may be particularly sensitive to your organization or be subject to specific regulatory requirements. For more information, see the Windows Intune Privacy Statement.

Choice/Control:
This feature is not configured by default. Administrators have control over what content is transferred to the Manage.microsoft.com distribution point and which users are assigned to the service. The feature can be removed at any time. For information about how to retire devices that are managed by Windows Intune, see the Windows Intune Privacy Statement. To disable communication between Configuration Manager and Windows Intune, you can remove the Windows Intune connector. To remove the Windows Intune connector 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, click Servers and Site System Roles. 3. Select the server that hosts the Windows Intune connector. 4. In the Site System Roles details pane, select Windows Intune connector and then, on the Site Role tab, in the Site Role settings group, click Remove Role, and click Yes to confirm.

2397

Microsoft System Center 2012 Configuration Manager Privacy Statement - Mobile Device Addendum
Note This addendum is available in additional languages from the Microsoft Download Center. This privacy statement should be read in conjunction with the Microsoft System Center 2012 Configuration Manager Privacy Statement. Provisions in that document are applicable. This privacy statement covers the features for Enterprise Enrollment related to mobile device management in Microsoft System Center 2012 Configuration Manager. This disclosure focuses on the high-level aspects of the enrollment feature, and is not intended to be an exhaustive list.

Enterprise Enrollment allows you to enroll your device with a Microsoft System Center 2012 Configuration Manager server. After your phone is enrolled, your companys IT department can install software, configure settings, and view a list of all installed software on your phone. Your IT department also has the ability to reset your device to the manu facturers defaults wiping all personal settings and data.

Information Collected, Processed, or Transmitted:

Enterprise Enrollment will send your email address to your corporate Microsoft System Center 2012 Configuration Manager server. Enterprise Enrollment will also install a digital certificate from the corporate certification authority. Please note that no information is sent to or collected by Microsoft.

Choice/Control:
It is your choice to use Enterprise Enrollment; during enrollment you can stop the process at any time before you enter your password and agree to continue with the process. After that you remain enrolled until you reset your device back to the manufacturer's defaults. If your device becomes unenrolled by your corporate administrator, your device may be wiped of all personal settings and data and be reset back to the manufacturers defaults.

Security Best Practices and Privacy Information for Configuration Manager

Use the topics in this section for security best practices and privacy information for System Center 2012 Configuration Manager.
2398

In This Section
Security and Privacy for Site Administration in Configuration Manager Security and Privacy for Reporting in Configuration Manager Security and Privacy for Migration to System Center 2012 Configuration Manager Security and Privacy for Clients in Configuration Manager Security and Privacy for Content Management in Configuration Manager Security and Privacy for Application Management in Configuration Manager Security and Privacy for Software Updates in Configuration Manager Security and Privacy for Deploying Operating Systems in Configuration Manager Security and Privacy for Collections in Configuration Manager Security and Privacy for Queries in Configuration Manager Security and Privacy for Hardware Inventory in Configuration Manager Security and Privacy for Software Inventory in Configuration Manager Security and Privacy for Asset Intelligence in Configuration Manager Security and Privacy for Power Management in Configuration Manager Security and Privacy for Remote Control in Configuration Manager Security and Privacy for Software Metering in Configuration Manager Security and Privacy for Out of Band Management in Configuration Manager Security and Privacy for Compliance Settings in Configuration Manager Security and Privacy for Endpoint Protection in Configuration Manager

See Also
Security and Privacy for System Center 2012 Configuration Manager

Security and Privacy for Site Administration in Configuration Manager

Note This topic appears in the Site Administration for System Center 2012 Configuration Manager guide and in the Security and Privacy for System Center 2012 Configuration Manager guide. This section contains security and privacy information for System Center 2012 Configuration Manager sites and the hierarchy: Security Best Practices for Site Administration Security Best Practices for the Site Server Security Best Practices for SQL Server
2399

Security Best Practices for Site Systems that Run IIS Security Best Practices for the Management Point Security Best Practices for the Fallback Status Point Security Issues for Site Administration

Privacy Information for Discovery

Security Best Practices for Site Administration

Use the following security best practices to help you secure System Center 2012 Configuration Manager sites and the hierarchy.
Security best practice More information

Run Setup only from a trusted source and secure the communication channel between the Setup media and the site server.

To help prevent tampering of the source files, run Setup from a trusted source. If you store the files on the network, secure the network location. If you do run Setup from a network location, to help prevent an attacker from tampering with the files as they are transmitted over the network, use IPsec or SMB signing between the source location of the Setup files and the site server. In addition, if you use the Setup Downloader to download the files that are required by Setup, make sure that you also secure the location where these files are stored and secure the communication channel for this location when you run Setup.

Extend the Active Directory schema for System Center 2012 Configuration Manager and publish sites to Active Directory Domain Services.

Schema extensions are not required to run Microsoft System Center 20 12 Configuration Manager,
2400

Security best practice

More information

but they do create a more secure environment because Configuration Manager clients and site servers can retrieve information from a trusted source. If clients are in an untrusted domain, deploy the following site system roles in the clients domain: Management point Distribution point Application Catalog website point Note A trusted domain for Configuration Manager requires Kerberos authentication so if clients are in another forest that does not have a two-way forest trust with the site servers forest, these clients are considered to be in untrusted domain. An external trust is not sufficient for this purpose. Use IPsec to secure communications between site system servers and sites. Although Configuration Manager does secure communication between the site server and the computer that runs SQL Server, Configuration Manager does not secure
2401

Security best practice

More information

communication between site system roles and SQL Server. Only some site systems (the enrollment point and the Application Catalog web service point) can be configured for HTTPS for intrasite communication. If you do not use additional controls to secure these server-to-server channels, attackers can use various spoofing and man-in-themiddle attacks against site systems. Use SMB signing when you cannot use IPsec. Note It is particularly important to secure the communication channel between the site server and the package source server. This communication uses SMB. If you cannot use IPsec to secure this communication, use SMB signing to ensure that the files are not tampered with before clients download and run them. Do not change the security groups that Configuration Manager creates and manages for site system communication: SMS_SiteSystemToSiteServerConnection_MP_<SiteCode> Configuration Manager automatically creates and manages these security
2402

Security best practice

More information

SMS_SiteSystemToSiteServerConnection_SMSProv_< SiteCode> SMS_SiteSystemToSiteServerConnection_Stat_<SiteC ode>

groups. This includes removing computer accounts when a site system role is removed. To ensure service continuity and least privileges, do not manually edit these groups. If clients cannot query the Global Catalog for Configuration Manager information, they must rely on the trusted root key to authenticate valid management points. The trusted root key is stored in the client registry and can be set by using Group Policy or manual configuration. If the client does not have a copy of the trusted root key before it contacts a management point for the first time, it trusts the first management point it communicates with. To reduce the risk of an attacker misdirecting clients to an unauthorized management point, you can pre-provision the clients with the trusted root key. For more information, see Planning for the Trusted Root Key.

If clients cannot query the Global Catalog server for Configuration Manager information, manage the trusted root key provisioning process.

Use non-default port numbers.

When you use non-default port numbers, this can provide additional security because it makes it harder for attackers to explore the
2403

Security best practice

More information

environment in preparation for an attack. If you decide to use non-default ports, plan for them before you install Configuration Manager and use them consistently across all sites in the hierarchy. Client request ports and Wake on LAN are examples where you can use non-default port numbers. Use role separation on site systems. Although you can install all the site system roles on a single computer, this practice is rarely used on production networks because it creates a single point of failure. When you isolate each site system role on a different server, this reduces the chance that an attack against vulnerabilities on one site system can be used against a different site system. Many site system roles require the installation of Internet Information Services (IIS) on the site system and this increases the attack surface. If you must combine site system roles to reduce hardware expenditure, combine IIS site system roles only with other site system roles that require IIS. Important The fallback status
2404

Reduce the attack profile.

Security best practice

More information

point role is an exception: Because this site system role accepts unauthenticated data from clients, the fallback status point role should never be assigned to any other Configuration Manager site system role. Follow security best practices for Windows Server and run the Security Configuration Wizard on all site systems. The Security Configuration Wizard (SCW) helps you to create a security policy that you can apply to any server on your network. After you install the System Center 2012 Configuration Manager template, SCW recognizes Configuration Manager site system roles, services, ports, and applications. It then permits the communication that is required for Configuration Manager, and blocks communication that is not required. The Security Configuration Wizard is included with the toolkit for System Center 2012 Configuration Manager, which you can download from the Microsoft Download Center: System Center 2012 Configuration Manager
2405

Security best practice

More information

Component Add-ons and Extensions. Configure static IP addresses for site systems. Static IP addresses are easier to protect from name resolution attacks. Static IP addresses also make the configuration of IPsec easier, which is a security best practice for securing communication between site systems in Configuration Manager. Do not install other applications on site system servers. When you install other applications on site system servers, you increase the attack surface for Configuration Manager and risk incompatibility issues. Enable the signing and encryption options for the site. Ensure that all clients can support the SHA-256 hash algorithm and then enable the option Require SHA-256. Grant administrative access to Configuration Manager only to users that you trust and then grant them minimum permissions by using the built-in security roles or by customizing the security roles. Administrative users who can create, modify, and deploy applications, task sequence, software updates, configuration items and configuration
2406

Require signing and enable encryption as a site option.

Restrict and monitor Configuration Manager administrative users and use role-based administration to grant these users the minimum permissions that they require.

Security best practice

More information

baselines, can potentially control devices in the Configuration Manager hierarchy. Periodically audit administrative user assignments and their authorization level to verify required changes. For more information about configuring role-based administration, see Configure Role-Based Administration. Secure Configuration Manager backups and secure the communication channel when you backup and restore. When you back up Configuration Manager, this information includes certificates and other sensitive data that could be used by an attacker for impersonation. Use SMB signing or IPsec when you transfer this data over the network, and secure the backup location. Whenever you export or import objects from the Configuration Manager console to a network location, secure the location and secure the network channel. Restrict who can access the network folder. Use SMB signing or IPsec between the network location and the site server, and between the computer that runs the Configuration Manager console and site server to prevent an attacker from tampering with the exported data. Use IPsec to encrypt the data on the network to prevent information disclosure.

2407

Security best practice

More information

If a site system fails to uninstall or stops functioning and cannot be restored, manually remove the Configuration Manager certificates for this server from other Configuration Manager servers.

To remove the PeerTrust that was originally established with the site system and site system roles, manually remove the Configuration Manager certificates for the failed server in the Trusted People certificate store on other site system servers. This is particularly important if you repurpose the server without reformatting it. For more information about these certificates, see the section Cryptographic Controls for Server Communication in Technical Reference for Cryptographic Controls Used in Configuration Manager.

Do not configure Internet-based site systems to bridge the perimeter network and the intranet.

Do not configure site system servers to be multihomed so that they connected to the perimeter network and the intranet. Although this configuration allows Internet-based site systems to accept client connections from the Internet and the intranet, it eliminates a security boundary between the perimeter network and the intranet. By default, site systems initiate connections to the site server to transfer data, which can be a security risk
2408

If the site system server is on an untrusted network (such as a perimeter network), configure the site server to initiate connections to the site system.

Security best practice

More information

when the connection initiation is from an untrusted network to the trusted network. When site systems accept connections from the Internet or reside in an untrusted forest, configure the site system option Require the site server to initiate connections to this site system so that after the installation of the site system and any site system roles, all connections are initiated from the trusted network. If you use a web proxy server for Internet-based client management, use SSL bridging to SSL, by using termination with authentication. When you configure SSL termination at the proxy web server, packets from the Internet are subject to inspection before they are forwarded to the internal network. The proxy web server authenticates the connection from the client, terminates it, and then opens a new authenticated connection to the Internetbased site systems. When Configuration Manager client computers use a proxy web server to connect to Internet-based site systems, the client identity (client GUID) is securely contained within the packet payload so that the management point does not consider the proxy web server to be the client. If
2409

Security best practice

More information

your proxy web server cannot support the requirements for SSL bridging, SSL tunneling is also supported. This is a less secure option because the SSL packets from the Internet are forwarded to the site systems without termination, so they cannot be inspected for malicious content. If your proxy web server cannot support the requirements for SSL bridging, you can use SSL tunneling. However, this is a less secure option because the SSL packets from the Internet are forwarded to the site systems without termination, so they cannot be inspected for malicious content. Warning Mobile devices that are enrolled by Configuration Manager cannot use SSL bridging and must use SSL tunneling only. If you configure the site to wake up computers to install software: Use AMT power commands rather than traditional wake-up packets If you use traditional wake-up packets, use unicast rather than subnet-directed broadcasts If you must use subnet-directed broadcasts, configure routers to allow IP-directed broadcasts only from the site server and
2410

For more information about the different wake on LAN technologies, see Planning for Client Communication in Configuration Manager.

Security best practice

More information

only on a non-default port number If you use email notification, configure authenticated access to the SMTP mail server. Whenever possible, use a mail server that supports authenticated access and use the computer account of the site server for authentication. If you must specify a user account for authentication, use an account that has the least privileges. Note In Configuration Manager SP1, email notifications are no longer restricted to Endpoint Protection.

Security Best Practices for the Site Server

Use the following security best practices to help you secure the Configuration Manager site server.
Security best practice More information

Install Configuration Manager on a member server instead of a domain controller.

The Configuration Manager site server and site systems do not require installation on a domain controller. Domain controllers do not have a local Security Accounts Management (SAM) database other than the domain database. When you install Configuration Manager on a member server, you can maintain Configuration Manager accounts in the local SAM database rather than in the domain database. This practice also lowers the attack surface on your domain controllers.
2411

Security best practice

More information

Install secondary sites by avoiding copying the files to the secondary site server over the network.

When you run Setup and create a secondary site, do not select the option to copy the files from the parent site to the secondary site, or use a network source location. When you copy files over the network, a skilled attacker could hijack the secondary site installation package and tamper with the files before they are installed, although timing this attack would be difficult. This attack can be mitigated by using IPsec or SMB when you transfer the files. Instead of copying the files over the network, on the secondary site server, copy the source files from media to a local folder. Then, when you run Setup to create a secondary site, on the Installation Source Files page, select Use the source files at the following location on the secondary site computer (most secure), and specify this folder. For more information, see the Install a Secondary Site section in the Install Sites and Create a Hierarchy for Configuration Manager topic.

Security Best Practices for SQL Server

Configuration Manager uses SQL Server as the back-end database. If the database is compromised, attackers could bypass Configuration Manager and access SQL Server directly to launch attacks through Configuration Manager. Consider attacks against the SQL Server to be very high risk and must be mitigated appropriately. Use the following security best practices to help you secure SQL Server for Configuration Manager.
Security best practice More information

Do not use the Configuration Manager site database server to run other SQL Server applications.

When you increase the access to the Configuration Manager site database server, this increases the risk to your Configuration Manager data. If the Configuration Manager site database is compromised, other applications on the same SQL Server computer
2412

Security best practice

More information

then also become at risk. Configure SQL Server to use Windows authentication. Although Configuration Manager accesses the site database by using a Windows account and Windows authentication, it is still possible to configure SQL Server to use SQL Server mixed mode. SQL Server mixed mode allows additional SQL logins to access the database, which is not required and increases the attack surface. When you install a primary site, Configuration Manager downloads SQL Server Express from the Microsoft Download Center and copies the files to the primary site server. When you install a secondary site and select the option that installs SQL Server Express, Configuration Manager installs the previously downloaded version and does not check whether new versions are available. To ensure that the secondary site has the latest versions, perform one of the following: After the secondary site is installed, run Windows Update on the secondary site server. Before you install the secondary site, manually install SQL Server Express on the computer that will run the secondary site server and ensure that you install the latest version and any software updates. Then install the secondary site and select the option to use an existing SQL Server instance.

Take additional steps to ensure that secondary sites that use SQL Server Express have the latest software updates.

Periodically run Windows Update for these sites and all installed versions of SQL Server to make sure that they have the latest software updates. Follow best practices for SQL Server. Identify and follow the best practices for your version of SQL Server. However, take into consideration the following requirements for Configuration Manager: The computer account of the site server
2413

Security best practice

More information

must be a member of the Administrators group on the computer that runs SQL Server. If you follow the SQL Server recommendation of provision admin principals explicitly, the account that you use to run Setup on the site server must be a member of the SQL Users group. If you install SQL Server by using a domain user account, make sure that the site server computer account is configured for a Service Principal Name (SPN) that is published to Active Directory Domain Services. Without the SPN, Kerberos authentication will fail and Configuration Manager Setup will fail.

Security Best Practices for Site Systems that Run IIS

Several site system roles in Configuration Manager require IIS. When you secure IIS, this allows Configuration Manager to operate correctly and it reduces the risk of security attacks. When it is practical, minimize the number of servers that require IIS. For example, run only the number of management points that you require to support your client base, taking into consideration high availability and network isolation for Internet-based client management. Use the following security best practices to help you secure the site systems that run IIS.
Security best practice. More information

Disable IIS functions that you do not require.

Install only the minimum IIS features for the site system role that you install. For more information, see the Site System Requirements in the Supported Configurations for Configuration Manager topic. When clients connect to a site system by using HTTP rather than by using HTTPS, they use Windows authentication, which might fall back to using NTLM authentication rather than Kerberos authentication. When NTLM authentication is used, clients might connect to a rogue server. The exception to this security best practice might be distribution points because package
2414

Configure the site system roles to require HTTPS.

Security best practice.

More information

access accounts do not work when the distribution point is configured for HTTPS. Package access accounts provide authorization to the content, so that you can restrict which users can access the content. For more information, see Security Best Practices for Content Management. Configure a certificate trust list (CTL) in IIS for the following site system roles: A distribution point that is configured for HTTPS. A management that is configured for HTTPS and enabled to support mobile devices. A certificate trust list (CTL) is a defined list of trusted root certification authorities. When you use a CTL with Group Policy and a PKI deployment, a CTL allows you to supplement the existing trusted root certification authorities that are configured on your network, such as those automatically installed with Microsoft Windows or added through Windows enterprise root certification authorities. However, when a CTL is configured in IIS, a CTL defines a subset of those trusted root certification authorities. This subset provides you with more control over security because the CTL restricts the client certificates that are accepted to only those that are issued from the list of certification authorities in the CTL. For example, Windows ships with a number of well-known third-party certification authority certificates, such as VeriSign and Thawte. By default, the computer that runs IIS trusts certificates that chain to these well-known certification authorities. When you do not configure IIS with a CTL for the listed site system roles, any device that has a client certificate issued from these certification authorities are accepted as a valid Configuration Manager client. If you configure IIS with a CTL that did not include these certification authorities, client connections are refused if the certificate chained to these certification authorities. However, for Configuration Manager clients to be accepted for the listed site system roles, you must configure IIS with a CTL that specifies the
2415

Security best practice.

More information

certification authorities that are used by Configuration Manager clients. Note Only the listed site system roles require you to configure a CTL in IIS; the certificate issuers list that Configuration Manager uses for management points provides the same functionality for client computers when they connect to HTTPS management points. For more information about how to configure a list of trusted certification authorities in IIS, refer to your IIS documentation. Do not put the site server on a computer with IIS. Role separation helps to reduce the attack profile and improve recoverability. In addition, the computer account of the site server typically has administrative privileges on all site system roles (and possibly on Configuration Manager clients, if you use client push installation). Although you can host multiple web-based applications on the IIS servers that are also used by Configuration Manager, this practice can significantly increase your attack surface. A poorly configured application could allow an attacker to gain control of a Configuration Manager site system, which could allow an attacker to gain control of the hierarchy. If you must run other web-based applications on Configuration Manager site systems, create a custom web site for Configuration Manager site systems. Use a custom web site. For site systems that run IIS, you can configure Configuration Manager to use a custom website instead of the default website for IIS. If you must run other web applications on the site system, you must use a custom website. This setting is a site -wide setting rather than a setting for a specific site system. In addition to providing additional security, you
2416

Use dedicated IIS servers for Configuration Manager.

Security best practice.

More information

must use a custom website if you run other web applications on the site system. If you switch from the default website to a custom website after any distribution point roles are installed, remove the default virtual directories. When you change from using the default website to using a custom website, Configuration Manager does not remove the old virtual directories. Remove the virtual directories that Configuration Manager originally created under the default website. For example, the virtual directories to remove for a distribution point are the following: Follow best practices for IIS Server. SMS_DP_SMSPKG$ SMS_DP_SMSSIG$ NOCERT_SMS_DP_SMSPKG$ NOCERT_SMS_DP_SMSSIG$

Identify and follow the best practices for your version of IIS Server. However, take into consideration any requirements that Configuration Manager has for specific site system roles. For more information, see the Site System Requirements section in the Supported Configurations for Configuration Manager topic.

Security Best Practices for the Management Point

Management points are the primary interface between devices and Configuration Manager. Consider attacks against the management point and the server that it runs on to be very high risk and to be mitigated appropriately. Apply all appropriate security best practices and monitor for unusual activity. Use the following security best practices to help secure a management point in Configuration Manager.
Security best practice More information

When you install a Configuration Manager client on the management point, assign it to that management points site.

Avoid the scenario where a Configuration Manager client that is on a management point site system is assigned to a site other than the management points site. If you migrate from Configuration Manager
2417

Security best practice

More information

2007 to System Center 2012 Configuration Manager, migrate the Configuration Manager 2007 client to System Center 2012 Configuration Manager as soon as possible.

Security Best Practices for the Fallback Status Point

Use the following security best practices if you install a fallback status point in Configuration Manager. For more information about the security considerations when you install a fallback status point, see Determine Whether You Require a Fallback Status Point.
Security best practice More information

Do not run other site system roles on the site system and do not install it on a domain controller.

Because the fallback status point is designed to accept unauthenticated communication from any computer, running this site system role with other site system roles or on a domain controller greatly increases the risk to that server.

When you use PKI certificates for client communication in Configuration Manager, If Configuration Manager site systems do not install the fallback status point before you install accept HTTP client communication, you might the clients. not know that clients are unmanaged because of PKI-related certificate issues. However, if clients are assigned to a fallback status point, these certificate issues will be reported by the fallback status point. For security reasons, you cannot assign a fallback status point to clients after they are installed; you can assign this role only during client installation. Avoid using the fallback status point in the perimeter network. By design, the fallback status point accepts data from any client. Although a fallback status point in the perimeter network could help you to troubleshoot Internet-based clients, you must balance the troubleshooting benefits with the risk of a site system that accepts unauthenticated data in a publicly accessible
2418

Security best practice

More information

network. If you do install the fallback status point in the perimeter network or any untrusted network, configure the site server to initiate data transfers rather than the default setting that allows the fallback status point to initiate a connection to the site server.

Security Issues for Site Administration

Review the following security issues for Configuration Manager: Configuration Manager has no defense against an authorized administrative user who uses Configuration Manager to attack the network. Unauthorized administrative users are a high security risk and could launch numerous attacks, which include the following: Use software deployment to automatically install and run malicious software on every Configuration Manager client computer in the enterprise. Use remote control to take remote control of a Configuration Manager client without client permission. Configure rapid polling intervals and extreme amounts of inventory to create denial of service attacks against the clients and servers. Use one site in the hierarchy to write data to another site's Active Directory data.

The site hierarchy is the security boundary; consider sites to be management boundaries only. Audit all administrative user activity and routinely review the audit logs. Require all Configuration Manager administrative users to undergo a background check before they are hired and require periodic rechecks as a condition of employment. If the enrollment point is compromised, an attacker could obtain certificates for authentication and steal the credentials of users who enroll their mobile devices. The enrollment point communicates with a certification authority and can create, modify, and delete Active Directory objects. Never install the enrollment point in the perimeter network and monitor for unusual activity. If you allow user policies for Internet-based client management or configure the Application Catalog website point for users when they are on the Internet, you increase your attack profile. In addition to using PKI certificates for client-to-server connections, these configurations require Windows authentication, which might fall back to using NTLM authentication rather than Kerberos. NTLM authentication is vulnerable to impersonation and replay attacks. To successfully authenticate a user on the Internet, you must allow a connection from the Internet-based site system server to a domain controller.
2419

The Admin$ share is required on site system servers. The Configuration Manager site server uses the Admin$ share to connect to and perform service operations on site systems. Do not disable or remove the Admin$ share.

Configuration Manager uses name resolution services to connect to other computers and these services are hard to secure against security attacks such as spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege. Identify and follow any security best practices for the version of DNS and WINS that you use for name resolution.

Privacy Information for Discovery

Discovery creates records for network resources and stores them in the System Center 2012 Configuration Manager database. Discovery data records contain computer information such as IP address, operating system, and computer name. Active Directory discovery methods can also be configured to discover any information that is stored in Active Directory Domain Services. The only discovery method that is enabled by default is Heartbeat Discovery, but that method only discovers computers that are already have the System Center 2012 Configuration Manager client software installed. Discovery information is not sent to Microsoft. Discovery information is stored in the Configuration Manager database. Information is retained in the database until it is deleted by the site maintenance task Delete Aged Discovery Data every 90 days. You can configure the deletion interval. Before you configure additional discovery methods or extend Active Directory discovery, consider your privacy requirements.

See Also
Site Administration for System Center 2012 Configuration Manager

Security and Privacy for Reporting in Configuration Manager

Note This topic appears in the Site Administration for System Center 2012 Configuration Manager guide and in the Security and Privacy for System Center 2012 Configuration Manager guide. This topic contains security best practices and privacy information for reporting in System Center 2012 Configuration Manager. Configuration Manager reports display information that is collected during standard Configuration Manager management operations. For example, you can display a report of information that has
2420

been collected from discovery or inventory. Reports can also contain the current status information for client management operations, such as deploying software, and checking for compliance. For more information about any security best practices and privacy information for Configuration Manager operations that might generate data that can be displayed in reports, see Security Best Practices and Privacy Information for Configuration Manager.

See Also
Reporting in Configuration Manager

Security and Privacy for Migration to System Center 2012 Configuration Manager
This topic contains security best practices and privacy information for migration to your System Center 2012 Configuration Manager environment.

Security Best Practices for Migration

Use the following security best practice for migration.
Security best practice More information

Use the computer account for the Source Site SMS Provider Account and the Source Site SQL Server Account rather than a user account. Use IPsec when you migrate content from a distribution point in a source site to a distribution point in your destination site. Restrict and monitor the administrative users who can create migration jobs.

If you must use a user account for migration, remove the account details when migration is completed.

Although the migrated content is hashed to detect tampering, if the data is modified while it is transferred, the migration will fail. The integrity of the database of the destination hierarchy depends upon the integrity of data that the administrative user chooses to import from the source hierarchy. In addition, this administrative user can read all data from the source hierarchy.

Security Issues for Migration

Migration has the following security issues:
2421

Clients that are blocked from a source site might successfully assign to the destination hierarchy before their client record is migrated. Although Configuration Manager retains the blocked status of clients that you migrate, the client can successfully assign to the destination hierarchy if assignment occurs before the migration of the client record is completed.

Audit messages are not migrated. When you migrate data from a source site to a destination site, you lose any auditing information from the source hierarchy.

Privacy Information for Migration

Migration discovers information from the site databases that you identify in a source infrastructure and stores this data to the database in the destination hierarchy. The information that System Center 2012 Configuration Manager can discover from a source site or hierarchy depends upon the features that were enabled in the source environment, as well as the management operations that were performed in that source environment. For more information about security and privacy information, see one of the following topics: For more information about the privacy information for Configuration Manager 2007, see Security and Privacy for Configuration Manager 2007 in the Configuration Manager 2007 documentation library. For more information about the privacy information for System Center 2012 Configuration Manager, see Security and Privacy for System Center 2012 Configuration Manager in the System Center 2012 Configuration Manager documentation library.

You can migrate some or all of the supported data from a source site to a System Center 2012 Configuration Manager destination hierarchy. Migration is not enabled by default and requires several configuration steps. Migration information is not sent to Microsoft. Before you migrate data from a source hierarchy, consider your privacy requirements.

See Also
Migrating Hierarchies in System Center 2012 Configuration Manager

Security and Privacy for Clients in Configuration Manager

Note

2422

This topic appears in the Deploying Clients for System Center 2012 Configuration Manager guide and in the Security and Privacy for System Center 2012 Configuration Manager guide. This section contains security and privacy information for clients in System Center 2012 Configuration Manager and for mobile devices that are managed by the Exchange Server connector: Security Best Practices for Configuration Manager Clients and for Mobile Devices that are Managed by the Exchange Server Connector Security Issues for Configuration Manager Clients Privacy Information for Configuration Manager Clients Privacy Information for Mobile Devices that are Managed by Using the Exchange Server Connector

Security Best Practices for Configuration Manager Clients and for Mobile Devices that are Managed by the Exchange Server Connector
When Configuration Manager accepts data from devices that run the Configuration Manager client, this introduces the risk that the clients could attack the site. For example, they could send malformed inventory, or attempt to overload the site systems. Deploy the Configuration Manager client only to devices that you trust. In addition, use the following security best practices to help protect the site from rogue or compromised devices:
Security best practice More information

Use public key infrastructure (PKI) certificates for client communications with site systems that run IIS:

These certificates are required for mobile device clients and for client computer connections on the Internet, and, with the exception of distribution As a site property, configure Site points, are recommended for all client connections system settings for HTTPS only. on the intranet. Install clients with the /UsePKICert CCMSetup property Use a certificate revocation list (CRL) and make sure that clients and communicating servers can always access it. For more information about the PKI certificate requirements and how they are used to help protect Configuration Manager, see PKI Certificate Requirements for Configuration Manager.

Automatically approve client computers from trusted domains and manually check and approve other computers

Approval identifies a computer that you trust to be managed by Configuration Manager when you cannot use PKI authentication. You can configure approval for the hierarchy as manual, automatic for computers in trusted
2423

Security best practice

More information

domains, or automatic for all computers. The most secure approval method is to automatically approve clients that are members of trusted domains, and then manually check and approve all other computers. Automatically approving all clients is not recommended unless you have other access controls to prevent untrustworthy computers from accessing your network. For more information about how to manually approve computers, see Managing Clients from the Devices Node. Do not rely on blocking to prevent clients from accessing the Configuration Manager hierarchy Blocked clients are rejected by the Configuration Manager infrastructure so that they cannot communicate with site systems to download policy, upload inventory data, or send state or status messages. However, do not rely on blocking to protect the Configuration Manager hierarchy from untrusted computers when site systems accept HTTP client connections. In this scenario, a blocked client could re-join the site with a new self-signed certificate and hardware ID. Blocking is designed to be used to block lost or compromised boot media when you deploy an operating system to clients and when all site systems accept HTTPS client connections. If you use a public key infrastructure (PKI) and it supports a certificate revocation list (CRL), always consider certificate revocation to be the primary line of defense against potentially compromised certificates. Blocking clients in Configuration Manager offers a second line of defense to protect your hierarchy. For more information, see Determine Whether to Block Clients in Configuration Manager. Use the most secure client installation methods that are practical for your environment: For domain computers, Group Policy client installation and software update-based client installation methods are more Of all the client installation methods, client push installation is the least secure because of the many dependencies it has, which includes local administrative permissions, the Admin$ share, and many firewall exceptions. These dependencies increase your attack surface. For more information about the different client
2424

Security best practice

More information

secure than client push installation. Imaging and manual installation can be very secure if you apply access controls and change controls.

installation methods, see Determine the Client Installation Method to Use for Windows Computers in Configuration Manager. In addition, wherever possible, select a client installation method that requires the least security permissions in Configuration Manager, and restrict the administrative users that are assigned security roles that include permissions that can be used for purposes other than client deployment. For example, automatic client upgrade requires the Full Administrator security role, which grants an administrative user all security permissions. For more information about the dependencies and security permissions required for each client installation method, see Installation Method Dependencies in the Prerequisites for Computer Clients section in the Prerequisites for Windows Client Deployment in Configuration Manager topic.

If you must use client push installation, take additional steps to secure the Client Push Installation Account

Although this account must be a member of the local Administrators group on each computer that will install the Configuration Manager client software, never add the Client Push Installation Account to the Domain Admins group. Instead, create a global group and add that global group to the local Administrators group on your client computers. You can also create a Group Policy object to add a Restricted Group setting to add the Client Push Installation Account to the local Administrators group. For additional security, create multiple Client Push Installation Accounts, each with administrative access to a limited number of computers so that if one account is compromised, only the client computers to which that account has access are compromised.

Remove certificates prior to imaging client computer

If you plan to deploy clients by using imaging technology, always remove certificates such as PKI certificates that include client authentication and self-signed certificates prior to capturing the image. If you do not remove these certificates, clients might
2425

Security best practice

More information

impersonate each other and you would not be able to verify the data for each client. For more information about using Sysprep to prepare a computer for imaging, see your Windows deployment documentation.. Ensure that the Configuration Manager computer clients get an authorized copy of these certificates: The Configuration Manager trusted root key The site server signing certificate Trusted root key: If you have not extended the Active Directory schema for Configuration Manager, and clients do not use PKI certificates when they communicate with management points, clients rely on the Configuration Manager trusted root key to authenticate valid management points. In this scenario, clients have no way to verify that the management point is a trusted management point for the hierarchy unless they use the trusted root key. Without the trusted root key, a skilled attacker could direct clients to a rogue management point. When clients cannot download the Configuration Manager trusted root key from the Global Catalog or by using PKI certificates, preprovision the clients with the trusted root key to make sure that they cannot be directed to a rogue management point. For more information, see the Planning for the Trusted Root Key section in the Planning for Security in Configuration Manager topic. Site server signing certificate: Clients use the site server signing certificate to verify that the site server signed the client policy that they download from a management point. This certificate is self-signed by the site server and published to Active Directory Domain Services. When clients cannot download the site server signing certificate from the Global Catalog, by default they download it from the management point. When the management point is exposed to an untrusted network (such as the Internet), manually install the site server signing
2426

Security best practice

More information

certificate on clients to make sure that they cannot run client policies that have been tampered with from a compromised management point. To manually install the site server signing certificate, use the CCMSetup client.msi property SMSSIGNCERT. For more information, see About Client Installation Properties in Configuration Manager. Do not use automatic site assignment if the client will download the trusted root key from the first management point it contacts This security best practice is linked to the preceding entry. To avoid the risk of a new client downloading the trusted root key from a rogue management point, use automatic site assignment in the following scenarios only: The client can access Configuration Manager site information that is published to Active Directory Domain Services. You pre-provision the client with the trusted root key. You use PKI certificates from an enterprise certification authority to establish trust between the client and the management point.

For more information about the trusted root key, see the Planning for the Trusted Root Key section in the Planning for Security in Configuration Manager topic. Install client computers with the CCMSetup Client.msi option SMSDIRECTORYLOOKUP=NoWINS The most secure service location method for clients to find sites and management points is to use Active Directory Domain Services. If this is not possible, for example, because you cannot extend the Active Directory schema for Configuration Manager, or because clients are in an untrusted forest or a workgroup, you can use DNS publishing as an alternative service location method. If both these methods fail, clients can fall back to using WINS when the management point is not configured for HTTPS client connections. Because publishing to WINS is less secure than the other publishing methods, configure client computers to not fall back to using WINS by
2427

Security best practice

More information

specifying SMSDIRECTORYLOOKUP=NoWINS. If you must use WINS for service location, use SMSDIRECTORYLOOKUP=WINSSECURE (the default setting), which uses the Configuration Manager trusted root key to validate the self-signed certificate of the management point. Note When the client is configured for SMSDIRECTORYLOOKUP=WINSSECURE and finds a management point from WINS, the client checks its copy of the Configuration Manager trusted root key that is in WMI. If the signature on the management point certificate matches the clients copy of the trusted root key, the certificate is validated, and the client communicates with the management point that it found by using WINS. If the signature on the management point certificate does not match the clients copy of the trusted root key, the certificate is not valid and the client will not communicate with the management point that it found by using WINS.

Make sure that maintenance windows are large enough to deploy critical software updates

You can configure maintenance windows for device collections to restrict the times that Configuration Manager can install software on these devices. If you configure the maintenance window to be too small, the client might not be able to install critical software updates, which leaves the client vulnerable to the attack that is mitigated by the software update. When write filters are enabled on Windows Embedded devices, any software installations or changes are made to the overlay only and do not persist after the device restarts. If you use Configuration Manager to temporarily disable the write filters to persist software installations and changes, during this period, the embedded device is
2428

For Windows embedded devices that have write filters, take additional security precautions to reduce the attack surface if Configuration Manager disables the write filters to persist software installations and

Security best practice

More information

changes

vulnerable to changes to all volumes, which includes shared folders. Although Configuration Manager locks the computer during this period so that only local administrators can log on, whenever possible, take additional security precautions to help protect the computer. For example, enable additional restrictions on the firewall and disconnect the device from the network. If you use maintenance windows to persist changes, plan these windows carefully to minimize the time that write filters might be disabled but long enough to allow software installations and restarts to complete.

If you use software update-based client installation and install a later version of the client on the site, update the software update that is published on the software update point so that clients receive the latest version

If you install a later version of the client on the site, for example, you upgrade the site, the software update for client deployment that is published to the software update point is not automatically updated. You must republish the Configuration Manager client to the software update point and click Yes to update the version number. For more information, see the procedure To publish the Configuration Manager client to the software update point in the How to Install Configuration Manager Clients by Using Software Update-Based Installation section in the How to Install Clients on Windows-Based Computers in Configuration Manager topic.

Configure the Computer Agent client device setting Suspend BitLocker PIN entry on restart to be Always only for computers that you trust and that have restricted physical access

When you set this client setting to Always, Configuration Manager can complete the installation of software to help to ensure that critical software updates are installed and that services are resumed. However, if an attacker intercepts the restart process, she could take control of the computer. Use this setting only when you trust the computer and when physical access to the computer is restricted. As an example, this setting might be appropriate for servers in a data center. This client setting allows the Configuration Manager client to run unsigned PowerShell scripts, which could allow malware to run on client computers. If
2429

Do not configure the Computer Agent client device setting PowerShell execution policy to be

Security best practice

More information

Bypass.

you must select this option, use a custom client setting and assign it to only the client computers that must run unsigned PowerShell scripts. This role separation helps to protect the enrollment point from attack. If the enrollment point is compromised, an attacker could obtain certificates for authentication and steal the credentials of users who enroll their mobile devices.

For mobile devices that you enroll with Configuration Manager and will support on the Internet: Install the enrollment proxy point in a perimeter network and the enrollment point in the intranet For mobile devices: Configure the password settings to help protect mobile devices from unauthorized access

For mobile devices that are enrolled by Configuration Manager: Use a mobile device configuration item to configure the password complexity to be the PIN and at least the default length for the minimum password length. For mobile devices that do not have the Configuration Manager client installed but that are managed by the Exchange Server connector: Configure the Password Settings for the Exchange Server connector such that the password complexity is the PIN and specify at least the default length for the minimum password length.

For mobile devices: Help prevent tampering of inventory information and status information by allowing applications to run only when they are signed by companies that you trust and do not allow unsigned files to be installed

For more mobile devices that are enrolled by Configuration Manager: Use a mobile device configuration item to configure the security setting Unsigned applications as Prohibited and configure Unsigned file installations to be a trusted source. For mobile devices that do not have the Configuration Manager client installed but that are managed by the Exchange Server connector: Configure the Application Settings for the Exchange Server connector such that Unsigned file installation and Unsigned applications are configured as Prohibited. For more mobile devices that are enrolled by Configuration Manager: Use a mobile device configuration item to configure the password setting Idle time in minutes before mobile device is locked.
2430

For mobile devices: Help prevent elevation of privilege attacks by locking the mobile device when it is not used

Security best practice

More information

For mobile devices that do not have the Configuration Manager client installed but that are managed by the Exchange Server connector: Configure the Password Settings for the Exchange Server connector to configure Idle time in minutes before mobile device is locked. For mobile devices: Help prevent elevation of privileges by restricting the users who can enroll their mobile devices. For mobile devices: Do not deploy applications to users who have mobile devices enrolled by Configuration Manager or Windows Intune in the following scenarios: When the mobile device is used by more than one person. When the device is enrolled by an administrator on behalf of a user. When the device is transferred to another person without retiring and then re-enrolling the device. Use a custom client setting rather than default client settings to allow only authorized users to enroll their mobile devices.

A user device affinity relationship is created during enrollment, which maps the user who performs enrollment to the mobile device. If another user uses the mobile device, they will be able to run the applications that you deploy to the original user, which might result in an elevation of privileges. Similarly, if an administrator enrolls the mobile device for a user, applications deployed to the user will not be installed on the mobile device and instead, applications that are deployed to the administrator might be installed. Unlike user device affinity for Windows computers, you cannot manually define the user device affinity information for mobile devices that are enrolled by Windows Intune. If you transfer ownership of a mobile device that is enrolled by Windows Intune, retire the mobile device from Windows Intune to remove the user device affinity, and then ask the current user to enroll the device again.

For mobile devices: Make sure that users enroll their own mobile devices for Windows Intune.

Because a user device affinity relationship is created during enrollment, which maps the user who performs enrollment to the mobile device, if an administrator enrolls the mobile device for a user, applications deployed to the user will not be installed on the mobile device and instead, applications that are deployed to the administrator might be installed. Use IPsec if the Exchange Server is on-premise;
2431

For the Exchange Server connector:

Security best practice

More information

Make sure that the connection between the Configuration Manager site server and the Exchange Server computer is protected

hosted Exchange automatically secures the connection by using SSL.

For the Exchange Server connector: For a list of the minimum cmdlets that the Exchange Use the principle of least privileges for Server connector requires, see How to Manage the connector Mobile Devices by Using the Exchange Server Connector in Configuration Manager. For Mac computers in Configuration Manager SP1: Independently from Configuration Manager, monitor and track the validity period of the certificate that enrolled to users To ensure business continuity, monitor and track the validity period of the certificates that you use for Mac computers. Configuration Manager SP1 does not support automatic renewal of this certificate or warn you that the certificate is about to expire. A typical validity period is 1 year. For information about how to renew the certificate, see the Renewing the Mac Client Certificate sections in the How to Install Clients on Mac Computers in Configuration Manager topic.

Security Issues for Configuration Manager Clients

The following security issues have no mitigation: Status messages are not authenticated No authentication is performed on status messages. When a management point accepts HTTP client connections, any device can send status messages to the management point. If the management point accepts HTTPS client connections only, a device must obtain a valid client authentication certificate from a trusted root certification authority, but could also then send any status message. If a client sends an invalid status message it will be discarded. There are a few potential attacks against this vulnerability. An attacker could send a bogus status message to gain membership in a collection that is based on status message queries. Any client could launch a denial of service against the management point by flooding it with status messages. If status messages are triggering actions in status message filter rules, an attacker could trigger the status message filter rule. An attacker could also send status message that would render reporting information inaccurate. Policies can be retargeted to non-targeted clients There are several methods that attackers could use to make a policy targeted to one client apply to an entirely different client. For example, an attacker at a trusted client could send false inventory or discovery information to have the computer added to a collection it should
2432

not belong to, and then receive all the deployments to that collection. While controls exist to help prevent attackers from modifying policy directly, attackers could take an existing policy to reformat and redeploy an operating system and send it to a different computer, creating a denial of service. These types of attacks would require precise timing and extensive knowledge of the Configuration Manager infrastructure. Client logs allow user access All the client log files allow users Read access and Interactive Users Write access. If you enable verbose logging, attackers might read the log files to look for information about compliance or system vulnerabilities. Processes such as software installation that are performed in a user's context must be able to write to logs with a low-rights user account. This means an attacker could also write to the logs with a low rights account. The most serious risk is that an attacker could remove information in the log files that an administrator might need for auditing and intruder detection. A computer could be used to obtain a certificate that is designed for mobile device enrollment When Configuration Manager process an enrollment request, it cannot verify that the request originated from a mobile device rather than from a computer. If the request is from a computer, it can install a PKI certificate that then allows it to register with Configuration Manager. To help prevent an elevation of privilege attack in this scenario, only allow trusted users to enroll their mobile devices and carefully monitor enrollment activities. The connection from a client to the management point is not dropped if you block a client and the blocked client could continue to send client notification packets to the management point, as keep-alive messages For Configuration Manager SP1 only: When you block a client that you no longer trust, and it has established a client notification communication, Configuration Manager does not disconnect the session. The blocked client can continue to send packets to its management point until the client disconnects from the network. These packets are only small, keep-alive packets and these clients cannot be managed by Configuration Manager until they are unblocked. When you use automatic client upgrade and the client is directed to a management point to download the client source files, the management point is not verified as a trusted source For Configuration Manager SP1 only: If you use automatic client upgrade in a Configuration Manager hierarchy where some sites run Configuration Manager SP1 and some site run Configuration Manager with no service pack, a client in a Configuration Manager site with no service pack is directed to download the client source files from its assigned management point rather than from distribution points. This ensures that clients that are assigned to sites that run Configuration Manager with no service pack do not install Configuration Manager SP1 client source files, which would result in the client being unmanaged. In this scenario, the management point is not verified by the clients as a trusted source and it is possible to redirect clients to a rogue management point for the client installation files. However, this risk is low because clients will

2433

reject any client installation files that are not signed by Microsoft. Clients always verify trust before they download client policy from management points. If you use the options to commit changes on Windows Embedded devices in Configuration Manager SP1, accounts might be locked out sooner than expected If the Windows Embedded device is running an operating system that is prior to Windows 7 and a user attempts to log on while the write filters are disabled to commit changes made by Configuration Manager SP1, the number of incorrect logon attempts that are allowed before the account is locked out is effectively halved. For example, if the Account Lockout Threshhold is configured as 6 and a user mistypes their password 3 times, the account is locked out, effectively creating a denial of service situation. If users must log on to embedded devices in this scenario, caution them about the potential for a reduced lockout threshold.

Privacy Information for Configuration Manager Clients

When you deploy the Configuration Manager client, you enable client settings so you can use Configuration Manager management features. The settings that you use to configure the features can apply to all clients in the Configuration Manager hierarchy, regardless of whether they are directly connected to the corporate network, connected through a remote session, or connected to the Internet but supported by Configuration Manager. Client information is stored in the Configuration Manager database and is not sent to Microsoft. The client information is stored in the Configuration Manager database. Information is retained in the database until it is deleted by the site maintenance tasks Delete Aged Discovery Data every 90 days. You can configure the deletion interval. Before you configure the Configuration Manager client, consider your privacy requirements.

Privacy Information for Mobile Device Clients that are Enrolled by Configuration Manager
For privacy information for when you enroll a mobile device by Configuration Manager, see Microsoft System Center 2012 Configuration Manager Privacy Statement - Mobile Device Addendum.

Client Status
Configuration Manager monitors the activity of clients and periodically evaluates and can remediate the Configuration Manager client and its dependencies. Client status is enabled by default, and it uses server-side metrics for the client activity checks, and client-side actions for self-checks, remediation, and for sending client status information to the Configuration Manager site. The client runs the self-checks according to a schedule that you can configure. The client sends the results of the checks to the Configuration Manager site. This information is encrypted during transfer.
2434

Client status information is stored in the Configuration Manager database and is not sent to Microsoft. The information is not stored in encrypted format in the site database. This information is retained in the database until it is deleted according to the value that is configured for the Retain client status history for the following number of days client status setting. The default value for this setting is every 31 days. Before you install the Configuration Manager client with client status checking, consider your privacy requirements.

Privacy Information for Mobile Devices that are Managed by Using the Exchange Server Connector
The Exchange Server Connector finds and manages devices that connect to Exchange Server (on-premise or hosted) by using the ActiveSync protocol. The records found by the Exchange Server Connector are stored in the Configuration Manager database. The information is collected from Exchange Server. It does not contain any additional information from what the mobile devices send to Exchange Server. The mobile device information is not sent to Microsoft. The mobile device information is stored in the Configuration Manager database. Information is retained in the database until it is deleted by the site maintenance tasks Delete Aged Discovery Data every 90 days. You can configure the deletion interval. Before you install and configure the Exchange Server connector, consider your privacy requirements.

See Also
Deploying Clients for System Center 2012 Configuration Manager

Security and Privacy for Content Management in Configuration Manager

Note This topic appears in the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide and in the Security and Privacy for System Center 2012 Configuration Manager guide. This topic contains security and privacy information for content management in System Center 2012 Configuration Manager. Read it in conjunction with the following topics: Security and Privacy for Application Management in Configuration Manager Security and Privacy for Software Updates in Configuration Manager
2435

Security and Privacy for Deploying Operating Systems in Configuration Manager

Security Best Practices for Content Management

Use the following security best practices for content management:
Security best practice More information

For distribution points on the intranet, consider the advantages and disadvantages of using HTTPS and HTTP

Differences between HTTPS and HTTP for distribution points: When you use HTTPS for a distribution point, Configuration Manager does not use package access accounts to authorize access to the content, but the content is encrypted when it transferred over the network. When you use HTTP for a distribution point, you can use package access accounts for authorization, but the content is not encrypted when it is transferred over the network.

In most scenarios, using HTTP and package access accounts for authorization provides more security than using HTTPS with encryption but without authorization. However, if you have sensitive data in your content that you want to encrypt during transfer, use HTTPS. If you use a PKI client authentication certificate rather than a self-signed certificate for the distribution point, protect the certificate file (.pfx) with a strong password. If you store the file on the network, secure the network channel when you import the file into Configuration Manager. When you require a password to import the client authentication certificate that you use for the distribution point to communicate with management points, this helps to protect the certificate from an attacker. Use SMB signing or IPsec between the network location and the site server to prevent an attacker from tampering with the certificate file. By default, a distribution point is installed on the same server as the site server. Clients do not have to communicate directly with the site server, so to reduce the attack surface, assign the distribution point role to other site systems and remove it from the site server.
2436

Remove the distribution point role from the site server.

Security best practice

More information

Secure content at the package access level. Note This does not apply to cloud-based distribution points on Configuration Manager SP1, which do not support package access accounts.

The distribution point share allows Read access to all users. To restrict which users can access the content, use package access accounts when the distribution point is configured for HTTP. For more information about the Package Access Account, see the Manage Accounts to Access Package Content section in the Operations and Maintenance for Content Management in Configuration Manager topic The distribution point does not require HTTP Redirection and IIS Management Scripts and Tools. To reduce the attack surface, remove these role services for the web server (IIS) role. For more information about the role services for the web server (IIS) role for distribution points, see the Site System Requirements section in the Supported Configurations for Configuration Manager topic. Because changes to the access accounts on the package files become effective only when you redistribute the package, set the package access permissions carefully when you first create the package. This is particularly important for the following scenarios: The package is large. You are distributing the package to many distribution points. The network bandwidth capacity for content distribution is limited.

If Configuration Manager installs IIS when you add a distribution point site system role, remove HTTP Redirection and IIS Management Scripts and Tools when the distribution point installation is complete

Set package access permissions when you create the package

Implement access controls to protect media that contains prestaged content

Prestaged content is compressed but not encrypted. An attacker could read and modify the files that are then downloaded to devices. Configuration Manager clients will reject content that is tampered with, but they still download it. To avoid tampering and elevation of privileges, use only the authorized command-line tool that is supplied with Configuration Manager.
2437

Import prestaged content by using only the ExtractContent command-line tool (ExtractContent.exe) that is supplied with

Security best practice

More information

Configuration Manager and make sure that is signed by Microsoft Secure the communication channel between the site server and the package source location Use IPsec or SMB signing between the site server and the package source location for when you create applications and packages. This helps to prevent an attacker from tampering with the source files. When you change from using the default website to using a custom website, Configuration Manager does not remove the old virtual directories. Remove the virtual directories that Configuration Manager originally created under the default website: For cloud-based distribution points in Configuration Manager SP1: Protect your subscription details and certificates SMS_DP_SMSPKG$ SMS_DP_SMSSIG$ NOCERT_SMS_DP_SMSPKG$ NOCERT_SMS_DP_SMSSIG$

If you change the site configuration option to use a custom website rather than the default website after any distribution point roles are installed, remove the default virtual directories

When you use cloud-based distribution points in Configuration Manager SP1, protect the following high-value items: The user name and password for your Windows Azure subscription. The Windows Azure management certificate. The cloud-based distribution point service certificate.

Store the certificates securely and if you browse to them over the network when you configure the cloud-based distribution point, use IPsec or SMB signing between the site system server and the source location. For cloud-based distribution points in Configuration Manager SP1: For service continuity, monitor the expiry date of the certificates Configuration Manager SP1 does not warn you when the imported certificates for management or the cloud-based distribution point service is about to expire. You must monitor the expiry dates independently from Configuration Manager and make sure that you renew and then import the new certificate before the expiry date. This is particularly important if you
2438

Security best practice

More information

purchase a Configuration Manager cloud-based distribution point service certificate from an external certification authority (CA), because you might need additional time to obtain a renewed certificate. Note If either certificate expires, Cloud Services Manager generates the status message ID 9425 and the CloudMgr.log file contains an entry to indicate that the certificate is in expired state, with the expiry date also logged in UTC.

Security Issues for Content Management

Content management has the following security issues: Clients do not validate content until after it is downloaded Configuration Manager clients validate the hash on content only after it is downloaded to their client cache. If an attacker tampers with the list of files to download or with the content itself, the download process can take up considerable network bandwidth for the client to then discard the content when it encounters the invalid hash. You cannot restrict access to content hosted by cloud-based distribution points to users or groups When you use cloud-based distribution points in Configuration Manager SP1, access to the content is automatically restricted to your enterprise and you cannot restrict it further to selected users or groups. A blocked client can continue to download content from a cloud-based distribution point for up to 8 hours When you use cloud-based distribution points in Configuration Manager SP1, clients are authenticated by the management point and then use a Configuration Manager token to access cloud-based distribution points. The token is valid for 8 hours so if you block a client because it is no longer trusted, it can continue to download content from a cloud-based distribution point until the validity period of this token is expired. At this point, the management point will not issue another token for the client because the client is blocked. To avoid a blocked client from downloading content within this 8 hour window, you can stop the cloud service from the Cloud node, Hierarchy Configuration, in the Administration workspace in the Configuration Manager console. For more information, see Manage Cloud Services for Configuration Manager.
2439

Privacy Information for Content Management

Configuration Manager does not include any user data in content files, although an administrative user might choose to do this. Before you configure content management, consider your privacy requirements.

See Also
Content Management in Configuration Manager

Security and Privacy for Application Management in Configuration Manager

Note This topic appears in the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide and in the Security and Privacy for System Center 2012 Configuration Manager guide. This topic contains information about security and privacy for application management in System Center 2012 Configuration Manager. This topic also includes the Application Catalog and Software Center. Use the following sections for more information: Security best practices for application management Security issues for application management Certificates for Microsoft Silverlight 5, and elevated trust mode required for the Application Catalog Privacy information for application management User device affinity Application Catalog

Security best practices for application management

Use the following security best practices for application management:
Security best practice More information

Configure the Application Catalog points to use HTTPS connections and educate users about the dangers of malicious websites.

Configure the Application Catalog website point and the Application Catalog web service point to accept HTTPS connections so that the server is authenticated to users and the data
2440

Security best practice

More information

that is transmitted is protected from tampering and viewing. Help to prevent social engineering attacks by educating users to connect to trusted websites only. Note Do not use the branding configuration options that display the name of your organization in the Application Catalog as proof of identify when you do not use HTTPS. Use role separation, and install the Application Catalog website point and the Application Catalog service point on separate servers. If the Application Catalog website point is compromised, install it on a separate server to the Application Catalog web service point. This will help to protect the Configuration Manager clients and the Configuration Manager infrastructure. This is particularly important if the Application Catalog website point accepts client connections from the Internet because this configuration makes the server vulnerable to attack. If users browse to an external website in the same browser window that they used for the Application Catalog, the browser continues to use the security settings that are suitable for trusted sites in the intranet. Do not consider the information that is collected from users or from the device to be authoritative. If you deploy software by using user device affinity that is not specified by a trusted administrative user, the software might be installed on computers and to users who are not authorized to receive that software. When you configure deployments to download content from a distribution point and run locally, the Configuration Manager client verifies the package hash after it downloads the content, and it discards the package if the hash does not match the hash in the policy. In comparison, if you configure the deployment to run directly
2441

Educate users to close the browser window when they finish using the Application Catalog.

Manually specify the user device affinity instead of allowing users to identify their primary device; and do not enable usage-based configuration.

Always configure deployments to download content from distribution points rather than run from distribution points.

Security best practice

More information

from a distribution point, the Configuration Manager client does not verify the package hash, which means that the Configuration Manager client can install software that has been tampered with. If you must run deployments directly from distribution points, use NTFS least permissions on the packages on the distribution points, and use IPsec to secure the channel between the client and the distribution points and between the distribution points and the site server. Do not allow users to interact with programs if the option Run with administrative rights is required. When you configure a program, you can set the option Allow users to interact with this program so that users can respond to any required prompts in the user interface. If the program is also configured to Run with administrative rights, an attacker at the computer that runs the program could use the user interface to escalate privileges on the client computer. Use Windows Installer-based setup programs with per-user elevated privileges for software deployments that require administrative credentials, but that must be run in the context of a user who does not have administrative credentials. Windows Installer per-user elevated privileges provides the most secure way to deploy applications that have this requirement. Restrict whether users can install software interactively by using the Installation permissions client setting. Configure the Computer Agent client device setting Install permissions to restrict the types of users that can install software by using the Application Catalog or Software Center. For example, create a custom client setting with Install permissions set to Only administrators. Then apply this client setting to a collection of servers to prevent users without administrative permissions from installing software on those computers. Deploy mobile device applications only if they
2442

For mobile devices, deploy only applications

Security best practice

More information

that are signed

are code signed by a certification authority (CA) that is trusted by the mobile device. For example: An application from a vendor, which is signed by a well-known CA, such as VeriSign. An internal application that you sign independently from Configuration Manager, by using your internal CA. An internal application that you sign by using Configuration Manager when you create the application type and use a signing certificate.

If you sign mobile device applications by using the Create Application Wizard in Configuration Manager, secure the location of the signing certificate file, and secure the communication channel.

To help protect against elevation of privileges and against man-in-the-middle attacks, store the signing certificate file in a secured folder and use IPsec or SMB between the following computers: The computer that runs the Configuration Manager console. The computer that stores the certificate signing file. The computer that stores the application source files.

Alternatively, sign the application independently from Configuration Manager and before you run the Create Application Wizard. Implement access controls to protect reference computers. When an administrative user configures the detection method in a deployment type by browsing to a reference computer, make sure that the computer has not been compromised.

Restrict and monitor the administrative users who are granted the role-based security roles that are related to application management: Application Administrator Application Author Application Deployment Manager

Even when you configure role-based administration, administrative users who create and deploy applications might have more permissions than you realize. For example, when administrative users create or modify an application, they can select dependent applications that are not in their security scope.
2443

Note For Configuration Manager SP1 only: When you configure Microsoft Application Virtualization (App-V) virtual environments, select applications in the virtual environment that have the same trust level.

Because applications in an App-V virtual environment can share resources, such as the clipboard, configure the virtual environment such that the selected applications have the same trust level. For more information, see How to Create App-

V Virtual Environments in Configuration Manager. Because the .cmmac file that the CMAppUtil tool generates and that you import into Configuration Manager is not signed or validated, to help prevent tampering of this file, store it in a secured folder and use IPsec or SMB between the following computers: The computer that runs the Configuration Manager console. The computer that stores the .cmmac file.

Note For Configuration Manager SP1 only: If you deploy applications for Mac computers in Configuration Manager SP1, secure the location of the .cmmac file and secure the communication channel when you import this file into Configuration Manager.

Security issues for application management

Application management has the following security issues: Low-rights users can copy files from the client cache on the client computer. Users can read the client cache, but cannot write to it. With read permissions, a user can copy application installation files from one computer to another. Low-rights users can modify files that record software deployment history on the client computer. Because the application history information is not protected, a user can modify files that report whether an application installed. App-V packages are not signed. App-V packages in Configuration Manager do not support signing to verify that the content is from a trusted source and that it has not been altered in transit. There is no mitigation for this security issue; make sure that you follow the security best practice to download the content from a trusted source and from a secure location. Published App-V applications can be installed by all users on the computer. When an App-V application is published on a computer, all users who log on to that computer can install the application. This means that you cannot restrict which users can install the application after it is published.

2444

Certificates for Microsoft Silverlight 5, and elevated trust mode required for the Application Catalog
Note Applies only to System Center 2012 Configuration Manager SP1. System Center 2012 Configuration Manager SP1 clients require Microsoft Silverlight 5, which must run in elevated trust mode for users to install software from the Application Catalog. By default, Silverlight applications run in partial trust mode to prevent applications from accessing user data. Configuration Manager automatically installs Microsoft Silverlight 5 on clients if it is not already installed, and by default, it configures the Computer Agent client setting Allow Silverlight applications to run in elevated trust mode to Yes. This setting allows signed and trusted Silverlight applications to request elevated trust mode. When you install the Application Catalog website point site system role, the client also installs a Microsoft signing certificate in the Trusted Publishers computer certificate store on each Configuration Manager client computer. This certificate allows Silverlight applications that are signed by this certificate to run in the elevated trust mode that computers require to install software from the Application Catalog. Configuration Manager automatically manages this signing certificate. To ensure service continuity, do not manually delete or move this Microsoft signing certificate. Warning When enabled, the client setting Allow Silverlight applications to run in elevated trust mode allows all Silverlight applications that are signed by certificates in the Trusted Publishers certificate store in either the computer store or the user store to run in elevated trust mode. The client setting cannot enable elevated trust mode specifically for the Configuration Manager Application Catalog or for the Trusted Publishers certificate store in the computer store. If malware adds a rogue certificate in the Trusted Publishers store, for example, in the user store, malware that uses its own Silverlight application can now also run in elevated trust mode. If you configure the client setting Allow Silverlight applications to run in elevated trust mode to be No, this does not remove the Microsoft signing certificate from clients. For more information about trusted applications in Silverlight, see Trusted Applications.

Privacy information for application management

Application management allows you to run any application, program, or script on any client computer or client mobile device in the hierarchy. Configuration Manager has no control over what types of applications, programs, or scripts you run or what type of information they transmit. During the application deployment process, Configuration Manager might transmit information between clients and servers that identify the device and logon accounts.
2445

Configuration Manager maintains status information about the software deployment process. Software deployment status information is not encrypted during transmission unless the client communicates by using HTTPS. The status information is not stored in encrypted form in the database. The use of Configuration Manager software installation to remotely, interactively, or silently install software on clients might be subject to software license terms for that software, and is separate from the Software License Terms for System Center 2012 Configuration Manager. Always review and agree to the Software Licensing Terms before you deploy software by using Configuration Manager. Software deployment does not happen by default and requires several configuration steps. Two optional features that help efficient software deployment are user device affinity and the Application Catalog: User device affinity maps a user to devices so that a Configuration Manager administrator can deploy software to a user, and the software is automatically installed on one or more computers that the user uses most often. The Application Catalog is a website that allows users to request software to install.

View the following sections for privacy information about user device affinity and the Application Catalog. Before you configure application management, consider your privacy requirements.

User device affinity

Configuration Manager might transmit information between clients and management point site systems that identify the computer and logon account and the summarized usage for logon accounts. The information that is transmitted between the client and server is not encrypted unless the management point is configured to require clients communicate by using HTTPS. The computer and logon account usage information that is used to map a user to a device is stored on client computers, sent to management points, and then stored in the Configuration Manager database. The old information is deleted from the database by default after 90 days. The deletion behavior is configurable by setting the Delete Aged User Device Affinity Data site maintenance task. Configuration Manager maintains status information about user device affinity. Status information is not encrypted during transmission unless clients are configured to communicate with management points by using HTTPS. Status information is not stored in encrypted form in the database. Computer, logon account usage information, and status information is not sent to Microsoft. Computer and logon usage information that is used to establish user and device affinity is always enabled. In addition, users and administrative users can supply user device affinity information.

2446

Application Catalog
The Application Catalog allows the Configuration Manager administrator to publish any application or program or script for users to run. Configuration Manager has no control over what types of programs or scripts are published in the catalog, or what type of information they transmit. Configuration Manager might transmit information between clients and the Application Catalog site system roles that identify the computer and logon accounts. The information that is transmitted between the client and servers is not encrypted unless these site system roles are configured to require that clients connect by using HTTPS. The information about the application approval request is stored in the Configuration Manager database. The requests that are canceled or denied are deleted by default after 30 days, along with the corresponding request history entries. The deletion behavior is configurable by setting the Delete Aged Application Request Data site maintenance task. The application approval requests that are in approved and pending states are never deleted. Information that is sent to and from the Application Catalog is not sent to Microsoft. The Application Catalog is not installed by default. This installation requires several configuration steps.

See Also
Application Management in Configuration Manager

Security and Privacy for Software Updates in Configuration Manager

Note This topic appears in the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide and in the Security and Privacy for System Center 2012 Configuration Manager guide. This topic contains security and privacy information for software updates in System Center 2012 Configuration Manager.

Security Best Practices for Software Updates

Use the following security best practices when you deploy software updates to clients:
Security best practice More information

Do not change the default permissions on

By default, software update packages are set to allow administrators Full Control and users to
2447

Security best practice

More information

software update packages.

have Read access. If you change these permissions, it might allow an attacker to add, remove, or delete software updates. The computer accounts for the SMS Provider, the site server, and the administrative user who will actually download the software updates to the download location require Write access to the download location. Restrict access to the download location to reduce the risk of attackers tampering with the software updates source files in the download location. In addition, if you use a UNC share for the download location, secure the network channel by using IPsec or SMB signing to prevent tampering of the software updates source files when they are transferred over the network.

Control access to the download location for software updates.

Use UTC for evaluating deployment times.

If you use local time instead of UTC, users could potentially delay installation of software updates by changing the time zone on their computers Identify and follow the security best practices for the version of WSUS that you use with Configuration Manager. Important If you configure the software update point to enable SSL communications for the WSUS server, you must configure virtual roots for SSL on the WSUS server.

Enable SSL on WSUS and follow the best practices for securing Windows Server Update Services (WSUS).

Enable CRL checking.

By default, Configuration Manager does not check the certificate revocation list (CRL) to verify the signature on software updates before they are deployed to computers. Checking the CRL each time a certificate is used offers more security against using a certificate that has been revoked, but it introduces a connection delay and incurs additional processing on the computer performing the CRL check. For more information about how to enable CRL
2448

Security best practice

More information

checking for software updates, see How to Enable CRL Checking for Software Updates. Configure WSUS to use a custom website. When you install WSUS on the software update point, you have the option to use the existing IIS Default Web site or to create a custom WSUS website. Create a custom website for WSUS so that IIS hosts the WSUS services in a dedicated virtual website instead of sharing the same web site that is used by the other Configuration Manager site systems or other applications. For more information, see the Configuring WSUS to Use a Custom Web Site section in the Planning for Software Updates in Configuration Manager topic. Network Access Protection (NAP): Do not rely on NAP to secure a network from malicious users. Network Access Protection is designed to help administrators maintain the health of the computers on the network, which in turn helps maintain the networks overall integrity. For example, if a computer has all the software updates required by the Configuration Manager NAP policy, the computer is considered compliant, and it will be granted the appropriate access to the network. Network Access Protection does not prevent an authorized user with a compliant computer from uploading a malicious program to the network or disabling the NAP agent. Use DHCP NAP in a secured, testing environment or for monitoring purposes only. When you use DHCP NAP, attackers can modify the statement of health packets between the client and the NAP health policy server, and users can circumvent the NAP process. Misconfigured NAP policy could result in clients accessing the network when they should be restricted or valid clients being erroneously restricted. The more complicated your NAP policy design, the higher the risk of
2449

Network Access Protection (NAP): Do not use DHCP NAP enforcement in a production environment.

Network Access Protection (NAP): Use consistent NAP policies throughout the hierarchy to minimize confusion.

Security best practice

More information

misconfiguration. Configure the Configuration Manager NAP client agent and Configuration Manager System Health Validator points to use the same settings throughout the hierarchy, or through additional hierarchies in the organization if clients might roam between them. Important If a Configuration Manager client with the Network Access Protection client agent enabled roams into a different Configuration Manager hierarchy and has its client statement of health validated by a System Health Validator point from outside its hierarchy, the validation process will fail the site check. This will result in a client health state of unknown, which by default is configured on the NAP health policy server as non-compliant. If the NAP health policy server has network policies configured for limited network access, these clients cannot be remediated and risk being unable to access the full network. An exemption policy on the NAP health policy server could give Configuration Manager clients that roam outside their Configuration Manager hierarchy unrestricted network access. Network Access Protection (NAP): Do not enable Network Access Protection as a client setting immediately on new Configuration Manager sites. Although the site servers publish the Configuration Manager health state reference to a domain controller when Configuration Manager NAP policies are modified, this new data might not be immediately available for retrieval by the System Health Validator point until Active Directory replication has completed. If you enable Network Access Protection on Configuration Manager clients before replication has completed, and if your NAP
2450

Security best practice

More information

health policy server will give noncompliant clients limited network access, you can potentially cause a denial of service attack against yourself. Network Access Protection (NAP): If you store the health state reference in a designated forest, specify two different accounts for publishing and retrieving the health state reference. When you designate an Active Directory forest to store the health state reference, specify two different accounts because they require different sets of permissions: The Health State Reference Publishing Account requires Read, Write, and Create permissions to the Active Directory forest that stores the health state reference. The Health State Reference Querying Account requires only Read permission to the Active Directory forest that stores the health state reference. Do not grant this account interactive logon rights.

Network Access Protection (NAP): Do not rely on Network Access Protection as an instantaneous or real-time enforcement mechanism.

There are inherent delays in the NAP enforcement mechanism. While NAP helps keep computers compliant over the long run, typical enforcement delays may be on the order of several hours or more due to a variety of factors, including the settings of various configuration parameters.

Privacy Information for Software Updates

Software updates scans your client computers to determine which software updates you require, and then sends that information back to the site database. During the software updates process, Configuration Manager might transmit information between clients and servers that identify the computer and logon accounts. Configuration Manager maintains state information about the software deployment process. State information is not encrypted during transmission or storage. State information is stored in the Configuration Manager database and it is deleted by the database maintenance tasks. No state information is sent to Microsoft. The use of Configuration Manager software updates to install software updates on client computers might be subject to software license terms for those updates, which is separate from the Software License Terms for Microsoft System Center 2012 Configuration Manager. Always review and agree to the Software Licensing Terms prior to installing the software updates by using Configuration Manager.
2451

Configuration Manager does not implement software updates by default and requires several configuration steps before information is collected. Before you configure software updates, consider your privacy requirements.

See Also
Software Updates in Configuration Manager

Security and Privacy for Deploying Operating Systems in Configuration Manager

Note This topic appears in the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide and in the Security and Privacy for System Center 2012 Configuration Manager guide. This topic contains security and privacy information for operating system deployment in System Center 2012 Configuration Manager.

Security Best Practices for Operating System Deployment

Use the following security best practices for when you deploy operating systems with Configuration Manager:
Security best practice More information

Implement access controls to protect bootable media

When you create bootable media, always assign a password to help secure the media. However, even with a password, only files that contain sensitive information are encrypted and all files can be overwritten. Control physical access to the media to prevent an attacker from using cryptographic attacks to obtain the client authentication certificate. Note In Configuration Manager SP1, to help prevent a client from installing content or client policy that has been tampered
2452

Security best practice

More information

with, the content is hashed and must be used with the original policy. If the content hash fails or the check that the content matches the policy, the client will not use the bootable media. Only the content is hashed; the policy is not but it is encrypted and secured when you specify a password, which makes it more difficult for an attacker to successfully modify the policy. Use a secured location when you create media for operating system images If unauthorized users have access to the location, they can tamper with the files that you create and also use all the available disk space so that the media creation fails. When you require a password to import the client authentication certificate that you use for bootable media, this helps to protect the certificate from an attacker. Use SMB signing or IPsec between the network location and the site server to prevent an attacker from tampering with the certificate file. If the client certificate is compromised, block the certificate from Configuration Manager and revoke it if it is a PKI certificate To deploy an operating system by using bootable media and PXE boot, you must have a client authentication certificate with a private key. If that certificate is compromised, block the certificate in the Certificates node in the Administration workspace, Security node. For more information about the difference between blocking a certificate and revoking it, see Comparing Blocking Clients and Revoking Client Certificates. When the SMS Provider is on a computer or computers other than the site server, secure the communication channel to protect boot images When boot images are modified and the SMS Provider is running on a server that is not the site server, the boot images are vulnerable to attack. Protect the network channel between these computers by using SMB signing or IPsec. When a client sends a PXE boot request, you have no way to ensure that the request is
2453

Protect certificate files (.pfx) with a strong password and if you store them on the network, secure the network channel when you import them into Configuration Manager

Enable distribution points for PXE client communication only on secure network

Security best practice

More information

segments

serviced by a valid PXE-enabled distribution point. This scenario has the following security risks: A rogue distribution point that responds to PXE requests could provide a tampered image to clients. An attacker could launch a man-in-themiddle attack against the TFTP protocol that is used by PXE and send malicious code with the operating system files, or she could create a rogue client to make TFTP requests directly to the distribution point. An attacker could use a malicious client to launch a denial of service attack against the distribution point.

Use defense in depth to protect the network segments where clients will access distribution points for PXE requests. Warning Because of these security risks, do not enable a distribution point for PXE communication when it is in an untrusted network, such as a perimeter network. Configure PXE-enabled distribution points to respond to PXE requests only on specified network interfaces If you allow the distribution point to respond to PXE requests on all network interfaces, this configuration might expose the PXE service to untrusted networks When you require a password for PXE boot, this configuration adds an extra level of security to the PXE boot process, to help safeguard against rogue clients joining the Configuration Manager hierarchy. Because of the inherent security risks involved with PXE boot and multicast, reduce the risks if rogue computer downloads the operating system image.

Require a password to PXE boot

Do not include line of business applications or software that contains sensitive data into an image that will be used for PXE boot or multicast

Do not include line of business applications or

When you deploy software packages by using

2454

Security best practice

More information

software that contains sensitive data in software packages that are installed by using task sequences variables

task sequences variables, software might be installed on computers and to users who are not authorized to receive that software.

When you migrate user state, secure the network channel between the client and the state migration point by using SMB signing or IPsec

After the initial connection over HTTP, user state migration data is transferred by using SMB. If you do not secure the network channel, an attacker can read and modify this data. The latest version of USMT provides security enhancements and greater control for when you migrate user state data. When you remove a state migration point folder in the Configuration Manager console on the state migration point properties, the physical folder is not deleted. To protect the user state migration data from information disclosure, you must manually remove the network share and delete the folder. If you configure the deletion policy on the state migration point to remove data that is marked for deletion immediately, and if an attacker manages to retrieve the user state data before the valid computer does, the user state data would be deleted immediately. Set the Delete after interval to be long enough to verify the successful restore of user state data. Configuration Manager does not automatically remove computer associations. Help to protect the identify of user state data by manually deleting computer associations that are no longer required. Configuration Manager Backup does not include the user state migration data. If a computer supports BitLocker, you must disable it by using a task sequence step if you want to install the operating system unattended. Configuration Manager does not enable
2455

Use the latest version of the User State Migration Tool (USMT) that Configuration Manager supports Manually delete folders on state migration point when they are decommissioned

Do not configure the deletion policy to delete user state immediately

Manually delete computer associations when the user state migration data restore is complete and verified

Manually back up the user state migration data on the state migration point Remember to enable BitLocker after the operating system is installed

Security best practice

More information

BitLocker after the operating system is installed, so you must manually re-enable BitLocker. Implement access controls to protect the prestaged media Control physical access to the media to prevent an attacker from using cryptographic attacks to obtain the client authentication certificate and sensitive data. Ensure that the reference computer that you use to capture operating system images is in a secure environment with appropriate access controls so that unexpected or malicious software cannot be installed and inadvertently included in the captured image. When you capture the image, ensure that the destination network file share location is secure so that the image cannot be tampered with after it is captured. When the reference computer has current security updates, it helps to reduce the window of vulnerability for new computers when they first start up. Although provisioning unknown computers provides a convenient method to deploy new computers on demand, it can also allow an attacker to efficiently become a trusted client on your network. Restrict physical access to the network, and monitor clients to detect unauthorized computers. Also, computers responding to PXE-initiated operating system deployment might have all data destroyed during the operating system deployment, which could result in a loss of availability of systems that are inadvertently reformatted. For every operating system deployment package, you have the option to enable encryption when Configuration Manager transfers the package by using multicast. This configuration helps prevent rogue computers from joining the multicast session and helps
2456

Implement access controls to protect the reference computer imaging process

Always install the most recent security updates on the reference computer

If you must deploy operating systems to an unknown computer, implement access controls to prevent unauthorized computers from connecting to the network

Enable encryption for multicast packages

Security best practice

More information

prevent attackers from tampering with the transmission. Monitor for unauthorized multicast-enabled distribution points If attackers can gain access to your network, they can configure rogue multicast servers to spoof operating system deployment. Restrict who can access the network folder. Use SMB signing or IPsec between the network location and the site server to prevent an attacker from tampering with the exported task sequence. Take the following precautionary steps if you use the Task Sequence Run As Account: Use an account with the least possible permissions. Do not use the Network Access account for this account. Never make the account a domain administrator. Never configure roaming profiles for this account. When the task sequence runs, it will download the roaming profile for the account, which leaves the profile vulnerable to access on the local computer. Limit the scope of the account. For example, create different Task Sequence Run As Accounts for each task sequence, so that if one account is compromised, only the client computers to which that account has access are compromised. If the command line requires administrative access on the computer, consider creating a local administrator account solely for the Task Sequence Run As Account on all computers that will run the task sequence, and delete the account as soon as it is no longer required.

When you export task sequences to a network location, secure the location and secure the network channel

If you must use the Task Sequence Run As Account, take additional security precautions

In addition:

Restrict and monitor the administrative users who are granted the Operating System

Administrative users who are granted the Operating System Deployment Manager
2457

Security best practice

More information

Deployment Manager security role

security role can create self-signed certificates that can then be used to impersonate a client and obtain client policy from Configuration Manager.

Security Issues for Operating System Deployment

Although operating system deployment can be a convenient way to deploy the most secure operating systems and configurations for computers on your network, it does have the following security risks: Information disclosure and denial of service If an attacker can obtain control of your Configuration Manager infrastructure, she could run any task sequences, which might include formatting the hard drives of all client computers. Task sequences can be configured to contain sensitive information, such as accounts that have permissions to join the domain and volume licensing keys. Impersonation and elevation of privileges Task sequences can join a computer to domain, which can provide a rogue computer with authenticated network access. Another important security consideration for operating system deployment is to protect the client authentication certificate that is used for bootable task sequence media and for PXE boot deployment. When you capture a client authentication certificate, this gives an attacker an opportunity to obtain the private key in the certificate and then impersonate a valid client on the network. If an attacker obtains the client certificate that is used for bootable task sequence media and for PXE boot deployment, this certificate can be used to impersonate a valid client to Configuration Manager. In this scenario, the rogue computer can download policy, which can contain sensitive data. If clients use the Network Access Account to access data stored on the state migration point, these clients effectively share the same identity and could access state migration data from another client that uses the Network Access Account. The data is encrypted so only the original client can read it, but the data could be tampered with or deleted. The state migration point does not use authentication in Configuration Manager with no service pack In Configuration Manager with no service pack, the state migration point does not authenticate connections, so anybody can send data to the state migration point and anybody can retrieve data that is stored on there. Although only the original computer can read the retrieved user state data, do not consider this data secured. In Configuration Manager SP1, client authentication to the state migration point is achieved by using a Configuration Manager token that is issued by the management point.

2458

In addition, Configuration Manager does not limit or manage the amount of data that is stored on the state migration point and an attacker could fill up the available disk space and cause a denial of service. If you use collection variables, local administrators can read potentially sensitive information Although collection variables offer a flexible method to deploy operating systems, this might result in information disclosure.

Privacy Information for Operating System Deployment

In addition to deploying operating systems to computers with no operating system, Configuration Manager can be used to migrate users files and settings from one computer to another. The administrator configures which information to transfer, including personal data files, configuration settings, and browser cookies. The information is stored on a state migration point and is encrypted during transmission and storage. The information is allowed to be retrieved by the new computer associated with the state information. If the new computer loses the key to retrieve the information, a Configuration Manager administrator with the View Recovery Information right on computer association instance objects can access the information and associate it with a new computer. After the new computer restores the state information, it deletes the data after one day by default. You can configure when the state migration point removes data marked for deletion. The state migration information is not stored in the site database and is not sent to Microsoft. If you use boot media to deploy operating system images, always use the default option to password-protect the boot media. The password encrypts any variables stored in the task sequence, but any information not stored in a variable might be vulnerable to disclosure. Operating system deployment can use task sequences to perform many different tasks during the deployment process, which includes installing applications and software updates. When you configure task sequences, you should also be aware of the privacy implications of installing software. Configuration Manager does not implement operating system deployment by default and requires several configuration steps before you collect user state information or create task sequences or boot images. Before you configure operating system deployment, consider your privacy requirements.

See Also
Operating System Deployment in Configuration Manager

2459

Security and Privacy for Collections in Configuration Manager

This topic contains security best practices and privacy information for collections in System Center 2012 Configuration Manager. There is no privacy information specifically for collections in Configuration Manager. Collections are containers for resources, such as users and devices. Collection membership often depends on the information that Configuration Manager collects during standard operation. For example, by using resource information that has been collected from discovery or inventory, a collection can be configured to contain the devices that meet specified criteria. Collections might also be based on the current status information for client management operations, such as deploying software and checking for compliance. In addition to these query-based collections, administrative users can also add resources to collections. For more information about collections, see Introduction to Collections in Configuration Manager. For more information about any security best practices and privacy information for Configuration Manager operations that can be used to configure collection membership, see Security Best Practices and Privacy Information for Configuration Manager.

Security Best Practices for Collections

Use the following security best practice for collections.
Security best practice More information

When you export or import a collection by using a Managed Object Format (MOF) file that is saved to a network location, secure the location, and secure the network channel.

Restricts who can access the network folder. Use Server Message Block (SMB) signing or Internet Protocol security (IPsec) between the network location and the site server to prevent an attacker from tampering with the exported collection data. Use IPsec to encrypt the data on the network to prevent information disclosure.

Security Issues for Collections

Collections have the following security issues: If you use collection variables, local administrators can read potentially sensitive information. Collection variables can be used when you deploy an operating system.

2460

See Also
Collections in Configuration Manager

Security and Privacy for Queries in Configuration Manager

Queries in Configuration Manager let you retrieve information from the site database based on the criteria that you specify. Configuration Manager collects the site database information during standard operation. For example, by using information that has been collected from discovery or inventory, you can configure a query to identify devices that meet specified criteria. For more information about queries, see Introduction to Queries in Configuration Manager. For more information about any security best practices and privacy information for Configuration Manager operations that collect the information that you can retrieve by using queries, see Security Best Practices and Privacy Information for Configuration Manager.

Security Best Practices for Queries

Use the following security best practice for queries.
Security best practice More information

When you export or import a query that is Restrict who can access the network folder. saved to a network location, secure the location Use server message block (SMB) signing or and secure the network channel. Internet Protocol Security (IPsec) between the network location and the site server to prevent an attacker from tampering with the query data before it is imported.

See Also
Queries in Configuration Manager

Security and Privacy for Hardware Inventory in Configuration Manager

This topic contains security and privacy information for hardware inventory in System Center 2012 Configuration Manager.
2461

Security Best Practices for Hardware Inventory

Use the following security best practices for when you collect hardware inventory data from clients:
Security best practice More information

Sign and encrypt inventory data

When clients communicate with management points by using HTTPS, all data that they send is encrypted by using SSL. However, when client computers use HTTP to communicate with management points on the intranet, client inventory data and collected files can be sent unsigned and unencrypted. Make sure that the site is configured to require signing and use encryption. In addition, if clients can support the SHA-256 algorithm, select the option to require SHA-256.

Do not collect IDMIF and NOIDMIF files in high- You can use IDMIF and NOIDMIF file collection security environments to extend hardware inventory collection. When necessary, Configuration Manager creates new tables or modifies existing tables in the Configuration Manager database to accommodate the properties in IDMIF and NOIDMIF files. However, Configuration Manager does not validate IDMIF and NOIDMIF files, so these files could be used to alter tables that you do not want altered. Valid data could be overwritten by invalid data. In addition, large amounts of data could be added and the processing of this data might cause delays in all Configuration Manager functions. To mitigate these risks, configure the hardware inventory client setting Collect MIF files as None.

Security Issues for Hardware Inventory

Collecting inventory exposes potential vulnerabilities. Attackers can perform the following: Send invalid data, which will be accepted by the management point even when the software inventory client setting is disabled and file collection is not enabled. Send excessively large amounts of data in a single file and in lots of files, which might cause a denial of service.
2462

Access inventory information as it is transferred to Configuration Manager.

Because a user with local administrative privileges can send any information as inventory data, do not consider inventory data that is collected by Configuration Manager to be authoritative. Hardware inventory is enabled by default as a client setting.

Privacy Information for Hardware Inventory

Note The information in this section also appears in Security and Privacy for Software Inventory in Configuration Manager. Hardware inventory allows you to retrieve any information that is stored in the registry and in WMI on Configuration Manager clients. Software inventory allows you to discover all files of a specified type or to collect any specified files from clients. Asset Intelligence enhances the inventory capabilities by extending hardware and software inventory and adding new license management functionality. Hardware inventory is enabled by default as a client setting and the WMI information collected is determined by options that you select. Software inventory is enabled by default but files are not collected by default. Asset Intelligence data collection is automatically enabled, although you can select the hardware inventory reporting classes to enable.. Inventory information is not sent to Microsoft. Inventory information is stored in the Configuration Manager database. When clients use HTTPS to connect to management points, the inventory data that they send to the site is encrypted during the transfer. If clients use HTTP to connect to management points, you have the option to enable inventory encryption. The inventory data is not stored in encrypted format in the database. Information is retained in the database until it is deleted by the site maintenance tasks Delete Aged Inventory History or Delete Aged Collected Files every 90 days. You can configure the deletion interval. Before you configure hardware inventory, software inventory, file collection, or Asset Intelligence data collection, consider your privacy requirements.

See Also
Hardware Inventory in Configuration Manager

Security and Privacy for Software Inventory in Configuration Manager

This topic contains security and privacy information for software inventory in System Center 2012 Configuration Manager.
2463

Security Best Practices for Software Inventory

Use the following security best practices for when you collect software inventory data from clients:
Security best practice More information

Sign and encrypt inventory data

When clients communicate with management points by using HTTPS, all data that they send is encrypted by using SSL. However, when client computers use HTTP to communicate with management points on the intranet, client inventory data and collected files can be sent unsigned and unencrypted. Make sure that the site is configured to require signing and use encryption. In addition, if clients can support the SHA-256 algorithm, select the option to require SHA-256. Configuration Manager software inventory uses all the rights of the LocalSystem account, which has the ability to collect copies of critical system files, such as the registry or security account database. When these files are available at the site server, someone with the Read Resource rights or NTFS rights to the stored file location could analyze their contents and possibly discern important details about the client in order to be able to compromise its security. A user with local administrative rights can send invalid data as inventory information.

Do not use file collection to collect critical files or sensitive information

Restrict local administrative rights on client computers

Security Issues for Software Inventory

Collecting inventory exposes potential vulnerabilities. Attackers can perform the following: Send invalid data, which will be accepted by the management point even when the software inventory client setting is disabled and file collection is not enabled. Send excessively large amounts of data in a single file and in lots of files, which might cause a denial of service. Access inventory information as it is transferred to Configuration Manager.

If users know that they can create a hidden file named Skpswi.dat and place it in the root of a client hard drive to exclude it from software inventory, you will not be able to collect software inventory data from that computer.
2464

Because a user with local administrative privileges can send any information as inventory data, do not consider inventory data that is collected by Configuration Manager to be authoritative. Software inventory is enabled by default as a client setting.

Privacy Information for Software Inventory

Note The information in this section also appears in Security and Privacy for Hardware Inventory in Configuration Manager. Hardware inventory allows you to retrieve any information that is stored in the registry and in WMI on Configuration Manager clients. Software inventory allows you to discover all files of a specified type or to collect any specified files from clients. Asset Intelligence enhances the inventory capabilities by extending hardware and software inventory and adding new license management functionality. Hardware inventory is enabled by default as a client setting and the WMI information collected is determined by options that you select. Software inventory is enabled by default but files are not collected by default. Asset Intelligence data collection is automatically enabled, although you can select the hardware inventory reporting classes to enable. Inventory information is not sent to Microsoft. Inventory information is stored in the Configuration Manager database. When clients use HTTPS to connect to management points, the inventory data that they send to the site is encrypted during the transfer. If clients use HTTP to connect to management points, you have the option to enable inventory encryption. The inventory data is not stored in encrypted format in the database. Information is retained in the database until it is deleted by the site maintenance tasks Delete Aged Inventory History or Delete Aged Collected Files every 90 days. You can configure the deletion interval. Before you configure hardware inventory, software inventory, file collection, or Asset Intelligence data collection, consider your privacy requirements.

See Also
Software Inventory in Configuration Manager

Security and Privacy for Asset Intelligence in Configuration Manager

This topic contains security and privacy information for Asset Intelligence in Configuration Manager.

2465

Security Best Practices for Asset Intelligence

Use the following security best practices for when you use Asset Intelligence.
Security best practice More information

When you import a license file (Microsoft Volume Licensing file or a General License Statement file), secure the file and communication channel.

Use NTFS file system permissions to ensure that only authorized users can access the license files and use Server Message Block (SMB) signing to ensure the integrity of the data when it is transferred to the site server during the import process. Use role-based administration to grant the Manage Asset Intelligence permission to the administrative user who imports license files. The built-in role of Asset Manager includes this permission.

Use the principle of least permissions to import the license files.

Privacy Information for Asset Intelligence

Asset Intelligence extends the inventory capabilities of Configuration Manager to provide a higher level of asset visibility in the enterprise. Asset Intelligence information collection is not automatically enabled. You can modify the type of information collected by enabling hardware inventory reporting classes. For more information, see Enable Asset Intelligence Hardware Inventory Reporting Classes. Asset Intelligence information is stored in the Configuration Manager database in the same manner as inventory information. When clients connect to management points by using HTTPS, the data is always encrypted during transfer to the management point. When clients connect by using HTTP, you can configure the inventory data transfer to be signed and encrypted. Inventory data is not stored in encrypted format in the database. Information is retained in the database, until the site maintenance task Delete Aged Inventory History deletes it in intervals of every 90 days. You can configure the deletion interval. Asset Intelligence does not send information about users and computers or license usage to Microsoft. You can choose to send System Center Online requests for categorization, which means that you can tag one or more software titles that are uncategorized and send them to System Center Online for research and categorization. After a software title is uploaded, Microsoft researchers identify, categorize, and then make that knowledge available to all customers who use the on-line service. You should be aware of the following privacy implications of submitting information to System Center Online: Upload applies only to generic software title information (name, publisher, and so on) that you choose to send to System Center Online. Inventory information is not sent with an upload.

2466

Upload never occurs automatically, and the system is not designed for this task to be automated. You must manually select and approve the upload of each software title. A dialog box shows you exactly what data is going to be uploaded, before the upload process starts. License information is not sent to Microsoft. The license information is stored in a separate area of the Configuration Manager database, and it cannot be sent to Microsoft. Any software title that is uploaded becomes public, in the sense that the knowledge of that given application and its categorization become part of the System Center Online Asset Intelligence catalog, and then is downloaded to other consumers of the catalog. The source of the software title is not recorded in the Asset Intelligence catalog, and it is not made available to other customers. However, you must still verify that you do not load any application titles that contain any private information. Uploaded data cannot be recalled.

Before you configure Asset Intelligence data collection and decide whether to submit information to System Center Online, consider the privacy requirements of your organization.

See Also
Asset Intelligence in Configuration Manager

Security and Privacy for Power Management in Configuration Manager

This section contains security and privacy information for power management in System Center 2012 Configuration Manager.

Security Best Practices for Power Management

There are no security-related best practices for power management.

Privacy Information for Power Management

Power management uses features that are built into Windows to monitor power usage and to apply power settings to computers during business hours and nonbusiness hours. Configuration Manager collects power usage information from computers, which includes data about when a user is using a computer. Although Configuration Manager monitors power usage for a collection rather than for each computer, a collection can contain just one computer. Power management is not enabled by default and must be configured by an administrator. The power usage information is stored in the Configuration Manager database and is not sent to Microsoft. Detailed information is retained in the database for 31 days and summarized information is retained for 13 months. You cannot configure the deletion interval.
2467

Before you configure power management, consider your privacy requirements.

See Also
Power Management in Configuration Manager

Security and Privacy for Remote Control in Configuration Manager

This topic contains security and privacy information for remote control in System Center 2012 Configuration Manager.

Security Best Practices for Remote Control

Use the following security best practices when you manage client computers by using remote control.
Security best practice More information

When you connect to a remote computer, do not continue if NTLM instead of Kerberos authentication is used.

When Configuration Manager detects that the remote control session is authenticated by using NTLM instead of Kerberos, you see a prompt that warns you that the identity of the remote computer cannot be verified. Do not continue with the remote control session. NTLM authentication is a weaker authentication protocol than Kerberos and is vulnerable to replay and impersonation. The Clipboard supports objects such as executable files and text and could be used by the user on the host computer during the remote control session to run a program on the originating computer. Software that observes keyboard input could capture the password. Or, if the program that is being run on the client computer is not the program that the remote control user assumes, the program might be capturing the password. When accounts and passwords are required, the end user should enter them.
2468

Do not enable Clipboard sharing in the remote control viewer.

Do not enter passwords for privileged accounts when remotely administering a computer.

Security best practice

More information

Lock the keyboard and mouse during a remote control session.

If Configuration Manager detects that the remote control connection is terminated, Configuration Manager automatically locks the keyboard and mouse so that a user cannot take control of the open remote control session. However, this detection might not occur immediately and does not occur if the remote control service is terminated. Select the action Lock Remote Keyboard and Mouse in the ConfigMgr Remote Control window.

Do not let users configure remote control settings in Software Center.

Do not enable the client setting Users can change policy or notification settings in Software Center to help prevent users from being spied on. Note This setting is for the computer and not the logged-on user.

Enable the Domain Windows Firewall profile.

Enable the client setting Enable remote control on clients Firewall exception profiles and then select the Domain Windows Firewall for intranet computers.

If you log off during a remote control session If you do not log off in this scenario, the session and log on as a different user, ensure that you remains open. log off before you disconnect the remote control session. Do not give users local administrator rights. When you give users local administrator rights, they might be able to take over your remote control session or compromise your credentials. You can use Configuration Manager and Group Policy to make configuration changes to the Remote Assistance settings. When Group Policy is refreshed on the client, by default, it optimizes the process by changing only the policies that have changed on the server. Configuration Manager changes the settings in the local security policy, which might not be
2469

Use either Group Policy or Configuration Manager to configure Remote Assistance settings, but not both.

Security best practice

More information

overwritten unless the Group Policy update is forced. Setting policy in both places might lead to inconsistent results. Choose one of these methods to configure your Remote Assistance settings. Enable the client setting Prompt user for Remote Control permission. Although there are ways around this client setting that prompts a user to confirm a remote control session, enable this setting to reduce the chance of users being spied upon while working on confidential tasks. In addition, educate users to verify the account name that is displayed during the remote control session and disconnect the session if they suspect that the account is unauthorized. Limit the Permitted Viewers list. Local administrator rights are not required for a user to be able to use remote control.

Security Issues for Remote Control

Managing client computers by using remote control has the following security issues: Do not consider remote control audit messages to be reliable. If you start a remote control session and then log on by using alternative credentials, the original account sends the audit messages, not the account that used the alternative credentials. Audit messages are not sent if you copy the binary files for remote control rather than install the Configuration Manager console, and then run remote control at the command prompt.

Privacy Information for Remote Control

Remote control lets you view active sessions on Configuration Manager client computers and potentially view any information stored on those computers. By default, remote control is not enabled. Although you can configure remote control to provide prominent notice and get consent from a user before a remote control session begins, it can also monitor users without their permission or awareness. You can configure View Only access level so that nothing can be changed on the remote control, or Full Control. The account of the connecting administrator is displayed in the remote control session, to help users identify who is connecting to their computer.

2470

By default, Configuration Manager grants the local Administrators group Remote Control permissions. Before you configure remote control, consider your privacy requirements.

See Also
Remote Control in Configuration Manager

Security and Privacy for Software Metering in Configuration Manager

This topic contains security and privacy information for software metering in System Center 2012 Configuration Manager.

Security Best Practices for Software Metering

There are currently no security-related best practices for software metering.

Security Issues for Software Metering

An attacker could send invalid software metering information to Configuration Manager, which will be accepted by the management point even when the software metering client setting is disabled. This might result in a large number of metering rules that are replicated throughout the hierarchy, causing a denial of service on the network and to Configuration Manager site servers. Because an attacker can create invalid software metering data, do not consider software metering information to be authoritative. Software metering is enabled by default as a client setting.

Privacy Information for Software Metering

Software metering monitors the usage of applications on client computers. Software metering is enabled by default. You must configure which applications to meter. Metering information is stored in the Configuration Manager database. The information is encrypted during transfer to a management point but it is not stored in encrypted form in the Configuration Manager database. This information is retained in the database until it is deleted by the site maintenance tasks Delete Aged Software Metering Data (every five days) and Delete Aged Software Metering Summary Data (every 270 days). You can configure the deletion interval. Metering information is not sent to Microsoft. Some additional metering information is collected through hardware inventory. For more information, see Security and Privacy for Hardware Inventory in Configuration Manager. Before you configure software metering, consider your privacy requirements.
2471

See Also
Software Metering in Configuration Manager

Security and Privacy for Out of Band Management in Configuration Manager

This topic contains security and privacy information for out of band management in System Center 2012 Configuration Manager.

Security Best Practices for Out of Band Management

Use the following security best practices when you manage Intel AMT-based computers out of band.
Security best practice More information

Request customized firmware before you purchase Intel AMT-based computers.

Computers that can be managed out of band have BIOS extensions that can set customized values to significantly increase security when these computers are on your network. Check which BIOS extension settings are available from your computer manufacturer, and specify your values. For more information, see Determine Whether to Use a Customized Firmware Image From Your Computer Manufacturer. If your AMT-based computers do not have the firmware values that you want to use, you might be able to manually specify them. For more information about manually configuring the BIOS extensions, see the Intel documentation or the documentation from your computer manufacturer. For additional information, see Intel vPro Expert Center: Microsoft vPro Manageability. Customize the following options to increase your security: Replace all certificate thumbprints of external certification authorities (CAs) with the certificate thumbprint of your own
2472

Security best practice

More information

internal CA. This prevents rogue provisioning servers from attempting to provision your AMT-based computers, and you do not have to purchase provisioning certificates from external CAs. Use a custom password for the MEBx Account so that the default value of admin is not used. Then specify this password with an AMT Provisioning and Discovery Account in Configuration Manager. This prevents rogue provisioning servers from attempting to provision your AMT-based computers with the known default password.

Control the request and installation of the provisioning certificate.

Request the provisioning certificate directly from the provisioning server by using the computer security context so that the certificate is installed directly into the local computer store. If you must request the certificate from another computer, you have to export the private key, and then use additional security controls when you transfer and import the certificate into a certificate store.

Ensure that you request a new provisioning An expired AMT provisioning certificate results certificate before the existing certificate expires. in a provisioning failure. If you are using an external CA for your provisioning certificate, allow for additional time to complete the renewal process and reconfigure the out of band management point.

Use a dedicated certificate template for provisioning AMT-based computers.

If you are use an Enterprise version of Windows Server for your enterprise CA, create a new certificate template by duplicating the default Web Server certificate template, ensure that only the security group that you specify in the out of band management component properties has Read and Enroll permissions, and do not add additional capabilities to the default of server authentication. A dedicated certificate template allows you to better manage and control access to help
2473

Security best practice

More information

prevent elevation of privileges. If you have a Standard version of Windows Server for your enterprise CA, you cannot create a duplicate certificate template. In this scenario, you must add Read and Enroll permissions to the security group that you specify in the out of band management component properties and remove any permission that you do not require. Use AMT power on commands instead of wake-up packets. Although both solutions support waking up computers for software installation, AMT power on commands are more secure than transmitting wake-up packets because they provide authentication and encryption by using standard industry security protocols. By using AMT power on commands with out of band management, this solution can also integrate with an existing public key infrastructure (PKI) deployment, and the security controls can be managed independently from the product. For more information, see Planning How to Wake Up Clients in Planning for Client Communication in Configuration Manager. Even when AMT-based computers have a supported version of AMT, there are some scenarios that out of band management does not support. These scenarios include workgroup computers, computers that have a different namespace, and computers that have a disjoint namespace. To ensure that these AMT-based computers are not published to Active Directory Domain Services and do not have a PKI certificate requested for them, disable AMT in the firmware. AMT provisioning in Configuration Manager creates domain credentials for the accounts published to Active Directory Domain Services, which risks the elevation of privileges when the computers are not part of your Active Directory forest. Use a dedicated OU to publish AMT-based Do not use an existing container or
2474

Disable AMT in the firmware if the computer is not supported for out of band management.

Security best practice

More information

computer accounts.

organizational unit (OU) to publish the Active Directory accounts that are created during AMT provisioning. A separate OU lets you manage and control these accounts better and helps ensure that site servers and these accounts are not granted more permissions than they require. In addition to allowing the site server computer accounts Create all child objects and Delete all child objects permissions for the OU and apply to This object only, allow the following permissions for the site server computer accounts: For the OU: Write all properties permission and apply to This object and all descendant objects. For the Domain Computers group: Write all properties permission and apply to This object only. For the Domain Guest group: Write all properties permissions and apply to This object only.

Allow the site server computer accounts Write permission to the OU, the Domain Computers group, and the Domain Guests group in each domain that contains AMT-based computers.

Use a dedicated collection for AMT provisioning.

Do not use an existing collection that contains more computers than you want to provision for AMT. Instead, create a query-based collection by using the AMT status of Not Provisioned. For more information about the AMT Status and how to construct a query for Not Provisioned, see About the AMT Status and Out of Band Management in Configuration Manager.

Retrieve and store image files securely when you boot from alternative media to use the IDE redirection function.

When you boot from alternative media to use the IDE redirection function, whenever possible, store the image files locally on the computer running the out of band management console. If you must store them on the network, ensure that connections to retrieve the files over the network use SMB signing to help prevent the files being tampered with during the network transfer. In both scenarios, secure the stored files to help prevent unauthorized access, for
2475

Security best practice

More information

example, by using NTFS permissions and the encrypted file system. Retrieve and store AMT audit log files securely. If you save AMT audit log files, whenever possible, store the files locally on the computer that is running the out of band management console. If you must store them on the network, ensure that connections to retrieve the files over the network use SMB signing to help prevent the files being tampered with during the network transfer. In both scenarios, secure the stored files to help prevent unauthorized access, for example, by using NTFS permissions and the encrypted file system. Although you can specify multiple AMT Provisioning and Discovery Accounts so that Configuration Manager can discover computers that have AMT management controllers and provision them for out of band management, do not specify accounts that are not currently required and delete accounts that are no longer required. Specify only the accounts that you require to help ensure that these accounts are not granted more permissions than they require and to reduce unnecessary network traffic and processing. For more information about the AMT Provisioning and Discovery Account, see Configuring the Out of Band Management Component. The AMT Provisioning Removal Account helps ensure service continuity if you must restore the Configuration Manager site. After you restore the site, request and configure a new AMT provisioning certificate, use the AMT Provisioning and Removal Account to remove provisioning information from AMT-based computers, and then reprovision the computers. You might also be able to use this account if an AMT-based computer was reassigned from another site and the provisioning information was not removed.
2476

Minimize the number of AMT Provisioning and Discovery Accounts.

For service continuity, specify a user account as the AMT Provisioning Removal Account and ensure that this user account is also specified as an AMT User Account.

Security best practice

More information

For more information about how to remove AMT provisioning information, see How to Remove AMT Information. Use a single certificate template for client authentication certificates whenever practical. Although you can specify different certificate templates for each of the wireless profiles, use a single certificate template unless you have a business requirement for different settings to be used for different wireless networks, specify only client authentication capability, and dedicate this certificate template for use with Configuration Manager out of band management. For example, if one wireless network required a higher key size or shorter validity period than another, you would have to create a separate certificate template. A single certificate template lets you control its use more easily and guards against elevation of privileges. Depending on the AMT version, Configuration Manager might stop writing new entries to the AMT audit log when it is nearly full or might overwrite old entries. To ensure that new entries are logged and old entries are not overwritten, periodically clear the audit log if required, and save the auditing entries. For more information about how to manage the audit log and monitor auditing activities, see How to Manage the Audit Log for AMT-Based Computers in Configuration Manager. Use the Remote Tools Operator security role to grant administrative users the Control AMT permission, which allows them to view and manage computers by using the out of band management console, and initiate power control actions from the Configuration Manager console. For more information about the security permissions that you might require to manage AMT-based computers, see Configuration Manager Dependencies in Prerequisites for
2477

Ensure that only authorized administrative users perform AMT auditing actions and manage the AMT audit logs as required.

Use the principle of least privileges and rolebased administration to grant administrative users permissions to manage AMT-based computers out of band.

Security best practice

More information

Out of Band Management in Configuration Manager.

Security Issues for Out of Band Management

Managing AMT-based computers out of band has the following security issues: An attacker might fake a provisioning request, which results in the creation of an Active Directory account. Monitor the OU where the AMT accounts are created to ensure that only expected accounts are created. You cannot configure web proxy access for the out of band service point to check the certificate revocation list (CRL) that is published on the Internet. If you enable CRL checking for the AMT provisioning certificate, and the CRL cannot be accessed, the out of band service point does not provision AMT-based computers. The option to disable automatic AMT provisioning is stored on the Configuration Manager client and not in AMT. This means that the AMT-based computer can still be provisioned. For example, the Configuration Manager client might be uninstalled, or the computer might be provisioned by another management product. Even though you select the option to disable automatic provisioning for an AMT-based computer, the out of band service point accepts a provisioning request from that computer.

Privacy Information for Out of Band Management

The out of band management console manages computers that have the Intel vPro chip set and Intel Active Management Technology (Intel AMT) with a firmware version that is supported by Configuration Manager. Configuration Manager temporarily collects information about the computer configuration and settings, such as the computer name, IP address, and MAC address. Information is transferred between the managed computer and the out of band management console by using an encrypted channel. By default, this feature is not enabled, and typically no information is retained after the management session is ended. If you enable AMT auditing, you can save auditing information to a file that includes the IP address of the AMT-based computer that is managed and the domain and user account that performed the management action on the recorded date and time. This information is not sent to Microsoft. You have the option to enable Configuration Manager to discover computers with management controllers that can be managed by the out of band management console. Discovery creates records for the manageable computers and stores them in the database. Data discovery records contain computer information, such as the IP address, operating system, and computer name. By default, discovery of management controllers is not enabled. Discovery information is not sent to Microsoft. Discovery information is stored in the site database. Information is retained in the database until the site maintenance task Delete Aged Discovery Data deletes it in intervals of every 90 days. You can configure the deletion interval. Before you configure out of band management, consider your privacy requirements.
2478

See Also
Compliance Settings in Configuration Manager

Security and Privacy for Compliance Settings in Configuration Manager

This topic contains security and privacy information for compliance settings in System Center 2012 Configuration Manager.

Security Best Practices for Compliance Settings

Use the following security best practices when you manage compliance settings on clients.
Security best practice More information

Do not monitor sensitive data.

To help avoid information disclosure, do not configure configuration items to monitor potentially sensitive information. If you create a compliance rule based on data that users can modify, such as registry settings for configuration choices, the compliance results will not be reliable. Published configuration data can be digitally signed so that you can verify the publishing source and ensure that the data has not been tampered with. If the digital signature verification check fails, you are warned and prompted to continue with the import. Do not import unsigned data if you cannot verify the source and integrity of the data. Ensure that when an administrative user configures a registry or file system setting by browsing to a reference computer, the reference computer had not been compromised. To prevent tampering of the data when it is transferred over the network, use Internet Protocol security (IPsec) or server message block (SMB) between the computer that runs
2479

Do not configure compliance rules that use data that can be modified by end users.

Import Microsoft System Center configuration packs and other configuration data from external sources only if they have a valid digital signature from a trusted publisher.

Implement access controls to protect reference computers.

Secure the communication channel when you browse to a reference computer.

Security best practice

More information

the Configuration Manager console and the reference computer. Restrict and monitor the administrative users who are granted the Compliance Settings Manager role-based security role. Administrative users who are granted the Compliance Settings Manager role can deploy configuration items to all devices and all users in the hierarchy. Configuration items can be very powerful and can include, for example, scripts and registry reconfiguration.

Privacy Information for Compliance Settings

You can use compliance settings to evaluate whether your client devices are compliant with configuration items that you deploy in configuration baselines. Some settings can be automatically remediated if they out of compliance. Compliance information is sent to the site server by the management point and stored in the site database. The information is encrypted when devices send it to the management point, but it is not stored in encrypted format in the site database. Information is retained in the database until the site maintenance task Delete Aged Configuration Management Data deletes it every 90 days. You can configure the deletion interval. Compliance information is not sent to Microsoft. By default, devices do not evaluate compliance settings. In addition, you must configure the configuration items and configuration baselines, and then deploy them to devices. Before you configure compliance settings, consider your privacy requirements.

See Also
Compliance Settings in Configuration Manager

Security and Privacy for Endpoint Protection in Configuration Manager

This topic contains information about security best practices and privacy information for Endpoint Protection in System Center 2012 Configuration Manager. Because Endpoint Protection uses software updates to deliver definition updates to client computers, make sure that you also read Security and Privacy for Software Updates in Configuration Manager.

2480

Security Best Practices for Endpoint Protection

Use the following security best practices for Endpoint Protection.
Security best practice More information

Use automatic deployment rules to deliver definition updates to client computers.

Use the software updates automatic deployment rules to ensure that clients automatically receive the latest definition updates. Because Endpoint Protection clients use status messages to send information about any malware that they detect, prevent others from reading this information on the network by encrypting the data. To configure encryption for the site, see the Configure Signing and Encryption section in the Configuring Security for Configuration Manager topic. For management points to support HTTPS client connections, you must deploy PKI certificates. For more information about the certificate requirements, see PKI Certificate Requirements for Configuration Manager.

Make sure that the site is configured to use encryption, or that all management points are configured for HTTPS client connections.

If you use email notification, configure authenticated access to the SMTP mail server.

Whenever possible, use a mail server that supports authenticated access and use the computer account of the site server for authentication. If you must specify a user account for authentication, use an account that has the least privileges. Although it is always a security best practice to grant end users the least privileges that they need and not to grant them local administrative privileges, this is especially important for Endpoint Protection. When users have local administrative rights on computers that run the Endpoint Protection client, they might be able to do the following: They can delete the reported instances of malware on their computer before this information is sent to Configuration Manager. Information about malware
2481

Ensure that end users do not have local administrative privileges.

Security best practice

More information

detection is collected and sent to the Configuration Manager site every five minutes. It is possible for a local administrator to delete the information on their computer that malware was detected, and if this happens within the five minutes, Configuration Manager will have no information about the detected malware. They can uninstall the Endpoint Protection client or stop dependent services. Although Configuration Manager can detect that the Endpoint Protection is no longer installed and will automatically reinstall it, and client status can restart a stopped service and set it back to automatic, this still leaves a potential window of vulnerability when the computer is unprotected by Endpoint Protection.

Security Issues for Endpoint Protection

Endpoint Protection has the following security issues: Email notification uses SMTP, which is a protocol that lacks security protection. When you use email notification for Endpoint Protection, this can be a convenient method to quickly learn about the malware that is detected on computers so that you can take remedial action as soon as possible. However, before you enable notifications by using email, consider the advantages and disadvantages according to your security risk profile and infrastructure capacity. For example, anybody can send email from your specified sender address and tamper with the message. In addition, an attacker could flood the network and email server with spoofed emails that appear to come from Configuration Manager.

Privacy Information for Endpoint Protection

You see privacy information for Endpoint Protection when you install the Endpoint Protection point, and you can read the Microsoft System Center 2012 Endpoint Protection Privacy Statement online.

See Also
Endpoint Protection in Configuration Manager

2482

Technical Reference for Cryptographic Controls Used in Configuration Manager

Note This topic appears in the Site Administration for System Center 2012 Configuration Manager guide and in the Security and Privacy for System Center 2012 Configuration Manager guide. System Center 2012 Configuration Manager uses signing and encryption to help protect the management of the devices in the Configuration Manager hierarchy. Signing ensures that if data has been altered in transit, the data will be discarded. Encryption prevents an attacker from reading the data by using a network protocol analyzer. The primary hashing algorithm that Configuration Manager uses for signing is SHA-256. When two Configuration Manager sites communicate with each other, they sign their communications by using SHA-256 and you can require that all clients use SHA-256. The primary encryption algorithm implemented in Configuration Manager is 3DES. This is used for storing data in the Configuration Manager database and for when clients communicate by using HTTP. When you use client communication over HTTPS, you can configure your public key infrastructure (PKI) to use RSA certificates with the maximum hashing algorithms and key lengths that are documented in PKI Certificate Requirements for Configuration Manager. For most cryptographic operations, Configuration Manager uses the SHA-2, 3DES, and RSA algorithms from the Windows CryptoAPI library rsaenh.dll. Use the following sections for more information. Cryptographic Controls for Configuration Manager Operations Certificates Used by Configuration Manager Cryptographic Controls for Server Communication Cryptographic Controls for Clients That Use HTTPS Communication to Site Systems Cryptographic Controls for Clients That Use HTTP Communication to Site Systems

Cryptographic Controls for Configuration Manager Operations

Information in Configuration Manager can be signed and encrypted, regardless of whether you use PKI certificates with Configuration Manager.

Policy Signing and Encryption

Client policy assignments are signed by the self-signed site server signing certificate to help prevent the security risk of a compromised management point sending policies that have been tampered with. This safeguard is particularly relevant if you are using Internet-based client

2483

management because this environment requires a management point that is exposed to Internet communication. Policy is encrypted by using 3DES when it contains sensitive data. Policy that contains sensitive data is sent to authorized clients only. Policy that does not have sensitive data is not encrypted.

Policy Hashing
When Configuration Manager clients request policy, they first get a policy assignment so that they know which policies apply to them, and then request only those policy bodies. Each policy assignment contains the calculated hash for the corresponding policy body. The client retrieves the applicable policy bodies and then calculates the hash on that body. If the hash on the downloaded policy body does not match the hash in the policy assignment, the client discards the policy body. The hashing algorithm for policy is SHA-256.

Content Hashing
The distribution manager service on the site server hashes the content files for all packages. The policy provider includes the hash in the software distribution policy. When the Configuration Manager client downloads the content, the client regenerates the hash locally and compares it to the one supplied in the policy. If the hashes match, the content has not been altered and the client installs it. If a single byte of the content has been altered, the hashes will not match and the software will not be installed. This check helps to ensure that the correct software is installed because the actual content is crosschecked with the policy. The default hashing algorithm for content is SHA-256. To change this default, see the documentation for the Configuration Manager Software Development Kit (SDK). Not all devices can support content hashing. The exceptions include the following: Windows clients when they stream App-V content. Windows Phone clients: However, these clients verify the signature of an application that is signed by a trusted source. Windows RT clients: However, these clients verify the signature of an application that is signed by a trusted source and also use package full name (PFN) validation. iOS: However, these devices verify the signature of an application that is signed by any developer certificate from a trusted source. Nokia clients: However, these clients verify the signature of an application that uses a selfsigned certificate. Or, the signature of a certificate from a trusted source and the certificate can sign Nokia Symbian Installation Source (SIS) applications. Android. In addition, these devices do not use signature validation for application installation. Clients that run on versions of Linux and UNIX that do not support SHA-256. For more information, see the About Linux and UNIX Operating Systems That do not Support SHA-256 section in the Planning for Client Deployment for Linux and UNIX Servers topic.

2484

Inventory Signing and Encryption

Inventory that clients send to management points is always signed by devices, regardless of whether they communicate with management points over HTTP or HTTPS. If they use HTTP, you can choose to encrypt this data, which is a security best practice.

State Migration Encryption

Data stored on state migration points for operating system deployment is always encrypted by the User State Migration Tool (USMT) by using 3DES.

Encryption for Multicast Packages to Deploy Operating Systems

For every operating system deployment package, you can enable encryption when the package is transferred to computers by using multicast. The encryption uses Advanced Encryption Standard (AES). If you enable encryption, no additional certificate configuration is required. The multicast-enabled distribution point automatically generates symmetric keys for encrypting the package. Each package has a different encryption key. The key is stored on the multicastenabled distribution point by using standard Windows APIs. When the client connects to the multicast session, the key exchange occurs over a channel encrypted with either the PKI-issued client authentication certificate (when the client uses HTTPS) or the self-signed certificate (when the client uses HTTP). The client stores the key in memory only for the duration of the multicast session.

Encryption for Media to Deploy Operating Systems

When you use media to deploy operating systems and specify a password to protect the media, the environment variables are encrypted by using Advanced Encryption Standard (AES). Other data on the media, including packages and content for applications, is not encrypted.

Encryption for Content that is Hosted on Cloud-Based Distribution Points

When you use cloud-based distribution points in Configuration Manager SP1, the content that you upload to these distribution points is encrypted by using Advanced Encryption Standard (AES) with a 256-bit key size. The content is re-encrypted whenever you update it. When clients download the content, it is encrypted and protected by the HTTPS connection.

Signing in Software Updates

All software updates must be signed by a trusted publisher to protect against tampering. On client computers, the Windows Update Agent (WUA) scans for the updates from the catalog, but will not install the update if it cannot locate the digital certificate in the Trusted Publishers store on the local computer. If a self-signed certificate was used for publishing the updates catalog, such as WSUS Publishers Self-signed, the certificate must also be in the Trusted Root Certification Authorities certificate store on the local computer to verify the validity of the certificate. WUA also
2485

checks whether the Allow signed content from intranet Microsoft update service location Group Policy setting is enabled on the local computer. This policy setting must be enabled for WUA to scan for the updates that were created and published with Updates Publisher. When software updates are published in System Center Updates Publisher, a digital certificate signs the software updates when they are published to an update server. You can either specify a PKI certificate or configure Updates Publisher to generate a self-signed certificate to sign the software update.

Signed Configuration Data for Compliance Settings

When you import configuration data, Configuration Manager verifies the file's digital signature. If the files have not been signed, or if the digital signature verification check fails, you will be warned and prompted whether to continue with the import. Continue to import the configuration data only if you explicitly trust the publisher and the integrity of the files.

Encryption and Hashing for Client Notification

This section applies to Configuration Manager SP1 only. If you use client notification, all communication uses TLS and the highest encryption that the server and client operating systems can negotiate. For example, a client computer running Windows 7 and a management point running Windows Server 2008 R2 can support 128-bit AES encryption, whereas a client computer running Vista to the same management point but will negotiate down to 3DES encryption. The same negotiation occurs for hashing the packets that are transferred during client notification, which uses SHA-1 or SHA-2.

Certificates Used by Configuration Manager

For a list of the public key infrastructure (PKI) certificates that can be used by Configuration Manager, any special requirements or limitations, and how the certificates are used, see PKI Certificate Requirements for Configuration Manager. This list includes the supported hash algorithms and key lengths. Most certificates support SHA-256 and 2048 bits key length. Note All certificates that Configuration Manager uses must contain only single-byte characters in the subject name or subject alternative name. PKI certificates are required for the following scenarios: When you manage Configuration Manager clients on the Internet. When you manage Configuration Manager clients on mobile devices. When you manage Mac computers. When you use cloud-based distribution points. When you manage Intel AMT-based computers out of band.

2486

For most other Configuration Manager communications that require certificates for authentication, signing, or encryption, Configuration Manager automatically uses PKI certificates if they are available. If they are not available, Configuration Manager generates self-signed certificates. Configuration Manager does not use PKI certificates when it manages mobile devices by using the Exchange Server connector.

Mobile Device Management and PKI Certificates

If the mobile device has not been locked by the mobile operator, you can use Configuration Manager or Windows Intune to request and install a client certificate. This certificate provides mutual authentication between the client on the mobile device and Configuration Manager site systems or Windows Intune services. If your mobile device is locked, you cannot use Configuration Manager or Windows Intune to deploy certificates. For more information, see How to Install Clients on Mobile Devices and Enroll Them by Using Configuration Manager. If you enable hardware inventory for mobile devices, Configuration Manager or Windows Intune also inventories the certificates that are installed on the mobile device.

Out of Band Management and PKI Certificates

Out of band management for Intel AMT-based computers uses at least two types of PKI-issued certificates: an AMT provisioning certificate and a web server certificate. The out of band service point uses an AMT provisioning certificate to prepare computers for out of band management. The AMT-based computers that will be provisioned must trust the certificate presented by the out of band management point. By default, AMT-based computers are configured by the computer manufacturer to use external certification authorities (CAs), such as VeriSign, Go Daddy, Comodo, and Starfield. If you purchase a provisioning certificate from one of the external CAs and configure Configuration Manager to use this provisioning certificate, AMT-based computers will trust the CA of the provisioning certificate and provisioning can succeed. However, it is a security best practice to use your own internal CA to issue the AMT provisioning certificate. For more information, see Security Best Practices for Out of Band Management. The AMT-based computers run a web server component within their firmware and that web server component encrypts the communication channel with the out of band service point by using Transport Layer Security (TLS). There is no user interface into the AMT BIOS to manually configure a certificate, so you must have a Microsoft enterprise certification authority that automatically approves certificate requests from requesting AMT-based computers. The request uses PKCS#10 for the request format, which in turn, uses PKCS#7 for transmitting the certificate information to the AMT-based computer. Although the AMT-based computer is authenticated to the computer managing it, there is no corresponding client PKI certificate on the computer managing it. Instead, these communications use either Kerberos or HTTP Digest authentication. When HTTP Digest is used, it is encrypted by using TLS.

2487

An additional type of certificate might be required for managing AMT-based computers out of band: an optional client certificate for 802.1X authenticated wired networks and wireless networks. The client certificate might be required by the AMT-based computer for authentication to the RADIUS server. When the RADIUS server is configured for EAP-TLS authentication, a client certificate is always required. When the RADIUS server is configured for EAPTTLS/MSCHAPv2 or PEAPv0/EAP-MSCHAPv2, the RADIUS configuration specifies whether a client certificate is required or not. This certificate is requested by the AMT-based computer by using the same processes as the web server certificate request.

Operating System Deployment and PKI Certificates

When you use Configuration Manager to deploy operating systems and a management point requires HTTPS client connections, the client computer must also have a certificate to communicate with the management point, even though it is in a transitional phase such as booting from task sequence media or a PXE-enabled distribution point. To support this scenario, you must create a PKI client authentication certificate and export it with the private key and then import it to the site server properties and also add the management points trusted root CA certificate. If you create bootable media, you import the client authentication certificate when you create the bootable media. Configure a password on the bootable media to help protect the private key and other sensitive data configured in the task sequence. Every computer that boots from the bootable media will present the same certificate to the management point as required for client functions such as requesting client policy. If you use PXE boot, you import the client authentication certificate to the PXE-enabled distribution point and it uses the same certificate for every client that boots from that PXE-enabled distribution point. As a security best practice, require users who connect their computers to a PXE service to supply a password to help protect the private key and other sensitive data in the task sequences. If either of these client authentication certificates is compromised, block the certificates in the Certificates node in the Administration workspace, Security node. To manage these certificates, you must have the Manage operating system deployment certificate right. After the operating system is deployed and the Configuration Manager is installed, the client will require its own PKI client authentication certificate for HTTPS client communication.

ISV Proxy Solutions and PKI Certificates

Independent Software Vendors (ISVs) can create applications that extend Configuration Manager. For example, an ISV could create extensions to support non-Windows client platforms such as Macintosh or UNIX computers. However, if the site systems require HTTPS client connections, these clients must also use PKI certificates for communication with the site. Configuration Manager includes the ability to assign a certificate to the ISV proxy that enables communications between the ISV proxy clients and the management point. If you use extensions that require ISV proxy certificates, consult the documentation for that product. For more
2488

information about how to create ISV proxy certificates, see the Configuration Manager Software Developer Kit (SDK). If the ISV certificate is compromised, block the certificate in the Certificates node in the Administration workspace, Security node.

Asset Intelligence and Certificates

Configuration Manager installs with an X.509 certificate that the Asset Intelligence synchronization point uses to connect to Microsoft. Configuration Manager uses this certificate to request a client authentication certificate from the Microsoft certificate service. The client authentication certificate is installed on the Asset Intelligence synchronization point site system server and it is used to authenticate the server to Microsoft. Configuration Manager uses the client authentication certificate to download the Asset Intelligence catalog and to upload software titles. This certificate has a key length of 1024 bits.

Cloud-Based Distribution Points and Certificates

Cloud-based distribution points in Configuration Manager SP1 require a management certificate (self-signed or PKI) that you upload to Windows Azure. This management certificate requires server authentication capability and a certificate key length of 2048 bits. In addition, you must configure a service certificate for each cloud-based distribution point, which cannot be self-signed but also has server authentication capability and a minimum certificate key length of 2048 bits. Note The self-signed management certificate is for testing purposes only and not for use on production networks. Clients do not require a client PKI certificate to use cloud-based distribution points; they authenticate to the management by using either a self-signed certificate or a client PKI certificate. The management point then issues a Configuration Manager access token to the client, which the client presents to the cloud-based distribution point. The token is valid for 8 hours.

The Windows Intune Connector and Certificates

When Windows Intune enrolls mobile devices, you can manage these mobile devices in Configuration Manager SP1 by creating a Windows Intune connector. The connector uses a PKI certificate with client authentication capability to authenticate Configuration Manager to Windows Intune and to transfer all information between them by using SSL. The certificate key size is 2048 bits and uses the SHA-1 hash algorithm. When Windows Intune enrolls mobile devices, it installs a PKI certificate onto the mobile device. This certificate has client authentication capability, uses a key size of 2048 bits, and uses the SHA-1 hash algorithm. These PKI certificates are automatically requested, generated, and installed by Windows Intune.
2489

CRL Checking for PKI Certificates

A PKI certificate revocation list (CRL) increases administrative and processing overhead but it is more secure. However, if CRL checking is enabled but the CRL is inaccessible, the PKI connection fails. For more information, see the Planning for PKI Certificate Revocation section in the Planning for Security in Configuration Manager topic. Certificate revocation list (CRL) checking is enabled by default in IIS, so if you are using a CRL with your PKI deployment, there is nothing additional to configure on most Configuration Manager site systems that run IIS. The exception is for software updates, which requires a manual step to enable CRL checking to verify the signatures on software update files. CRL checking is enabled by default for client computers when they use HTTPS client connections. CRL checking is not enabled by default when you run the Out of Band Management console to connect to AMT-based computer, and you can enable this option. You cannot disable CRL checking for clients on Mac computers in Configuration Manager SP1. CRL checking is not supported for the following connections in Configuration Manager: Server-to-server connections. Mobile devices that are enrolled by Configuration Manager. Mobile devices that are enrolled by Windows Intune.

Cryptographic Controls for Server Communication

Configuration Manager uses the following cryptographic controls for server communication.

Server Communication Within a Site

Each site system server uses a certificate to transfer data to other site systems in the same Configuration Manager site. Some site system roles also use certificates for authentication. For example, if you install the enrollment proxy point on one server and the enrollment point on another server, they can authenticate one another by using this identity certificate. When Configuration Manager uses a certificate for this communication, if there is a PKI certificate available that has server authentication capability, Configuration Manager automatically uses it; if not, Configuration Manager generates a self-signed certificate. This self-signed certificate has server authentication capability, uses SHA-256, and has a key length of 2048 bits. Configuration Manager copies the certificate to the Trusted People store on other site system servers that might need to trust the site system. Site systems can then trust one another by using these certificates and PeerTrust. In addition to this certificate for each site system server, Configuration Manager generates a selfsigned certificate for most site system roles. When there is more than one instance of the site system role in the same site, they share the same certificate. For example, you might have multiple management points or multiple enrollment points in the same site. This self-signed certificate also uses SHA-256 and has a key length of 2048 bits. It is also copied to the Trusted
2490

People Store on site system servers that might need to trust it. The following site system roles generate this certificate: Application Catalog web service point Application Catalog website point Asset Intelligence synchronization point Endpoint Protection point Enrollment point Fallback status point Management point Multicast-enabled distribution point Out of band service point Reporting services point Software update point State migration point System Health Validator point Windows Intune connector

These certificates are managed automatically by Configuration Manager, and where necessary, automatically generated. Configuration Manager also uses a client authentication certificate to send status messages from the distribution point to the management point. When the management point is configured for HTTPS client connections only, you must use a PKI certificate. If the management point accepts HTTP connections, you can use a PKI certificate or select the option to use a self-signed certificate that has client authentication capability, uses SHA-256, and has a key length of 2048 bits.

Server Communication Between Sites

Configuration Manager transfers data between sites by using database replication and file-based replication. For more information, see Technical Reference for Site Communications in Configuration Manager. Configuration Manager automatically configures the database replication between sites and uses PKI certificates that have server authentication capability if these are available; if not, Configuration Manager creates self-signed certificates for server authentication. In both cases, authentication between sites is established by using certificates in the Trusted People Store that uses PeerTrust. This certificate store is used to ensure that only the SQL Server computers that are used by the Configuration Manager hierarchy participate in site-to-site replication. Whereas primary sites and the central administration site can replicate configuration changes to all sites in the hierarchy, secondary sites can replicate configuration changes only to their parent site. Site servers establish site-to-site communication by using a secure key exchange that happens automatically. The sending site server generates a hash and signs it with its private key. The receiving site server checks the signature by using the public key and compares the hash with a
2491

locally generated value. If they match, the receiving site accepts the replicated data. If the values do not match, Configuration Manager rejects the replication data. Database replication in Configuration Manager uses the SQL Server Service Broker to transfer data between sites by using the following mechanisms: SQL Server to SQL Server connection: This uses Windows credentials for server authentication and self-signed certificates with 1024 bits to sign and encrypt the data by using Advanced Encryption Standard (AES). If PKI certificates with server authentication capability are available, these will be used. The certificate must be located in the Personal store for the Computer certificate store. SQL Service Broker: This uses self-signed certificates with 2048 bits for authentication and to sign and encrypt the data by using Advanced Encryption Standard (AES). The certificate must be located in the SQL Server master database.

File-based replication uses the Server Message Block (SMB) protocol, and uses SHA-256 to sign this data that is not encrypted but does not contain any sensitive data. If you want to encrypt this data, you can use IPsec and must implement this independently from Configuration Manager.

Cryptographic Controls for Clients That Use HTTPS Communication to Site Systems
When site system roles accept client connections, you can configure them to accept HTTPS and HTTP connections, or only HTTPS connections. Site system roles that accept connections from the Internet only accept client connections over HTTPS. Client connections over HTTPS offer a higher level of security by integrating with a public key infrastructure (PKI) to help protect client-to-server communication. However, configuring HTTPS client connections without a thorough understanding of PKI planning, deployment, and operations could still leave you vulnerable. For example, if you do not secure your root CA, attackers could compromise the trust of your entire PKI infrastructure. Failing to deploy and manage the PKI certificates by using controlled and secured processes might result in unmanaged clients that cannot receive critical software updates or packages. Important The PKI certificates that are used for client communication protect the communication only between the client and some site systems. They do not protect the communication channel between the site server and site systems or between site servers.

Communication That Is Unencrypted When Clients Use HTTPS Communication

When clients communicate with site systems by using HTTPS, communications are usually encrypted over SSL. However, in the following situations, clients communicate with site systems without using encryption: Client fails to make an HTTPS connection on the intranet and fall back to using HTTP when site systems allow this configuration
2492

Communication to the following site system roles: Client sends state messages to the fallback status point Client sends PXE requests to a PXE-enabled distribution point Client sends notification data to a management point

Reporting services points are configured to use HTTP or HTTPS independently from the client communication mode.

Cryptographic Controls for Clients That Use HTTP Communication to Site Systems
When clients use HTTP communication to site system roles, they can use PKI certificates for client authentication, or self-signed certificates that Configuration Manager generates. When Configuration Manager generates self-signed certificates, they have client authentication capability, use SHA-256, and have a key length of 2048 bits.

Operating System Deployment and Self-signed Certificates

When you use Configuration Manager to deploy operating systems with self-signed certificates, a client computer must also have a certificate to communicate with the management point, even if the computer is in a transitional phase such as booting from task sequence media or a PXEenabled distribution point. To support this scenario for HTTP client connections, Configuration Manager generates self-signed certificates that have client authentication capability, use SHA256, and 2048 bits. If the self-signed certificates are compromised, to prevent attackers from using them to impersonate trusted clients, block the certificates in the Certificates node in the Administration workspace, Security node.

Client and Server Authentication

When clients connect over HTTP, they authenticate the management points by using either Active Directory Domain Services or by using the Configuration Manager trusted root key. Clients do not authenticate other site system roles, such as state migration points or software update points. When a management point first authenticates a client by using the self-signed client certificate, this mechanism provides minimal security because any computer can generate a self-signed certificate. In this scenario, the client identity process must be augmented by approval. Only trusted computers must be approved, either automatically by Configuration Manager, or manually, by an administrative user. For more information, see the approval section in Planning for Client Communication to Site Systems.

See Also
Technical Reference for Site Administration in Configuration Manager
2493

Technical Reference for Ports Used in Configuration Manager

Note This topic appears in the Site Administration for System Center 2012 Configuration Manager guide and in the Security and Privacy for System Center 2012 Configuration Manager guide. System Center 2012 Configuration Manager is a distributed client/server system. The distributed nature of Configuration Manager means that connections can be established between site servers, site systems, and clients. Some connections use ports that are not configurable, and some support custom ports you specify. You must verify that the required ports are available if you use any port filtering technology such as firewalls, routers, proxy servers, and IPsec. Note If you support Internet-based clients by using SSL bridging, in addition to port requirements, you might have to also allow some HTTP verbs and headers to traverse your firewall. For more information, see Prerequisites for Internet-Based Client Management in the Planning for Communications in Configuration Manager topic. The port listings that follow are used by Configuration Manager and do not include information for standard Windows services, such as Group Policy settings for Active Directory Domain Services and Kerberos authentication. For information about Windows Server services and ports, see Service overview and network port requirements for the Windows Server system. Configurable Ports Non-Configurable Ports Ports Used by Configuration Manager Clients and Site Systems Additional Lists of Ports AMT Out of Band Management Ports Client to Server Shares Connections to Microsoft SQL Server External Connections made by Configuration Manager Installation Requirements for Site Systems that Support Internet-Based Clients Ports Used by Configuration Manager Client Installation Ports Used by Windows Server

Configurable Ports
Configuration Manager allows you to configure the ports for the following types of communication: Application Catalog Website point to Application Catalog web service point Enrollment proxy point to enrollment point
2494

Client to site systems that run IIS Client to Internet (as proxy server settings) Software update point to Internet (as proxy server settings) Software update point to WSUS server Site server to site database server Reporting services points Note The ports in use for the reporting services point site system role are configured in SQL Server Reporting Services. These ports are then used by Configuration Manager during communications to the reporting services point. Be sure to review these ports defining the IP filter information for IPsec policies or for configuring firewalls.

By default, the HTTP port used for client to site system communication is port 80, and the default HTTPS port is 443. Ports for client-to-site system communication over HTTP or HTTPS can be changed during Setup or in the Site Properties for your Configuration Manager site. The ports in use for the reporting services point site system role are configured in SQL Server Reporting Services. These ports are then used by Configuration Manager during communications to the reporting services point. Be sure to review these ports defining the IP filter information for IPsec policies or for configuring firewalls.

Non-Configurable Ports
Configuration Manager does not allow you to configure ports for the following types of communication: Site to site Site server to site system Configuration Manager console to SMS Provider Configuration Manager console to the Internet Connections to cloud services, such as Windows Intune and cloud-based distribution points

Ports Used by Configuration Manager Clients and Site Systems

The following sections detail the ports used for communication in Configuration Manager. The arrows in the section title, between the computers, represent the direction of the communication: -- > indicates one computer initiates communication and the other computer always responds < -- > indicates that either computer can initiate communication

Asset Intelligence Synchronization Point < -- > Microsoft

2495

Description

UDP

TCP

Secure Hypertext Transfer Protocol (HTTPS)

--

443

Application Catalog Web Service Point -- > SQL Server

Description UDP TCP

SQL over TCP

--

1433 (See note 2, Alternate Port Available)

Application Catalog Website Point -- > Application Catalog Web Service Point
Description UDP TCP

Hypertext Transfer Protocol (HTTP) Secure Hypertext Transfer Protocol (HTTPS)

--

80 (See note 2, Alternate Port Available) 443 (See note 2, Alternate Port Available)

--

Endpoint Protection Point -- > Internet

Description UDP TCP

Hypertext Transfer Protocol (HTTP)

--

80

Enrollment Proxy Point -- > Enrollment Point

Description UDP TCP

Secure Hypertext Transfer Protocol (HTTPS)

--

443 (See note 2, Alternate Port Available)

Enrollment Point -- > SQL Server

2496

Description

UDP

TCP

SQL over TCP

--

1433 (See note 2, Alternate Port Available)

Exchange Server Connector -- > Exchange Online

Description UDP TCP

Windows Remote Management over HTTPS

--

5986

Exchange Server Connector -- > On Premises Exchange Server

Description UDP TCP

Windows Remote Management over HTTP

--

5985

Client -- > Application Catalog Website Point

Description UDP TCP

Hypertext Transfer Protocol (HTTP) Secure Hypertext Transfer Protocol (HTTPS)

--

80 (See note 2, Alternate Port Available) 443 (See note 2, Alternate Port Available)

--

Client -- > Client

In addition to the ports listed in the following table, wake-up proxy also uses Internet Control Message Protocol (ICMP) echo request messages from one client to another client when they are configured for wake-up proxy. This communication is used to confirm whether the other client computer is awake on the network. ICMP is sometimes referred to as TCP/IP ping commands. ICMP does not have a UDP or TCP protocol number, and so it is not listed in the following table. However, any host-based firewalls on these client computers or intervening network devices within the subnet must permit ICMP traffic for wake-up proxy communication to succeed.

2497

Description

UDP

TCP

Wake on LAN

9 (See note 2, Alternate Port Available) 25536 (See note 2, Alternate Port Available)

--

Wake-up proxy

--

Client -- > Cloud-Based Distribution Point

Description UDP TCP

Secure Hypertext Transfer Protocol (HTTPS)

--

443

Client -- > Distribution Point

Description UDP TCP

Hypertext Transfer Protocol (HTTP) Secure Hypertext Transfer Protocol (HTTPS)

--

80 (See note 2, Alternate Port Available) 443 (See note 2, Alternate Port Available)

--

Client -- > Distribution Point Configured for Multicast

Description UDP TCP

Server Message Block (SMB) Multicast Protocol

-63000-64000

445 --

Client -- > Distribution Point Configured for PXE

Description UDP TCP

Dynamic Host Configuration Protocol (DHCP) Trivial File Transfer Protocol

67 and 68

--

69 (See note 4 Trivial FTP

-2498

Description

UDP

TCP

(TFTP) Boot Information Negotiation Layer (BINL)

(TFTP) Daemon) 4011 --

Client -- > Fallback Status Point

Description UDP TCP

Hypertext Transfer Protocol (HTTP)

--

80 (See note 2, Alternate Port Available)

Client -- > Global Catalog Domain Controller

A Configuration Manager client does not contact a global catalog server when it is a workgroup computer or when it is configured for Internet-only communication.
Description UDP TCP

Global Catalog LDAP Global Catalog LDAP SSL

---

3268 3269

Client -- > Management Point

Description UDP TCP

Client notification (default communication before falling back to HTTP or HTTPS) Hypertext Transfer Protocol (HTTP) Secure Hypertext Transfer Protocol (HTTPS)

--

10123 (See note 2, Alternate Port Available)

--

80 (See note 2, Alternate Port Available) 443 (See note 2, Alternate Port Available)

--

Client -- > Software Update Point

2499

Description

UDP

TCP

Hypertext Transfer Protocol (HTTP)

--

80 or 8530 (See note 3, Windows Server Update Services) 443 or 8531 (See note 3, Windows Server Update Services)

Secure Hypertext Transfer Protocol (HTTPS)

--

Client -- > State Migration Point

Description UDP TCP

Hypertext Transfer Protocol (HTTP) Secure Hypertext Transfer Protocol (HTTPS) Server Message Block (SMB)

--

80 (See note 2, Alternate Port Available) 443 (See note 2, Alternate Port Available) 445

--

--

Client -- > System Health Validator

The client requires the ports established by the Windows Network Access Protection client, which is dependent upon the enforcement client being used. For example, DHCP enforcement will use ports UDP 67 and 68. IPsec enforcement will use ports TCP 80 or 443 to the Health Registration Authority, port UDP 500 for IPsec negotiation and the additional ports needed for the IPsec filters. For more information, see the Windows Network Access Protection documentation. For help with configuring firewalls for IPsec, see How to Enable IPsec Traffic Through a Firewall.

Configuration Manager Console -- > Client

Description UDP TCP

Remote Control (control) Remote Assistance (RDP and RTC)

---

2701 3389

Configuration Manager Console -- > Internet

2500

Description

UDP

TCP

Hypertext Transfer Protocol (HTTP)

--

80

Configuration Manager Console -- > Reporting Services Point

Description Hypertext Transfer Protocol (HTTP) Secure Hypertext Transfer Protocol (HTTPS) UDP -TCP 80 (See note 2, Alternate Port Available) 443 (See note 2, Alternate Port Available)

--

Configuration Manager Console -- > Site Server

Description UDP TCP

RPC (initial connection to WMI to locate provider system)

--

135

Configuration Manager Console -- > SMS Provider

Description UDP TCP

RPC Endpoint Mapper RPC

135 --

135 DYNAMIC

Mac Computer -- > Enrollment Proxy Point

Description UDP TCP

Secure Hypertext Transfer Protocol (HTTPS)

--

443

Management Point -- > Domain Controller

2501

Description

UDP

TCP

Lightweight Directory Access Protocol (LDAP) LDAP (Secure Sockets Layer [SSL] connection) Global Catalog LDAP Global Catalog LDAP SSL RPC Endpoint Mapper RPC

--

389

636

636

--135 --

3268 3269 135 DYNAMIC

Management Point < -- > Site Server

(See note 5, Communication between the site server and site systems)
Description UDP TCP

RPC Endpoint mapper RPC Server Message Block (SMB)

----

135 DYNAMIC 445

Management Point -- > SQL Server

Description UDP TCP

SQL over TCP

--

1433 (See note 2, Alternate Port Available)

Mobile Device -- > Enrollment Proxy Point

Description UDP TCP

Secure Hypertext Transfer Protocol (HTTPS)

--

443

Mobile Device -- > Windows Intune

2502

Description

UDP

TCP

Secure Hypertext Transfer Protocol (HTTPS)

--

443

Out of Band Service Point --> Enrollment Point

Description UDP TCP

Secure Hypertext Transfer Protocol (HTTPS)

--

443

Out of Band Service Point --> AMT Management Controller

Description UDP TCP

Power control, provisioning, and discovery

--

16993

Out of Band Management Console --> AMT Management Controller

Description UDP TCP

General management tasks Serial over LAN and IDE redirection

---

16993 16995

Reporting Services Point -- > SQL Server

Description UDP TCP

SQL over TCP

--

1433 (See note 2, Alternate Port Available)

Site Server < -- > Application Catalog Web Service Point

2503

Description

UDP

TCP

Server Message Block (SMB) RPC Endpoint Mapper RPC

-135 --

445 135 DYNAMIC

Site Server < -- > Application Catalog Website Point

Description UDP TCP

Server Message Block (SMB) RPC Endpoint Mapper RPC

-135 --

445 135 DYNAMIC

Site Server < -- > Asset Intelligence Synchronization Point

Description UDP TCP

Server Message Block (SMB) RPC Endpoint Mapper RPC

-135 --

445 135 DYNAMIC

Site Server -- > Client

Description UDP TCP

Wake on LAN

9 (See note 2, Alternate Port Available)

--

Site Server -- > Cloud-Based Distribution Point

Description UDP TCP

Secure Hypertext Transfer Protocol (HTTPS)

--

443

2504

Site Server -- > Distribution Point

(See note 5, Communication between the site server and site systems)
Description UDP TCP

Server Message Block (SMB) RPC Endpoint Mapper RPC

-135 --

445 135 DYNAMIC

Site Server -- > Domain Controller

Description UDP TCP

Lightweight Directory Access Protocol (LDAP) LDAP (Secure Sockets Layer [SSL] connection) Global Catalog LDAP Global Catalog LDAP SSL RPC Endpoint Mapper RPC

--

389

636

636

--135 --

3268 3269 135 DYNAMIC

Site Server < -- > Endpoint Protection Point

Description UDP TCP

Server Message Block (SMB) RPC Endpoint Mapper RPC

-135 --

445 135 DYNAMIC

Site Server < -- > Enrollment Point

Description UDP TCP

Server Message Block (SMB)

--

445
2505

Description

UDP

TCP

RPC Endpoint Mapper RPC

135 --

135 DYNAMIC

Site Server < -- > Enrollment Proxy Point

Description UDP TCP

Server Message Block (SMB) RPC Endpoint Mapper RPC

-135 --

445 135 DYNAMIC

Site Server -- > Internet

Description UDP TCP

Hypertext Transfer Protocol (HTTP)

--

80 (See note 1, Proxy Server port)

Site Server < -- > Fallback Status Point

(See note 5, Communication between the site server and site systems)
Description UDP TCP

Server Message Block (SMB) RPC Endpoint Mapper RPC

-135 --

445 135 DYNAMIC

Site Server < -- > Reporting Services Point

(See note 5, Communication between the site server and site systems)
Description UDP TCP

Server Message Block (SMB) RPC Endpoint Mapper

-135

445 135
2506

Description

UDP

TCP

RPC

--

DYNAMIC

Site Server < -- > Site Server

Description UDP TCP

Server Message Block (SMB)

--

445

Site Server -- > SQL Server

Description UDP TCP

SQL over TCP

--

1433 (See note 2, Alternate Port Available)

Site Server -- > SMS Provider

Description UDP TCP

Server Message Block (SMB) RPC Endpoint Mapper RPC

-135 --

445 135 DYNAMIC

Site Server < -- > Software Update Point

(See note 5, Communication between the site server and site systems)
Description UDP TCP

Server Message Block (SMB) Hypertext Transfer Protocol (HTTP)

---

445 80 or 8530 (See note 3, Windows Server Update Services) 443 or 8531 (See note 3, Windows Server Update Services)
2507

Secure Hypertext Transfer Protocol (HTTPS)

--

Site Server < -- > State Migration Point

(See note 5, Communication between the site server and site systems)
Description UDP TCP

Server Message Block (SMB) RPC Endpoint Mapper

-135

445 135

Site Server < -- > System Health Validator

(See note 5, Communication between the site server and site systems)
Description UDP TCP

Server Message Block (SMB) RPC Endpoint Mapper RPC

-135 --

445 135 DYNAMIC

SMS Provider -- > SQL Server

Description UDP TCP

SQL over TCP

--

1433 (See note 2, Alternate Port Available)

Software Update Point -- > Internet

Description UDP TCP

Hypertext Transfer Protocol (HTTP)

--

80 (See note 1, Proxy Server port)

Software Update Point -- > Upstream WSUS Server

2508

Description

UDP

TCP

Hypertext Transfer Protocol (HTTP)

--

80 or 8530 (See note 3, Windows Server Update Services) 443 or 8531 (See note 3, Windows Server Update Services)

Secure Hypertext Transfer Protocol (HTTPS)

--

SQL Server --> SQL Server

Intersite database replication requires the SQL Server at one site to communicate directly with the SQL Server of its parent or child site.
Description UDP TCP

SQL Server Service Broker

--

4022 (See note 2, Alternate Port Available)

Windows Intune Connector -- > Windows Intune

Description UDP TCP

Secure Hypertext Transfer Protocol (HTTPS)

--

443

Notes for Ports Used by Configuration Manager Clients and Site Systems
1. Proxy Server port: This port cannot be configured but can be routed through a configured proxy server. 2. Alternate Port Available: An alternate port can be defined within Configuration Manager for this value. If a custom port has been defined, substitute that custom port when defining the IP filter information for IPsec policies or for configuring firewalls. 3. Windows Server Update Services: WSUS can be installed either on the default Web site (port 80) or a custom Web site (port 8530). After installation, the port can be changed. You do not have to use the same port number throughout the site hierarchy. If the HTTP port is 80, the HTTPS port must be 443. If the HTTP port is anything else, the HTTPS port must be 1 higher for example, 8530 and 8531.
2509

4. Trivial FTP (TFTP) Daemon: The Trivial FTP (TFTP) Daemon system service does not require a user name or password and is an integral part of the Windows Deployment Services (WDS). The Trivial FTP Daemon service implements support for the TFTP protocol defined by the following RFCs: RFC 350TFTP RFC 2347Option extension RFC 2348Block size option RFC 2349Time-out interval, and transfer size options

Trivial File Transfer Protocol is designed to support diskless boot environments. TFTP Daemons listen on UDP port 69 but respond from a dynamically allocated high port. Therefore, enabling this port will allow the TFTP service to receive incoming TFTP requests but will not allow the selected server to respond to those requests. Allowing the selected server to respond to inbound TFTP requests cannot be accomplished unless the TFTP server is configured to respond from port 69. 5. Communication between the site server and site systems: By default, communication between the site server and site systems is bi-directional. The site server initiates communication to configure the site system, and then most site systems connect back to the site server to send status information. Reporting service points and distribution points do not send status information. If you select Require the site server to initiate connections to this site system on the site system properties, after the site system is installed, it will not initiate communication to the site server. Instead, the site server initiates the connections and uses the Site System Installation Account for authentication to the site system server.

Additional Lists of Ports

The following sections provide additional information about ports used by Configuration Manager.

AMT Out of Band Management Ports

The following information lists the ports used by out of band management: Out of Band Service Point --&gt; Enrollment Point Out of Band Service Point --&gt; AMT Management Controller Out of Band Management Console --&gt; AMT Management Controller

Client to Server Shares

Clients use Server Message Block (SMB) whenever they connect to UNC shares. For example: Manual client installation that specifies the CCMSetup.exe /source: command line property. Endpoint Protection clients that download definition files from a UNC path.
UDP TCP

Description

Server Message Block (SMB)

--

445
2510

Connections to Microsoft SQL Server

For communication to the SQL Server database engine and for intersite replication, you can use the default SQL Server port or specify custom ports: Intersite communications use the SQL Server Service Broker, which defaults to port TCP 4022. Intrasite communication between the SQL Server database engine and various Configuration Manager site system roles default to port TCP 1433. Warning Configuration Manager does not support dynamic ports. Because SQL Server named instances by default use dynamic ports for connections to the database engine, when you use a named instance, you must manually configure the static port that you want to use for intrasite communication. The following site system roles communicate directly with the SQL Server database: Application Catalog web service point Enrollment point role Management point Site server Reporting services point SMS Provider SQL Server --> SQL Server

When a SQL Server hosts a database from more than one site, each database must use a separate instance of SQL Server, and each instance must be configured with a unique set of ports. If you have a firewall enabled on the SQL Server computer, ensure that it is configured to allow the ports in use by your deployment, and at any locations on the network between computers that communicate with the SQL Server. For an example of how to configure SQL Server to use a specific port, see How to: Configure a Server to Listen on a Specific TCP Port (SQL Server Configuration Manager) in the SQL Server TechNet library.

External Connections made by Configuration Manager

Configuration Manager clients or site systems can make the following external connections: Asset Intelligence Synchronization Point &lt; -- &gt; Microsoft Endpoint Protection Point -- &gt; Internet Client -- &gt; Global Catalog Domain Controller Configuration Manager Console -- &gt; Internet Management Point -- &gt; Domain Controller Site Server -- &gt; Domain Controller Software Update Point -- &gt; Internet
2511

Software Update Point -- &gt; Upstream WSUS Server

Installation Requirements for Site Systems that Support InternetBased Clients

Management points and distribution points that support internet-based clients, the software update point, and the fallback status point use the following ports for installation and repair: Site server --> site system: RPC endpoint mapper using UDP and TCP port 135. Site server --> site system: RPC dynamic TCP ports. Site server < --> site system: Server message blocks (SMB) using TCP port 445. Site server --> distribution point: RPC endpoint mapper using UDP and TCP port 135. Site server --> distribution point: RPC dynamic TCP ports

Application and package installations on distribution points require the following RPC ports:

Use IPsec to help secure the traffic between the site server and site systems. If you must restrict the dynamic ports that are used with RPC, you can use the Microsoft RPC configuration tool (rpccfg.exe) to configure a limited range of ports for these RPC packets. For more information about the RPC configuration tool, see How to configure RPC to use certain ports and how to help secure those ports by using IPsec. Important Before you install these site systems, ensure that the remote registry service is running on the site system server and that you have specified a Site System Installation Account if the site system is in a different Active Directory forest without a trust relationship.

Ports Used by Configuration Manager Client Installation

The ports that are using during client installation depend on the client deployment method. See Ports Used During Configuration Manager Client Deployment in the Windows Firewall and Port Settings for Client Computers in Configuration Manager topic for a list of ports for each client deployment method. For information about how to configure Windows Firewall on the client for client installation and post-installation communication, see Windows Firewall and Port Settings for Client Computers in Configuration Manager.

Ports Used by Windows Server

The following table lists some of the key ports that Windows Server uses and their respective functions. For a more complete list of Windows Server services and network ports requirements, see Service overview and network port requirements for the Windows Server system.
Description UDP TCP

Domain Name System (DNS) Dynamic Host Configuration

53 67 and 68

53 -2512

Description

UDP

TCP

Protocol (DHCP) NetBIOS Name Resolution NetBIOS Datagram Service NetBIOS Session Service 137 138 ---139

See Also
Technical Reference for Site Administration in Configuration Manager

Technical Reference for Accounts Used in Configuration Manager

Use the following information to identify the Windows groups and the accounts that are used in System Center 2012 Configuration Manager, how they are used, and any requirements.

Windows Groups That Configuration Manager Creates and Uses

Configuration Manager automatically creates and in many cases, automatically maintains the following Windows groups: Note When Configuration Manager creates a group on a computer that is a domain member, the group is a local security group. If the computer is a domain controller, the group is a domain local group that is shared among all domain controllers in the domain.

ConfigMgr_CollectedFilesAccess
This group is used by Configuration Manager to grant access to view files collected by software inventory. The following table lists additional details for this group:
Detail More information

Type and location

This group is a local security group created on the primary site server. Note
2513

Detail

More information

When you uninstall a site, this group is not automatically removed and must be manually deleted. Membership Configuration Manager automatically manages the group membership. Membership includes administrative users that are granted the View Collected Files permission to the Collection securable object from an assigned security role. By default, this group has Read permission to the following folder on the site server: %path%\Microsoft Configuration Manager\sinv.box\FileCol.

Permissions

ConfigMgr_DViewAccess
This group is a local security group created on the site database server or database replica server by System Center 2012 Configuration Manager and is not currently used. This group is reserved for future use by Configuration Manager.

ConfigMgr Remote Control Users

This group is used by Configuration Manager remote tools to store the accounts and groups that you configure in the permitted viewers list that are assigned to each client. The following table lists additional details for this group:
Detail More information

Type and location

This group is a local security group created on the Configuration Manager client when the client receives policy that enables remote tools. Important After you disable remote tools for a client, this group is not automatically removed and must be manually deleted this from each client computer.

Membership

By default, there are no members in this group. When you add users to the Permitted Viewers list, they are automatically added to this group. Tip
2514

Detail

More information

Use the Permitted Viewers list to manage the membership of this group instead of adding users or groups directly to this group. In addition to being a Permitted Viewer, an administrative user must have the Remote Control permission to the Collection object. You can assign this permission by using the Remote Tools Operator security role. Permissions By default, this group does not have permissions to any locations on the computer, and is used only to hold the list of Permitted Viewers.

SMS Admins
This group is used by Configuration Manager to grant access to the SMS Provider, through WMI. Access to the SMS Provider is required to view and modify objects in the Configuration Manager console. Note The role-based administration configuration of an administrative user determines which objects they can view and manage when using the Configuration Manager console. The following table lists additional details for this group:
Detail More information

Type and location

This group is a local security group created on each computer that has a SMS Provider. Note When you uninstall a site, this group is not automatically removed and must be manually deleted.

Membership

Configuration Manager automatically manages the group membership. By default, each administrative user in a hierarchy and the site server computer account are members of the SMS Admins group on each SMS Provider computer in a site.
2515

Detail

More information

Permissions

SMS Admins rights and permissions are set in the WMI Control MMC snap-in. By default, the SMS Admins group is granted Enable Account and Remote Enable on the Root\SMS namespace. Authenticated Users has Execute Methods, Provider Write, and Enable Account Note Administrative users who will use a remote Configuration Manager console require Remote Activation DCOM permissions on both the site server computer and the SMS Provider computer. It is a best practice to grant these rights to the SMS Admins to simplify administration instead of granting these rights directly to users or groups. For more information, see the Configure DCOM Permissions for Remote Configuration Manager Console Connections section in the Manage Site and Hierarchy Configurations topic.

SMS_SiteSystemToSiteServerConnection_MP_<sitecode>
This group is used by Configuration Manager management points that are remote from the site server to connect to the site database. This group provides a management point access to the inbox folders on the site server and the site database. The following table lists additional details for this group:
Detail More information

Type and location

This group is a local security group created on each computer that has a SMS Provider. Note When you uninstall a site, this group is not automatically removed and must be manually deleted.
2516

Detail

More information

Membership

Configuration Manager automatically manages the group membership. By default, membership includes the computer accounts of remote computers that have a management point for the site. By default, this group has Read, Read & execute, and List folder contents permission to the %path%\Microsoft Configuration Manager\inboxes folder on the site server. Additionally, this group has the additional permission of Write to various subfolders below the inboxes to which the management point writes client data.

Permissions

SMS_SiteSystemToSiteServerConnection_SMSProv_<sitecode>
This group is used by Configuration Manager SMS Provider computers that are remote from the site server to connect to the site server. The following table lists additional details for this group:
Detail More information

Type and location

This group is a local security group created on the site server. Note When you uninstall a site, this group is not automatically removed and must be manually deleted.

Membership

Configuration Manager automatically manages the group membership. By default, membership includes the computer account or the domain user account that is used to connect to the site server from each remote computer that has installed a SMS Provider for the site. By default, this group has Read, Read & execute, and List folder contents permission to the %path%\Microsoft Configuration Manager\inboxes folder on the site server. Additionally, this group has the additional
2517

Permissions

Detail

More information

permission of Write or the permissions of Write and Modify to various subfolders below the inboxes to which the SMS Provider requires access. This group also has Read, Read & execute, List folder contents, Write, and Modify permissions to the folders below %path%\Microsoft Configuration Manager\OSD\boot and Read permission to the folders below %path%\Microsoft Configuration Manager\OSD\Bin on the site server.

SMS_SiteSystemToSiteServerConnection_Stat_<sitecode>
This group is used by the File Dispatch Manager on Configuration Manager remote site system computers to connect to the site server. The following table lists additional details for this group:
Detail More information

Type and location

This group is a local security group created on the site server. Note When you uninstall a site, this group is not automatically removed and must be manually deleted.

Membership

Configuration Manager automatically manages the group membership. By default, membership includes the computer account or the domain user account that is used to connect to the site server from each remote site system computer that runs the File Dispatch Manager. By default, this group has Read, Read & execute, and List folder contents permission to the %path%\Microsoft Configuration Manager\inboxes folder and various subfolders below that location on the site server. Additionally, this group has the
2518

Permissions

Detail

More information

additional permissions of Write and Modify to the %path%\Microsoft Configuration Manager\inboxes\statmgr.box folder on the site server.

SMS_SiteToSiteConnection_<sitecode>
This group is used by Configuration Manager to enable file-based replication between sites in a hierarchy. For each remote site that directly transfers files to this site, this group contains the following accounts: Accounts configured as a Site Address Account, from Configuration Manager sites with no service pack Accounts configured as a File Replication Account, from Configuration Manager SP1 sites Note For Configuration Manager SP1 only, the File Replication Account replaces the Site Address Account. The following table lists additional details for this group:
Detail More information

Type and location

This group is a local security group created on the site server. When you install a new site as a child of another site, Configuration Manager automatically adds the computer account of the new site to the group on the parent site server, and the parent sites computer account to the group on the new site server. If you specify another account for file-based transfers, add that account to this group on the destination site server. Note When you uninstall a site, this group is not automatically removed and must be manually deleted.

Membership

Permissions

By default, this group has full control to the %path%\Microsoft Configuration Manager\inboxes\despoolr.box\receive
2519

Detail

More information

folder.

Accounts That Configuration Manager Uses

You can configure the following accounts for Configuration Manager:

Active Directory Group Discovery Account

The Active Directory Group Discovery Account is used to discover local, global, and universal security groups, the membership within these groups, and the membership within distribution groups from the specified locations in Active directory Domain Services. Distribution groups are not discovered as group resources. This account can be a computer account of the site server that runs discovery, or a Windows user account. It must have Read access permission to the Active Directory locations that are specified for discovery.

Active Directory System Discovery Account

The Active Directory System Discovery Account is used to discover computers from the specified locations in Active Directory Domain Services. This account can be a computer account of the site server that runs discovery, or a Windows user account. It must have Read access permission to the Active Directory locations that are specified for discovery.

Active Directory User Discovery Account

The Active Directory User Discovery Account is used to discover user accounts from the specified locations in Active Directory Domain Services. This account can be a computer account of the site server that runs discovery, or a Windows user account. It must have Read access permission to the Active Directory locations that are specified for discovery.

Active Directory Forest Account

The Active Directory Forest Account is used to discovery network infrastructure from Active Directory forests, and is also used by central administration sites and primary sites to publish site data to the Active Directory Domain Services of a forest. Note Secondary sites always use the secondary site server computer account to publish to Active Directory.

2520

Note Active Directory Forest Account must be a global account to discover and publish to untrusted forests. If you do not use the computer account of the site server, you can only select a global account. This account must have Read permissions to each Active Directory forest where you want to discover network infrastructure. This account must have Full Control permissions to the System Management container and all its child objects in each Active Directory forest where you want to publish site data.

AMT Provisioning and Discovery Account

The AMT Provisioning and Discovery Account is functionally equivalent to the AMT Remote Admin Account and resides in the Management Engine BIOS extension (MEBx) of Intel AMTbased computers. This account is used by the server that runs the out of band service point role to manage some network interface features of AMT, by using the out of band management feature. If you specify an AMT Provisioning and Discovery Account in Configuration Manager, it must match the AMT Remote Admin Account name and password that is specified in the BIOS extensions in the AMT-based computers. Note For more information about whether to specify an AMT Provisioning and Discovery Account, see Step 5: Configuring the Out of Band Management Component in the How to Provision and Configure AMT-Based Computers in Configuration Manager topic in the Assets and Compliance in System Center 2012 Configuration Manager guide. The account is stored in the Management Engine BIOS extensions of the AMT-based computer and does not correspond to any account in Windows.

AMT Provisioning Removal Account

The AMT Provisioning Removal Account can remove AMT provisioning information if you have to recover the site. You might also be able to use it when a Configuration Manager client was reassigned and the AMT provisioning information was not removed from the computer in the old site. To successfully remove the AMT provisioning information by using the AMT Provisioning Removal Account, all the following must be true: The AMT Provisioning Removal Account is configured in the out of band management component properties. The account that is configured for the AMT Provisioning Removal Account was configured as an AMT User Account in the out of band management component properties when the AMTbased computer was provisioned or updated. The account that is configured for the AMT Provisioning Removal Account must be a member of the local Administrators group on the out of band service point computer.
2521

The AMT auditing log is not enabled.

Because this is a Windows user account, specify an account with a strong password that does not expire.

AMT Remote Admin Account

The AMT Remote Admin Account is the account in the Management Engine BIOS extension (MEBx) of Intel AMT-based computers that is used by the server running the out of band service point role to manage some network interface features of AMT in Configuration Manager, by using the out of band management feature. Configuration Manager automatically sets the remote admin account password for computers that it provisions for AMT, and this is then used for subsequent authenticated access to the AMT firmware. This account is functionally equivalent to the Configuration Manager AMT Provisioning and Discovery Account. The account is stored in the Management Engine BIOS extensions of the AMT-based computer and does not correspond to any account in Windows.

AMT User Accounts

AMT User Accounts control which Windows users or groups can run management functions in the Out of Band Management console. The configuration of the AMT User Accounts creates the equivalent of an access control list (ACL) in the AMT firmware. When the logged on user attempts to run the Out of Band Management console, AMT uses Kerberos to authenticate the account and then authorizes or denies access to run the AMT management functions. Configure the AMT User Accounts before you provision the AMT-based computers. If you configure AMT User Accounts after computers are provisioned for AMT, you must manually update the AMT memory for these computers so that they are reconfigured with the new settings. Because the AMT User Accounts use Kerberos authentication, the user accounts and security groups must exist in an Active Directory domain.

Asset Intelligence Synchronization Point Proxy Server Account

The Asset Intelligence Synchronization Point Proxy Server Account is used by the Asset Intelligence synchronization point to access the Internet via a proxy server or firewall that requires authenticated access. Security Specify an account that has the least possible permissions for the required proxy server or firewall.

2522

Capture Operating System Image Account

The Capture Operating System Image Account is used by Configuration Manager to access the folder where captured images are stored when you deploy operating systems. This account is required if you add the step Capture Operating System Image to a task sequence. The account must have Read and Write permissions on the network share where the captured image is stored. If the password the account is changed in Windows, you must update the task sequence with the new password. The Configuration Manager client will receive the new password when it next downloads client policy. If you use this account, you can create one domain user account with minimal permissions to access the required network resources and use it for all task sequence accounts. Security Do not assign this account interactive logon permissions. Do not use the Network Access account for this account.

Client Push Installation Account

The Client Push Installation Account is used to connect to computers and install the Configuration Manager client software if you deploy clients by using client push installation. If this account is not specified, the site server account is used to try to install the client software. This account must be a member of the local Administrators group on the computers where the Configuration Manager client software is to be installed. This account does not require Domain Admin rights. You can specify one or more Client Push Installation Accounts, which Configuration Manager tries in turn until one succeeds. Tip To more effectively coordinate account updates in large Active Directory deployments, create a new account with a different name, and then add the new account to the list of Client Push Installation Accounts in Configuration Manager. Allow sufficient time for Active Directory Domain Services to replicate the new account, and then remove the old account from Configuration Manager and Active Directory Domain Services. Security Do not grant this account the right to log on locally.

Enrollment Point Connection Account

The Enrollment Point Connection Account connects the enrollment point to the Configuration Manager site database. By default, the computer account of the enrollment point is used, but you can configure a user account instead. You must specify a user account whenever the enrollment

2523

point is in an untrusted domain from the site server. This account requires Read and Write access to the site database.

Exchange Server Connection Account

The Exchange Server Connection Account connects the site server to the specified Exchange Server computer to find and manage mobile devices that connect to Exchange Server. This account requires Exchange PowerShell cmdlets that provide the required permissions to the Exchange Server computer. For more information about the cmdlets, see How to Manage Mobile Devices by Using the Exchange Server Connector in Configuration Manager.

Exchange Server Connector Proxy Server Account

The Exchange Server Connector Proxy Server Account is used by the Exchange Server connector to access the Internet via a proxy server or firewall that requires authenticated access. Security Specify an account that has the least possible permissions for the required proxy server or firewall.

Endpoint Protection SMTP Server Connection Account

For Configuration Manager with no service pack: The Endpoint Protection SMTP Server Connection Account is used by the site server to send email alerts for Endpoint Protection when the SMTP server requires authenticated access. Security Specify an account that has the least possible permissions to send emails.

Health State Reference Publishing Account

The Health State Reference Publishing Account is used to publish the Network Access Protection (NAP) health state reference for Configuration Manager to Active Directory Domain Services. If you do not configure an account, Configuration Manager attempts to use the site server computer account to publish the health state references. This account requires Read, Write and Create permissions to the Active Directory forest that stores the health state reference. Create the account in the forest that is designated to store the health state references. Assign the least possible permissions to this account and do not use the same account that is specified for the Health State Reference Querying Account, which requires only Read permissions.

Health State Reference Querying Account

The Health State Reference Querying Account is used to retrieve the Network Access Protection (NAP) health state reference for Configuration Manager from Active Directory Domain Services.
2524

If you do not configure an account, Configuration Manager attempts to use the site server computer account to retrieve the health state references. This account requires Read permissions to the Configuration Manager Systems Management container in the Global Catalog. Create the account in the forest that is designated to store the health state references. Do not use the same account for the Health State Reference Publishing Account, which requires more privileges. Security Do not grant this account interactive logon rights.

Management Point Database Connection Account

The Management Point Database Connection Account is used to connect the management point to the Configuration Manager site database so that it can send and retrieve information for clients. By default, the computer account of the management point is used, but you can configure a user account instead. You must specify a user account whenever the management point is in an untrusted domain from the site server. Create the account as a low-rights, local account on the computer that runs Microsoft SQL Server. Security Do not grant this account interactive logon rights.

MEBx Account
The MEBx Account is the account in the Management Engine BIOS extension (MEBx) on Intel AMT-based computers and it is used for initial authenticated access to the AMT firmware on AMT-based computers. The MEBx Account is named admin, and by default, the password is admin. Your manufacturer might provide a customized password, or you might have specified your choice of password in AMT. If the MEBx password is set to a value that is not admin, you must configure an AMT Provisioning and Discovery Account. For more information, see Step 5: Configuring the Out of Band Management Component in the How to Provision and Configure AMT-Based Computers in Configuration Manager topic. The account is stored in the Management Engine BIOS extensions of the AMT-based computer. This account does not correspond to any account in Windows. If the default MEBx password has not been changed before Configuration Manager provisions the computer for AMT, during the AMT provisioning process, Configuration Manager sets the password that you configure.

2525

Multicast Connection Account

The Multicast Connection Account is used by distribution points that are configured for multicast to read information from the site database. By default, the computer account of the distribution point is used, but you can configure a user account instead. You must specify a user account whenever the site database is in an untrusted forest. For example, if your data center has a perimeter network in a forest other than the site server and site database, you can use this account to read the multicast information from the site database. If you create this account, create it as a low-rights, local account on the computer that runs Microsoft SQL Server. Security Do not grant this account interactive logon rights.

Network Access Account

The Network Access Account is used by client computers when they cannot use their local computer account to access content on distribution points. For example, this applies to workgroup clients and computers from untrusted domains. This account might also be used during operating system deployment when the computer installing the operating system does not yet have a computer account on the domain. Note The Network Access Account is never used as the security context to run programs, install software updates, or run task sequences; only for accessing resources on the network. Grant this account the minimum appropriate permissions on the content that the client requires to access the software. The account must have the Access this computer from the network right on the distribution point or other server that holds the package content. Because you can create only one Network Access Account per site, this account must function for all packages and task sequences for which it is required. Warning When Configuration Manager tries to use the computername$ account to download the content and it fails, it automatically tries the Network Access Account again, even if it has previously tried and failed. Create the account in any domain that will provide the necessary access to resources. The Network Access Account must always include a domain name. Pass-through security is not supported for this account. If you have distribution points in multiple domains, create the account in a trusted domain. Tip To avoid account lockouts, do not change the password on an existing Network Access Account. Instead, create a new account and configure the new account in Configuration Manager. When sufficient time has passed for all clients to have received the new
2526

account details, remove the old account from the network shared folders and delete the account. Security Do not grant this account interactive logon rights Do not grant this account the right to join computers to the domain. If you must join computers to the domain during a task sequence, use the Task Sequence Editor Domain Joining Account.

Package Access Account

Package Access Accounts enable you to set NTFS permissions to specify the users and user groups that can access a package folder on distribution points. By default, Configuration Manager grants access only to the generic access accounts Users and Administrators, but you can control access for client computers by using additional Windows accounts or groups. Mobile devices always retrieve package content anonymously, so the Package Access Accounts are not used by mobile device. By default, when Configuration Manager creates the package share on a distribution point, it grants Read access to the local Users group and Full Control to the local Administrators group. The actual permissions required will depend on the package. If you have clients in workgroups or in untrusted forests, those clients use the Network Access Account to access the package content. Make sure that the Network Access Account has permissions to the package by using the defined Package Access Accounts. Use accounts in a domain that can access the distribution points. If you create or modify the account after the package is created, you must redistribute the package. Updating the package does not change the NTFS permissions on the package. You do not have to add the Network Access Account as a Package Access Account, because membership of the Users group adds it automatically. Restricting the Package Access Account to only the Network Access Account does not prevent clients from accessing the package.

Reporting Services Point Account

The Reporting Services Point Account is used by SQL Server Reporting Services to retrieve the data for Configuration Manager reports from the site database. The Windows user account and password that you specify are encrypted and stored in the SQL Server Reporting Services database.

Remote Tools Permitted Viewer Accounts

The accounts that you specify as Permitted Viewers for remote control are a list of users who are allowed to use remote tools functionality on clients.

2527

Site System Installation Account

The Site System Installation Account is used by the site server to install, reinstall, uninstall, and configure site systems. If you configure the site system to require the site server to initiate connections to this site system, Configuration Manager also uses this account to pull data from the site system computer after the site system and any site system roles are installed. Each site system can have a different Site System Installation Account, but you can configure only one Site System Installation Account to manage all site system roles on that site system. This account requires local administrative permissions on the site systems that they will install and configure. Additionally, this account must have Access this computer from the network in the security policy on the site systems that they will install and configure. Tip If you have many domain controllers and these accounts will be used across domains, verify that the accounts have replicated before you configure the site system. When you specify a local account on each site system to be managed, this configuration is more secure than using domain accounts, because it limits the damage that attackers can do if the account is compromised. However, domain accounts are easier to manage, so consider the trade-off between security and effective administration.

SMTP Server Connection Account

For Configuration Manager SP1 only: The SMTP Server Connection Account is used by the site server to send email alerts when the SMTP server requires authenticated access. Security Specify an account that has the least possible permissions to send emails.

Software Update Point Connection Account

The Software Update Point Connection Account is used by the site server for the following two software updates services: WSUS Configuration Manager, which configures settings such as product definitions, classifications, and upstream settings. WSUS Synchronization Manager, which requests synchronization to an upstream WSUS server or Microsoft Update.

The Site System Installation Account can install components for software updates, but cannot perform software updates-specific functions on the software update point. If you cannot use the site server computer account for this functionality because the software update point is in an untrusted forest, you must specify this account in addition to the Site System Installation Account. This account must be a local administrator on the computer where WSUS is installed, and be part of the local WSUS Administrators group.

2528

Software Update Point Proxy Server Account

The Software Update Point Proxy Server Account is used by the software update point to access the Internet via a proxy server or firewall that requires authenticated access. Security Specify an account that has the least possible permissions for the required proxy server or firewall.

Source Site Account

The Source Site Account is used by the migration process to access the SMS Provider of the source site. This account requires Read permissions to site objects in the source site to gather data for migration jobs. If you upgrade Configuration Manager 2007 distribution points or secondary sites that have colocated distribution points to System Center 2012 Configuration Manager distribution points, this account must also have Delete permissions to the Site class to successfully remove the distribution point from the Configuration Manager 2007 site during the upgrade. Note Both the Source Site Account and Source Site Database Account are identified as Migration Manager in the Accounts node of the Administration workspace in the Configuration Manager console.

Source Site Database Account

The Source Site Database Account is used by the migration process to access the SQL Server database for the source site. To gather data from the SQL Server database of the source site, the Source Site Database Account must have the Read and Execute permissions to the source site SQL Server database. Note If you use the System Center 2012 Configuration Manager computer account, ensure that all the following are true for this account: It is a member of the security group Distributed COM Users in the domain where the Configuration Manager 2007 site resides. It is a member of the SMS Admins security group. It has the Read permission to all Configuration Manager 2007 objects. Note Both the Source Site Account and Source Site Database Account are identified as Migration Manager in the Accounts node of the Administration workspace in the Configuration Manager console.

2529

Task Sequence Editor Domain Joining Account

The Task Sequence Editor Domain Joining Account is used in a task sequence to join a newly imaged computer to a domain. This account is required if you add the step Join Domain or Workgroup to a task sequence, and then select Join a domain. This account can also be configured if you add the step Apply Network Settings to a task sequence, but it is not required. This account requires the Domain Join right in the domain that the computer will be joining. Tip If you require this account for your task sequences, you can create one domain user account with minimal permissions to access the required network resources and use it for all task sequence accounts. Security Do not assign this account interactive logon permissions. Do not use the Network Access Account for this account.

Task Sequence Editor Network Folder Connection Account

The Task Sequence Editor Network Folder Connection Account is used by a task sequence to connect to a shared folder on the network. This account is required if you add the step Connect to Network Folder to a task sequence. This account requires permissions to access the specified shared folder and must be a user domain account. Tip If you require this account for your task sequences, you can create one domain user account with minimal permissions to access the required network resources and use it for all task sequence accounts. Security Do not assign this account interactive logon permissions. Do not use the Network Access Account for this account.

Task Sequence Run As Account

The Task Sequence Run As Account is used to run command lines in task sequences and use credentials other than the local system account. This account is required if you add the step Run Command Line to a task sequence but do not want the task sequence to run with Local System account permissions on the managed computer. Configure the account to have the minimum permissions required to run the command line that specified in the task sequence. The account requires interactive login rights, and it usually requires the ability to install software and access network resources. Security
2530

Do not use the Network Access account for this account. Never make the account a domain administrator. Never configure roaming profiles for this account. When the task sequence runs, it will download the roaming profile for the account, which leaves the profile vulnerable to access on the local computer. Limit the scope of the account. For example, create different Task Sequence Run As Accounts for each task sequence so that if one account is compromised, only the client computers to which that account has access are compromised. If the command line requires administrative access on the computer, consider creating a local administrator account solely for the Task Sequence Run As Account on all computers that will run the task sequence, and delete the account as soon as it is no longer needed.

See Also
Technical Reference for Site Administration in Configuration Manager

Scenarios and Solutions Using System Center 2012 Configuration Manager

The Scenarios and Solutions for System Center 2012 Configuration Manager guide provides documentation that presents example customer scenarios that are solved by using Microsoft System Center 2012 Configuration Manager. For information about technical scenarios for other Microsoft System Center products, see the Technical Scenarios page in the System Center TechCenter.

Scenarios and Solutions Topics

Use the following topics to read example customer scenarios and their Configuration Manager solutions: Example Scenarios for Planning a Simplified Hierarchy with Configuration Manager Example Scenario for Deploying and Managing Configuration Manager Clients on Windows Embedded Devices How to Manage Mobile Devices by Using the Windows Intune Connector in Configuration Manager Example Scenario for Managing Applications by Using Configuration Manager Example Scenario for Using Configuration Manager to Deploy and Monitor the Security Software Updates Released Monthly by Microsoft Example Scenario for PXE-Initiated Operating System Deployment by Using Configuration Manager
2531

How to Provision Windows To Go in Configuration Manager How to Create a PXE-Initiated Windows 8 Deployment for UEFI-Based or BIOS-Based Computers in Configuration Manager Example Scenario for Software Metering in Configuration Manager Example Scenario for Implementing Out of Band Management in Configuration Manager Example Scenarios for Using Out of Band Management in Configuration Manager Example Scenario for Compliance Settings in Configuration Manager Example Scenario for User Data and Profiles Management in Configuration Manager Example Scenario for Protecting Computers From Malware by Configuring Endpoint Protection in Configuration Manager

Other Resources for this Product

TechNet Library main page for System Center 2012 Configuration Manager Documentation Library for System Center 2012 Configuration Manager

Example Scenarios for Planning a Simplified Hierarchy with Configuration Manager

Note This topic appears in the Site Administration for System Center 2012 Configuration Manager guide and in the Scenarios and Solutions Using System Center 2012 Configuration Manager guide. The following scenarios provide examples of how you can implement System Center 2012 Configuration Manager to solve typical business requirements and simplify your overall hierarchy design.

Scenario 1: Remote Office Optimization

The remote office optimization scenario demonstrates an implementation of System Center 2012 Configuration Manager that reduces the administrative overhead required for managing information flow across the network.

Current Situation
The customer has a simple Configuration Manager 2007 hierarchy of one primary site with two secondary sites that include a warehouse and a remote district office location. The customer has 5,015 clients across four locations as shown in the following table.

2532

Location

Site type

Deployment details

Connection to headquarters

Headquarters

Primary

3,000 clients Two standard distribution points, one management point, and one software update point 500 clients One standard distribution point 1,500 clients One standard distribution point, one proxy management point, and one software update point 15 clients Use of Windows BranchCache

Not Applicable

Warehouse

Secondary

Slow Network

District Office

Secondary

Slow Network

Sales Office

None

Well Connected

Business Requirements
The System Center 2012 Configuration Manager hierarchy must support the following business requirements:
Business requirement Configuration Manager Information

The data transferred over the network must not use excessive bandwidth. Minimize the number of servers used.

Slow network connections must support bandwidth control. Install the minimum number of site system servers possible. Clients must regularly submit their hardware inventory data, status messages, and discovery information. Content must be available to clients, including large packages for operating system images.

Produce reports that provide current information about devices.

Deploy applications, software updates, and operating system deployments on a daily basis.

2533

Planning Decisions
Design of the System Center 2012 Configuration Manager hierarchy includes the following planning considerations:
Challenges Options and considerations

The transfer of deployment content from the primary site to remote locations represents the largest effect to the network and must be managed.

Content transmission to remote locations can be managed by: Distribution points enabled for bandwidth control Prestage for distribution points Windows BranchCache A local site to manage the network bandwidth used during site-to-site transfers

The flow of client information from large numbers of clients can slow down network.

Each remote location must be evaluated for network capacity, balancing the client settings, the number of clients at the location, and the available network bandwidth. Options include the following: A local primary or secondary site to manage the network bandwidth during siteto-site transfers. No site at the location allowing clients to transfer their data unmanaged across the network to an assigned primary site.

Steps Taken
After evaluation of requirements and options, client locations, and available network bandwidth, the following decisions are made:
Decision Details

A stand-alone primary site is deployed at the Headquarters location.

A System Center 2012 Configuration Manager primary site replaces the existing primary site as there are no administrative or content management benefits gained by the use of a central administration site for this environment. A primary site can support up to 100,000 clients. There is no planned expansion that could require additional primary sites to manage
2534

Decision

Details

large numbers of clients across slow network connections.

A distribution point enabled for bandwidth control is deployed to the warehouse location.

The effect of client information flowing up from the warehouse location will not overwhelm the available network bandwidth. In place of a secondary site, the locations needs can be m et by the use of a distribution point enabled for bandwidth control deployed from the primary site to manage the downward flow of deployment content. This decision does not reduce the number of servers in use but does remove the requirement to manage an additional site. The current client activity is not sufficient to require management of upward-flowing client data. Only downward-flowing content requires management to avoid effect to the slow network connection. In the future, the distribution point can be replaced by a secondary site that can manage network traffic in both directions if it is needed.

A secondary site is deployed to the District Office Location.

After evaluation of the effect from the local clients, it is decided that a secondary site with the same configuration previously used will be required. 1,500 clients generate enough client information to exceed the available network connection to the primary site. A primary site is not required as there is no administrative benefit to be provided by a primary site, and the hierarchys combined client total is easily handled by the primary site at the Headquarters location.
2535

Decision

Details

The use of Windows BranchCache is maintained at the Sales Office location.

Because this location services only 15 clients and has a fast network connection to the Headquarters location, the current use of Windows BranchCache as a content deployment solution remains the best option.

Business Benefits
By using a single distribution point that is enabled for bandwidth control to replace a secondary site and its distribution point, the customer meets the business requirement for managing content across slow networks. Additionally, this change decreases the administrative workload and the time it takes for the site to receive client information.

Scenario 2: Infrastructure Reduction and Management of Client Settings

The infrastructure reduction and client settings scenario demonstrates an implementation of System Center 2012 Configuration Manager that reduces infrastructure in use while continuing to manage clients with customized client settings.

Current Situation
In this example, a company manages 25,000 clients across two physical locations by using a single Configuration Manager 2007 hierarchy that consists of one central site and three primary child sites. The central site and one primary site are located in Chicago, and two primary sites are located in London. The primary sites at each geographic location reside on the same physical network and have well-connected network links. However, there is limited bandwidth between Chicago and London. Current deployment details:
Location Type of site Deployment details

Chicago Headquarters

Primary central site

19,200 clients that are configured for the companys standard configuration for client agent settings.

2536

Location

Type of site

Deployment details

Chicago Headquarters

Primary child of central

300 clients on computers used by people in the Human Resources division. The site is configured for a custom remote control client agent setting. 5,000 desktop clients that are configured for the companys standard configuration of client agent settings. 500 server clients that are configured for a custom hardware inventory client agent setting.

London Offices

Primary child of central

London Offices

Primary child of central

Business Requirements
The Configuration Manager hierarchy must meet the following business requirements:
Business requirements Configuration Manager information

Maintain centralized management of the hierarchy in Chicago.

Central administration from Chicago requires that content and client information is sent over the network for the 5,500 clients in London. The standard configuration for client settings must be available for all clients.

Assign a standard client configuration to all clients unless specific business requirements dictate otherwise. Employees in the human resource division must not have the Remote Control client agent enabled on their computers. Servers that are located in London must run hardware inventory no more than once a month.

These custom client settings must be assigned to the computers that are used by the employees in the human resource division. These custom client settings must be assigned to the clients on servers in London.

Control the network bandwidth when The slow network connection requires transferring data between Chicago and London. bandwidth control. Minimize the number of servers. Avoid installing site system servers where possible to reduce administrative tasks and infrastructure costs.

2537

Planning Decisions
The System Center 2012 Configuration Manager hierarchy design includes the following planning considerations:
Challenges Options and considerations

Central administration in Chicago.

Options for this requirement include the following: Deploy a stand-alone primary site in Chicago to manage clients at both network locations: The amount of client information from London that must be transferred over the slow network must be carefully assessed.

Deploy a primary site at each location, and a central administration site in Chicago: Central administration sites cannot have clients assigned to them. Central administration sites are required if there are two or more primary sites in the hierarchy.

The transfer of content from Chicago to London will consume a lot of network bandwidth and this data transfer must be controlled.

The transfer of content down the hierarchy can be managed by the following methods: Distribution points that are enabled for bandwidth control. Windows BranchCache. A London site that is configured to manage the network bandwidth for site-to-site transfers.

The requirement to manage the network bandwidth when client information is sent from London.

Assess the London location for the available network bandwidth and how this will be reduced by the data that is generated by the 5,500 clients. Options include the following: Allow clients to transfer their data unmanaged across the network to an assigned primary site at Chicago. Deploy a secondary site or primary site in London to manage the network bandwidth during site-to-site transfers to Chicago.

A standard set of client settings must be

A default set of Client Agent Settings are

2538

Challenges

Options and considerations

available at all locations. Two groups that contain employees from Human Resources and servers in London, require client settings that are different than the standard configuration.

specified for the hierarchy. Collections are used to assign custom client settings.

Steps Taken
After an evaluation of the business requirements, the network structure, and the requirements for client settings, a central administration site is deployed in Chicago with one child primary site in Chicago and one child primary site in London. The following table explains these design choices.
Decision Details

A central administration site is deployed in Chicago.

This meets the centralized administration requirement by providing a centralized location for reporting and hierarchy-wide configurations. Because the central administration site has access to all client and site data in the hierarchy and is a direct parent of both primary sites, it is ideally located to host the content for all locations. A primary site is required to manage clients at the Chicago location because the central administration site cannot have clients assigned to it. A local primary site is required to locally manage the 14,800 clients. Sites in System Center 2012 Configuration Manager are not used to configure client settings, which allows all clients at a location to be assigned to the same site. Site to site address configurations can control the network bandwidth when transferring content from the central administration site in Chicago. Sites in System Center 2012 Configuration Manager are not used to configure client settings, which allows all
2539

One primary site is required in Chicago.

One primary site is deployed in London.

Decision

Details

clients at a location to be assigned to the same site. A local primary site is deployed to manage the 5,500 local clients so that the clients do not send their information and client policy requests across the network to Chicago. A primary site ensures that future growth in London can be managed with the hierarchy design they implement today. Note The decision to deploy a primary site or secondary site can include consideration of the following: A standard configuration for client settings is applied to each client in the hierarchy. Assessing the available hardware for a site server The current number of clients at a location Expectations for additional clients in the future Political reasons Local point of administrative contact

Default Client Agent Settings are configured and applied to every client in the hierarchy, which results in a consistent configuration for every client. This collection is configured with custom client settings that disable Remote Control. These settings modify the hierarchy-wide defaults and provide the collection members with the customized client settings that are required for Human Resource employees. Because this collection is dynamically updated, new employees in Human Resources automatically receive the customized client settings. Because collections are shared with all sites, these customizations are applied to Human Resource employees at any location in the hierarchy without having to consider which site their computer is
2540

A collection is created to contain the user accounts for the employees that work in the Human Resource division. This collection is configured to update regularly so that new accounts can be added to the collection soon after they are created.

Decision

Details

assigned to. A collection is configured to contain the servers located in London. This collection is configured with custom client settings, so that the servers are configured with custom settings for hardware inventory.

Business Benefits
By using custom client settings in System Center 2012 Configuration Manager, the business requirements are met as follows: The infrastructure requirements are reduced by removing sites that were used only to provide custom client settings to subsets of clients. Administration is simplified because the central administration site applies a standard configuration for client settings to all clients in the hierarchy. Two collections of clients are configured for the required customized client settings. Network bandwidth is controlled when transferring data between Chicago and London.

See Also
Planning for Configuration Manager Sites and Hierarchy

Example Scenario for Deploying and Managing Configuration Manager Clients on Windows Embedded Devices
Note The information in this topic applies only to System Center 2012 Configuration Manager SP1. Note This topic appears in the Deploying Clients for System Center 2012 Configuration Manager guide and in the Scenarios and Solutions Using System Center 2012 Configuration Manager guide. This scenario demonstrates how you can manage write-filter-enabled Windows Embedded devices by using System Center 2012 Configuration Manager SP1. If you have Configuration Manager with no service pack, Configuration Manager cannot automatically disable and reenable the write filters and you must take additional steps to do this before and after you install software. If your embedded devices do not support write filters, they behave as standard
2541

Configuration Manager clients and you do not have to take the steps in this scenario that are required to manage write filters. Coho Vineyard & Winery is opening a visitor center and is interested in kiosks that run Windows Embedded to run interactive presentations. The building for the new visitor center is not close to the IT department, so it is important that the kiosks can be managed remotely. In addition to installing the software that runs the interactive presentations, these devices must run up-to-date antimalware protection software to comply with the company security policies. To make sure that the interactive presentations are always available for visitors, the kiosks must run 7 days a week, with no downtime while the visitor center is open. Coho Vineyard & Winery already runs Configuration Manager SP1 to manage devices on their network. Configuration Manager is configured to run Endpoint Protection, and install software updates and applications. However, because the IT team has not managed Windows Embedded devices before, Jane, the Configuration Manager administrator, runs a pilot to manage two kiosks that are in the companys reception lobby. If the pilot is successful in remotely managing these devices, the purchase order for the visitor center kiosks can be approved. To manage these Windows Embedded devices that are write-filter-enabled, Jane performs the following steps to install the Configuration Manager client, protect the client by using Endpoint Protection, and install the interactive presentation software.
Process Reference

Jane reads how Windows Embedded devices uses write filters, and how Configuration Manager SP1 can make this easier by automatically disabling and then re-enabling the writer filters, to persist a software installation. Before she installs the Configuration Manager client, Jane creates a new query-based device collection for the Windows Embedded devices. Because the company uses standard naming formats to identify their computers, Jane can uniquely identify Windows Embedded devices by the first six letters of the computer name: WEMDVC. She uses the following WQL query to create this collection: select SMS_R_System.NetbiosName from SMS_R_System where SMS_R_System.NetbiosName like "WEMDVC%" This collection allows her to manage the Windows Embedded devices with different configuration options from the other devices.

The Deploying the Configuration Manager Client to Windows Embedded Devices section in the Introduction to Client Deployment in Configuration Manager topic

How to Create Collections in Configuration Manager

2542

Process

Reference

She will use this collection to control restarts, deploy Endpoint Protection with client settings, and deploy the interactive presentation application. Jane configures the collection for a How to Use Maintenance Windows in maintenance window to ensure that restarts Configuration Manager that might be required for installing the presentation application and any upgrades do not occur during opening hours for the visitor center. Opening hours will be 09:00 through 18:00, Monday through Sunday. She configures the maintenance window for every day, 18:30 through 06:00. Jane then configures a custom device client setting to install the Endpoint Protection client by selecting Yes for the following settings, and then deploys this custom client setting to the Windows Embedded device collection: Install Endpoint Protection client on client computers For Windows Embedded devices with write filters, commit Endpoint Protection client installation (requires restart) Allow Endpoint Protection client installation and restart to be performed outside maintenance windows Step 5: Configure Custom Client Settings for Endpoint Protection in How to Configure Endpoint Protection in Configuration Manager

When the Configuration Manager client is installed, these settings install the Endpoint Protection client and ensure that it is persisted in the operating system as part of the installation, rather than written to the overlay only. The company security policies require that the antimalware software is always installed and Jane does not want to run the risk of the kiosks being unprotected for even a short period of time if they restart. Note The restarts that are required to install the Endpoint Protection client are a one-time occurrence, which happen
2543

Process

Reference

during the setup period for the devices and before the visitor center is operational. Unlike the periodic deployment of applications or software definition updates, the next time the Endpoint Protection client is installed on the same device will probably be when the company upgrades to the next version of Configuration Manager. With the configuration settings for the client now in place, Jane prepares to install the Configuration Manager clients. Before she can install the clients, she must manually disable the write filter on the Windows Embedded devices. She reads the OEM documentation that accompanies the kiosks and follows their instructions to disable the write filters. Jane renames the device so it uses the company standard naming format, and then installs the client manually by running CCMSetup with the following command from a mapped drive that holds the client source files: CCMSetup.exe /MP:mpserver.cohovineyardandwinery.com SMSSITECODE=CO1 This command installs the client, assigns the client to the management point that has the intranet FQDN of mpserver.cohovineyardandwinery.com , and assigns the client to the primary site named CO1. Jane knows that it always takes a while for clients to install and send back their status to the site. So she waits before she confirms that the clients successfully install, assign to the site, and appear as clients in the collection that she created for Windows Embedded devices. As additional confirmation, on the Windows Embedded devices, she checks the properties of Configuration Manager in Control Panel and
2544

How to Install Clients on Windows-Based Computers in Configuration Manager How to Assign Clients to a Site in Configuration Manager

Process

Reference

compares them to standard Windows computers that are managed by the site. For example, on the Components tab, the Hardware Inventory Agent displays Enabled, and on the Actions tab, there are 11 available actions, which include Application Deployment Evaluation Cycle and Discovery Data Collection Cycle. Confident that the clients are successfully installed, assigned, and receiving client policy from the management point, Jane then manually enables the write filters by following the instructions from the OEM. Now that the Configuration Manager client is How to Manage Clients in Configuration installed on the Windows Embedded devices, Manager Jane confirms that she can manage them in the same way as she manages the standard Windows clients. For example, from the Configuration Manager console, she can remotely manage them by using remote control, initiate client policy for them, and view client properties and hardware inventory. Because these devices are joined to an Active Directory domain, she does not have to manually approve them as trusted clients and confirms from the Configuration Manager console that they are approved. To install the interactive presentation software, Jane runs the Deploy Software Wizard and configures a required application. On the User Experience page of the wizard, in the Write filter handling for Windows Embedded devices section, she accepts the default option that selects Commit changes at deadline or during a maintenance window (requires restarts). Jane keeps this default option for write filters to ensure that the application persists after a restart, so that it is always available to the visitors using the kiosks. The daily maintenance
2545

How to Deploy Applications in Configuration Manager

Process

Reference

window provides a safe period during which the restarts for installation and any updates can occur. Jane deploys the application to the Windows Embedded devices collection. To configure definition updates for Endpoint Protection, Jane uses software updates and runs the Create Automatic Deployment Rule Wizard. She selects the Definition Updates template to prepopulate the wizard with settings that are appropriate for Endpoint Protection. These settings include the following on the User Experience page of the wizard: Deadline behavior: The Software Installation check box is not selected. Write filter handling for Windows Embedded devices: The Commit changes at deadline or during a maintenance window (requires restarts) check box is not selected. Step 3: Configure Configuration Manager Software Updates to Deliver Definition Updates to Client Computers in How to Configure Endpoint Protection in Configuration Manager

Jane keeps these default settings. Together, these two options with this configuration allow any software update definitions for Endpoint Protection to be installed in the overlay during the day and not wait to be installed and committed during the maintenance window. This configuration best meets the company security policy for computers to run up-to-date antimalware protection. Note Unlike software installations for applications, software update definitions for Endpoint Protection can occur very frequently, even multiple times a day. They are often small files. For these types of security-related deployments, it can often be beneficial to always install to the overlay rather than wait until the maintenance window. The Configuration Manager
2546

Process

Reference

client will quickly re-install the software definition updates if the device restarts because this action initiates an evaluation check and does not wait until the next scheduled evaluation. Jane selects the Windows Embedded devices collection for the automatic deployment rule. Jane decides to configure a maintenance task that periodically commits all changes on the overlay. This task is to support the software update definitions deployment, to reduce the number of updates that accumulate and must be installed again, each time the device restarts. In her experience, this helps the antimalware programs run more efficiently. Note These software update definitions would be automatically committed to the image if the embedded devices ran another management task that supported committing the changes. For example, installing a new version of the interactive presentation software would also commit the changes for software update definitions. Or, installing standard software updates every month that install during the maintenance window could also commit the changes for software update definitions. However, in this scenario, where standard software updates do not run and the interactive presentation software is unlikely to be updated very often, it might be months before the software definition updates are automatically committed to the image. Jane first creates a custom task sequence that has no settings other than the name. She runs the Create Task Sequence Wizard: 1. On the Create a New Task Sequence
2547

How to Manage Task Sequences in Configuration Manager

Process

Reference

page, she selects Create a new custom task sequence, and then clicks Next. 2. On the Task Sequence Information page, she enters Maintenance task to commit changes on embedded devices for the task sequence name, and then clicks Next. 3. On the Summary page, she selects Next, and completes the wizard. Jane then deploys this custom task sequence to the Windows Embedded devices collection, and configures the schedule to run every month. As part of the deployment settings, she selects the Commit changes at deadline or during a maintenance window (requires restarts) check box to persist the changes after a restart. To configure this deployment, she selects the custom task sequence that she just created, and then on the Home tab, in the Deployment group, she clicks Deploy to start the Deploy Software Wizard: 1. On the General page, she selects the Windows Embedded devices collection, and then clicks Next. 2. On the Deployment Settings page, she selects the Purpose of Required, and then clicks Next. 3. On the Scheduling page, she clicks New to specify a weekly schedule during the maintenance window, and then clicks Next. 4. She completes the wizard without any further changes. For the kiosks to run automatically, Jane writes a script to configure the devices for the following settings: Automatically log on, using a guest account that has no password. Automatically run the interactive presentation software on startup. Packages and Programs in Configuration Manager

Jane uses packages and programs to deploy this script to the Windows Embedded devices collection. When she runs the Deploy Software
2548

Process

Reference

Wizard, she again selects the Commit changes at deadline or during a maintenance window (requires restarts) check box to persist the changes after a restart. The following morning, Jane checks the Windows Embedded devices. She confirms the following: The kiosk is automatically logged on by using the guest account. The interactive presentation software is running. The Endpoint Protection client is installed and has the latest software update definitions. That the device restarted during the maintenance window. How to Monitor Endpoint Protection in Configuration Manager How to Monitor Applications in Configuration Manager

Jane monitors the kiosks and reports the successful management of them to her manager. As a result, 20 kiosks are ordered for the visitor center. To avoid the manual installation of the Configuration Manager client, which requires manually disabling and then enabling the write filters, Jane ensures that the order includes a customized image that already includes the installation and site assignment of the Configuration Manager SP1 client. In addition, the devices are named according to the company naming format. The kiosks are delivered to the visitor center a week before it opens. During this time, the kiosks are connected to the network, all device management for them is automatic, and no local administrator is required. Jane confirms that the kiosks are functioning as required: The clients on the kiosks complete site assignment and download the trusted root key from Active Directory Domain Services. The clients on the kiosks are automatically added to the Windows Embedded devices collection and configured with the maintenance window. The Endpoint Protection client is installed and has the latest software update definitions for antimalware protection. The interactive presentation software is installed and runs automatically, ready for visitors.

After this initial setup, any restarts that might be required for updates occur only when the visitor center is closed.

See Also
Technical Reference for Client Deployment in Configuration Manager
2549

How to Manage Mobile Devices by Using the Windows Intune Connector in Configuration Manager
Note The information in this topic applies only to System Center 2012 Configuration Manager SP1. Note This topic appears in the Deploying Clients for System Center 2012 Configuration Manager guide and in the Scenarios and Solutions Using System Center 2012 Configuration Manager guide. System Center 2012 Configuration Manager SP1 lets you manage Windows Phone 8, Windows RT, iOS, and Android devices by using the Windows Intune service over the Internet. Although you use the Windows Intune service, management tasks are completed by using the Configuration Manager console. You can use the Windows Intune connector site system role in the Configuration Manager console to connect to the Windows Intune service. Many employees do work-related tasks, such as viewing their email, on their personal mobile devices. This trend is referred to as Bring Your Own Device (BYOD). Bring your own device is a scenario where employees perform work-related tasks on their user-owned mobile devices. Companies that embrace bringing your own device can provide more than just email for mobile devices. Companies can now provide and manage mobile apps to let employees perform workrelated tasks. While providing apps to user-owned devices, companies can protect company data by exercising control over mobile device enrollment and security settings. With Configuration Manager SP1, you have control over which users can enroll their mobile devices and which users can access your companys data and apps. Use the following sections to help you manage mobile devices by using the Windows Intune connector. Actions Available to Users Management Options Available to Administrators Prerequisites The Windows Intune Subscription The Windows Intune Connector Site System Role Mobile Device Enrollment Device Life-cycle Management Compliance Settings for Mobile Devices App Management for Mobile Devices Hardware Inventory

2550

For a checklist about how to configure Configuration Manager to manage mobile devices, see Administrator Checklist: Configuring Configuration Manager to Manage Mobile Devices by Using Windows Intune.

Actions Available to Users

When employees use their own devices they expect to have some control over the apps they download, in addition to privacy for their personal data. The Bring Your Own Device scenario lets you balance employee concerns with company constraints. Users can manage their devices by using the company portal. The company portal is a self-service portal that lets users control what apps are installed on their devices. Also, the company portal is customized for that platform so that users will only see apps available for their device type. The following table lists what actions users can control on their devices by using the company portal.
Company portal actions available to users From Windows RT From Windows Phone 8 From iOS From Android

Enroll device. Retire local device. Wipe mobile devices remotely. Install line-ofbusiness apps.

Yes Yes

Yes Yes

Yes No

No No

Yes

No

No

No

Yes

Yes

Yes

Yes

Install apps from Yes the store that the device connects to for Windows Store, Windows Phone Store, App Store, or Google Play.

Yes

Yes

Yes

Management Options Available to Administrators

The Windows Intune connector gives administrators the ability to manage apps, compliance settings, and device life cycle. Before you can install the Windows Intune connector, you first have to subscribe to the Windows Intune service and configure your Windows Intune subscription. Your subscription lets
2551

you choose which user collection can enroll mobile devices. Also, your subscription lets you configure a portal that will host your company apps and then lets users manage their devices. You use the subscription to publish your privacy statement so that your employees understand what is being monitored on their mobile devices. The company portal lets users view and download the apps that your company provides. After you have configured the subscription, you can install the Windows Intune connector. The Windows Intune connector lets you deploy apps to mobile devices by using a distribution point hosted by the Windows Intune service. This distribution point, manage.microsoft.com, is available after you install the Windows Intune connector. When you deploy an app by using the Windows Intune connector, the app appears in the company portal where users can view and download the app. You can either deploy a link to an app that exists in an app store or you can deploy a line-of-business app by using sideloading. Sideloading lets you distribute an app directly to a device without using the Windows Store, Windows Phone Store, App Store, or Google Play. You can sideload an app for Windows Phone 8, Windows RT, iOS, and Android. The Windows Intune connector also lets you manage compliance settings and collect inventory on Windows Phone 8, Windows RT, and iOS devices. You can manage the life cycle of mobile devices, which includes actions such as wipe, retire, and block. The Windows Intune service uses the management client that is built into the Windows RT and Windows Phone 8 platforms. For mobile devices that run iOS, Windows Intune uses the iOS APIs for management. The following table lists the kinds of management tasks that are available for each mobile device platform.
Management tasks Windows RT Windows Phone 8 iOS Android

Device life cycle Yes management such as the ability to retire, wipe, remote wipe, remove, and block devices. Compliance settings that include settings for password settings, email management, security, roaming, encryption, and wireless communication. Line-of-business app management. App installation from the store that the Yes

Yes

Yes

No

Yes

Yes

No

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes
2552

Management tasks

Windows RT

Windows Phone 8

iOS

Android

device connects to (Windows Store, Windows Phone Store, App Store, Google Play). Hardware inventory. Yes Yes Yes No

Prerequisites
Use the following information to determine the prerequisites for managing mobile devices.

Dependencies External to Configuration Manager

External dependencies More information

Sign up for a Windows Intune organizational account.

Sign up for an account at Windows Intune. For more information, see Windows Intune organizational account and Acceptable Use Policy for Windows Intune in the Documentation Library for Windows Intune. All user accounts must have a publicly registered UPN that can be verified by Windows Intune. Before you synchronize the Active Directory user account, you must verify that user accounts have a public domain UPN. For more information, see Add User Principal Name Suffixes in the Active Directory documentation library.

Add a public company domain.

Verify users have a public domain UPN.

Deploy and configure directory synchronization. Directory synchronization lets you populate Windows Intune with synchronized user accounts. The synchronized users and security groups are added to Windows Intune. For more information, see Configure directory synchronization in the Active Directory documentation library. For single sign-on you must deploy AD FS. For more information, see Configure single sign-on
2553

External dependencies

More information

in the Active Directory documentation library. Create a DNS alias. Create a DNS alias (CNAME record type). You have to configure a CNAME in DNS that redirects EnterpriseEnrollment.<company domain name>.com to manage.microsoft.com. For example, if Melissa's email address is [email protected], you have to create a CNAME in DNS that redirects EnterpriseEnrollment.contoso.com to manage.microsoft.com. The CNAME record is used as part of the enrollment process. Obtain certificates or keys. For more information, see Obtain Certificates or Keys to Meet Prerequisites per Platform in this topic.

Obtain Certificates or Keys to Meet Prerequisites per Platform

The following table lists the certificates or keys that you must have to enroll mobile platforms.
Platform Certificates or keys How you obtain certificates or keys

Windows Phone 8

Code signing certificate: All sideloaded apps must be code-signed. Sideloading keys: Windows RT devices have to be provisioned with sideloading keys to enable the installation of sideloaded apps. All sideloaded apps must be code-signed.

Buy a code signing certificate from Symantec.

Windows RT

Buy sideloading keys from Microsoft. All apps must be code-signed by using your companys certification authority or an external certification authority.

iOS

Apple Push Notification service certificate.

Request an Apple Push Notification service certificate from Apple. For more information, see the Prerequisites for Enrolling iOS
2554

Platform

Certificates or keys

How you obtain certificates or keys

Devices in this topic. Android None. Not applicable.

Prerequisites for Enrolling Windows Phone 8 Devices

To manage Windows Phone 8 devices, you have to deploy the Windows Phone 8 company portal app. The company portal app must be code-signed with a certificate that is trusted by the Windows Phone 8 devices. 1. Obtain a Windows Phone Dev Center Publisher ID from the Windows Phone Dev Center. 2. Retrieve a certificate from the Symantec website by using your Publisher ID. 3. Download the Windows Phone 8 company portal app. 4. Download the SignTool app from the Windows Phone 8 SDK. To deploy an app to -users, the app must be signed by a certification authority that is trusted by Windows Phone 8 devices. Use the SignTool app to sign your apps with the Symantec certificate. 5. Sign the company portal app by using the SignTool app and the certificate that you downloaded from Symantec. 6. Deploy the Windows Phone 8 company portal app to the manage.microsoft.com distribution point. For more information, see To deploy an application to mobile devices in this topic. 7. Sign all apps that you plan to deploy to Windows Phone 8.

Prerequisites for Enrolling Windows RT Devices

To configure app management on a mobile device that runs iOS, you must follow these steps. 1. Obtain sideloading keys. Before you can run sideloaded line-of-business apps on Windows RT, you must obtain and activate sideloading keys from Microsoft. For more information about sideloading product activation keys, see Microsoft Volume Licensing. 2. Sign all apps. For sideloaded apps to run on Windows RT, you must use a certificate to sign all apps.

Prerequisites for Enrolling iOS Devices

To enroll iOS devices, you must follow these steps. 1. Download a Certificate Signing Request from Windows Intune. This certificate signing request lets you apply to Apples certification authority for an Apple Push Notification service certificate. 2. Request an Apple Push Notification service certificate from the Apple website. To Download a Certificate Signing Request from Windows Intune
2555

1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Hierarchy Configuration, and click Windows Intune Subscriptions. 3. On the Home tab, in the Create group, click Create APNs certificate request. 4. In the Request Apple Push Notification Service Certificate Signing Request dialog box, click Browse to specify a location to download the Certificate Signing Request, specify your choice of file name, and then click Download. 5. On the Windows Intune sign in page, enter your organizational account and password. After you sign in, the certificate signing request is downloaded to the location that you specified. To Request an Apple Push Notification Service Certificate 1. Connect to the Apple Push Certificates Portal. 2. Sign in and complete the wizard. Note Make sure that you use a company account to obtain the Apple Push Notification service certificate. When you have to go back to the site to renew the certificate, make sure that you use the same account. 3. Upload the Certificate Signing Request that you downloaded from Windows Intune.

Dependencies in Configuration Manager

Dependencies in Configuration Manager More information

Create the Windows Intune subscription.

For more information, see The Windows Intune Subscription in this topic. For more information, see The Windows Intune Connector Site System Role in this topic.

Add the Windows Intune connector.

The Windows Intune Subscription

The Windows Intune subscription lets you specify your configuration settings for the Windows Intune service; this includes specifying which users can enroll their devices and defining which mobile device platforms to manage. When you have created your subscription, you can then install the Windows Intune connector site system role, which lets you connect to the Windows Intune service. This connector site system role will push settings and applications to the Windows Intune service. Windows Intune will then make apps available to users on their mobile devices by using the company portal. The Windows Intune subscription performs the following actions:
2556

Retrieves the certificate that the Windows Intune connector requires to connect to the Windows Intune service. Defines the user collection that enables users to enroll mobile devices. Defines and configures the mobile platforms that you want to support. To create the Windows Intune subscription 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Hierarchy Configuration, and click Windows Intune Subscriptions. 3. On the Home tab, in the Create group, click Create Windows Intune Subscription. 4. On the Introduction page of the Create Windows Intune Subscription Wizard, review the text and click Next. 5. On the Subscription page, click Sign in and sign in by using your Windows Intune organizational account. Select the Allow the Configuration Manager console to manage this subscription check box. When you select this setting, you will only be able to manage mobile devices by using the Configuration Manager console. To continue with your subscription, you must select this option. 6. Click the privacy links to review them, and then click Next. 7. On the General page, specify the following options, and then click Next. Collection: Specify a user collection that contains users who will enroll their mobile devices. Note If a user is removed from the collection, the users device will continue to be managed for up to 24 hours until the user record is removed from the user database. Company name: Specify your company name. URL to company privacy documentation: If you publish your company privacy information to a link that is accessible from the Internet, provide the link so that users can access it from the company portal. Privacy information can clarify what information users are sharing with your company. Color scheme for company portal: Optionally, change the default color of blue for the company portals. Configuration Manager site code: Specify a site code for a primary site to manage the mobile devices. Although you can change the site code at any time, if you do this, existing users will have to retire their mobile devices and then re-enrolled to the new site.

8. On the Platforms page, select the device types that you want to manage and review the platform requirements, and then click Next. For each device type that you selected, you must configure additional options. Use the following procedures for more information. After you have configured these additional options, click Next and complete the wizard.
2557

iOS Devices
On the iOS page, click Browse to specify the Apple Push Notification service certificate that you received from Apple. For more information about how to obtain an Apple Push Notification service certificate, see the Prerequisites for Enrolling iOS Devices section in this topic.

Windows Phone 8 Devices

On the Windows Phone 8 page, specify the code-signing certificate to use for all Windows Phone apps and then specify the location of the signed Windows Phone 8company portal app.

For more information about how to obtain the certificate, see the Prerequisites for Enrolling Windows Phone 8 Devices section in this topic.

Windows RT Devices
Windows RT devices require that all sideloaded apps be signed with a trusted code-signing certificate. 1. On the Windows RT Configuration page, if you have a certificate from your companys certification authority, click Browse to specify the code-signing certificate that you want to use for all Windows 8 apps. Note All apps must be code-signed. This field is for your companys certificate. If you have purchased a certificate from an external certification authority, you can leave this field blank. 2. Click Add to enter your sideloading keys. For more information about how to obtain the certificate, see the Prerequisites for Enrolling Windows RT Devices section in this topic.

The Windows Intune Connector Site System Role

The Windows Intune connector sends settings and software deployment information to Windows Intune and retrieves status and inventory messages from mobile devices. The Windows Intune service acts as a gateway that communicates with mobile devices and stores settings.

To configure the Windows Intune Connector role 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, and then click Servers and Site System Roles. 3. Add the Windows Intune Connector role to a new or existing site system server by using the associated step:
2558

New site system server: On the Home tab, in the Create group, click Create Site System Server to start the Create Site System Server Wizard. Existing site system server: Click the server on which you want to install the Windows Intune connector role. Then, on the Home tab, in the Server group, click Add Site System Roles to start the Add Site system Roles Wizard.

4. On the System Role Selection page, select Windows Intune Connector, and click Next. 5. Complete the wizard.

Mobile Device Enrollment

Enrollment establishes a relationship between the user, the device, and the Windows Intuneservice. Users enroll their own mobile devices. Android devices are not enrolled, but can be managed by using the Exchange Server connector. The following sections describe enrollment for Windows Phone 8, Windows RT, and iOS.

Windows Phone 8 Enrollment

For Windows Phone 8, users start enrollment from the Windows Phone 8 device by going to system settings and selecting company apps. The following processes then occur: 1. Users are asked to provide their Active Directory credentials for service. Users enroll their own mobile devices. Android devices are not enrolled, but can be managed by using the Exchange Server connector. The following sections describe enrollment for r authentication. When authentication is successful, Windows Intune establishes a relationship between the user and the Windows Phone 8 device. 2. A certificate is installed on the device for authentication between the device and the Windows Intune service. 3. Users must select Install company app or Hub to let their device be managed. Important If users do not select this option, they cannot download the company portal. If the Windows Phone 8 company portal is not installed during enrollment, or if users uninstall the company portal, users must retire their mobile device and re-enroll it. Or, you can make the company portal file available by sending users a link in an email. 4. The company portal is installed on the device. Inventory is collected; management settings are applied, and users now have access to line-of-business apps that you make available to them.

Windows RT Enrollment
For Windows RT, users start enrollment from the Windows RT device. The following processes occur: 1. On the Windows RT device, users select Start, and type System Configuration, and open the Company Apps dialog box.
2559

2. The users enter their company credentials and are authenticated. A relationship between the users, the Windows RT device and the Windows Intune service is established. 3. Windows Intune collects inventory and applies management settings. Users now have access to line-of-business apps and direct links to the app store through the company portal.

iOS Enrollment
For iOS, enrollment is as follows: 1. You begin enrollment by sending an email invitation to the user. The email invitation includes a link to the enrollment portal, manage.microsoft.com. 2. The users are asked for their company credentials to begin the enrollment process. 3. As soon as authentication is successful, a relationship between the user, the iOS device and the Windows Intune service is established. 4. Windows Intune collects inventory and applies management settings. The user now has access to line-of-business apps and direct links to the app store through the company portal.

Device Life-cycle Management

You can retire, block, wipe, or delete devices. The following table lists the management functions for each platform and compares these to the management functions that the Exchange Server connector supports. Because you cannot enroll Android devices by using the Windows Intune connector, you must use the Exchange Server connector to remove, block, wipe, or delete these devices. For more information about how to manage mobile devices by using the Exchange Server connector, see How to Manage Mobile Devices by Using the Exchange Server Connector in Configuration Manager.
Management function Windows Phone 8 Windows RT iOS Exchange Server connector

Retire: Removes the device from Configuration Manager and leaves personal settings and data unchanged on the device.

Yes Line-of-business apps are uninstalled, which includes the company portal app. User settings are retained.

Yes Removes the Windows RT sideloading keys. Without the sideloading keys, sideloaded apps will no longer run. User settings are retained. Note When an RT

Yes Installed apps will still run.

Yes Installed apps will still run. User settings are removed.

2560

Management function

Windows Phone 8

Windows RT

iOS

Exchange Server connector

device is retired, users can still use company apps until the next update. The update occurs every 24 hours for Windows RT devices. Block: Blocks the client from communicating with the hierarchy. Clients can be unblocked. Wipe: Deletes all data, and reverts to the manufacturers defaults. You can issue a remote wipe command by using the Configuration Manager console. Or, the user can wipe the device by using the Application Catalog or any company portal except the Windows Phone 8 company portal. Yes Yes Yes Not available

Yes

Not available

Yes

Exchange ActiveSync mailbox removal only

Delete: Deletes the Yes mobile device permanently from the hierarchy so that the device is no

Yes

Yes

Not available

2561

Management function

Windows Phone 8

Windows RT

iOS

Exchange Server connector

longer managed. No data is removed from the device. After the device is deleted, the user has to re-enroll.

To retire, block, or wipe a mobile device 1. In the Configuration Manager console, click Assets and Compliance and select Devices. 2. Select a device and then select the action that you want to take.

Compliance Settings for Mobile Devices

You can control compliance settings, such as password policy, for mobile devices by using the Windows Intune connector.

Applying Compliance Settings by Using the Windows Intune Connector

Create configuration items to define configurations that you want to manage and assess for compliance on mobile devices. The steps you have to take to manage compliance settings are as follows.
Step Description

Step 1: Create a configuration item for mobile devices.

To create configuration items for mobile devices that you enroll by using the Windows Intune connector, see How to Create Mobile Device Configuration Items for Compliance Settings in Configuration Manager. For more information about how to create the configuration baseline, see How to Create Configuration Baselines for Compliance Settings in Configuration Manager. After a configuration baseline is created, you can apply it to a user or device collection. If you
2562

Step 2: Create a configuration baseline.

Step 3: Deploy the configuration baseline.

Step

Description

apply the settings to a user collection, the compliance settings are applied to all the enrolled devices for those users. For more information, see How to Deploy Configuration Baselines in Configuration Manager.

Compliance Settings for Devices That Are Enrolled by the Windows Intune Connector
You can ensure that users comply with basic security settings by using compliance settings. The following table lists the compliance settings available to Windows Phone 8, Windows RT, and iOS devices. For Android devices, you can use the Exchange server connector for basic security settings.
Compliance setting Windows Phone 8 Windows RT iOS

Require password settings on mobile devices Minimum password length (characters) Idle time before mobile device is locked Number of passwords remembered Password expiration in days Password complexity Number of failed logon attempts before device is wiped Removable storage Camera File encryption on mobile device

Yes

No

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes Yes

No Yes

Yes Yes

Yes No Yes

No No No

No Yes No

2563

App Management for Mobile Devices

Mobile apps that you deploy appear in the company portal. Users can decide whether to download the apps to their devices. Use the information in the following sections to help you create and deploy applications to mobile devices.

Create an application for Windows Phone 8 devices

For Windows Phone 8 devices, you can deploy apps or you can deploy links to apps in the Windows Phone Store. To deploy apps to Windows Phone 8, you must select Windows Phone 8 devices when you configure the Windows Intune subscription. To create an application for a line-of-business app for Windows Phone 8 devices 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Application Management, and then click Applications. 3. In the Home tab, in the Create group, click Create Application. 4. On the General page of the Create Application Wizard, select Automatically detect information about this application from installation files. 5. In the Type drop-down list, select Windows Phone app package (*.xap file). 6. Click Browse to select the Windows Phone app package you want to import, and then click Next. 7. On the General Information page of the wizard, enter the descriptive text and category information that you want users to see in the company portal. 8. Complete the wizard. The new application is displayed in the Applications node of the Software Library workspace. To create an application containing a link to the Windows Phone Store for Windows Phone 8 devices 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Application Management, and then click Applications. 3. In the Home tab, in the Create group, click Create Application. 4. On the General page of the Create Application Wizard, select Automatically detect information about this application from installation files. 5. In the Type drop-down, select Windows Phone app package (in the Windows Phone Store) 6. Click Browse to open the Windows Phone Store, select the app you want to include, and then click Next. 7. On the General Information page, enter the descriptive text and category information that you want users to see in the company portal.
2564

8. Complete the wizard. The new application is displayed in the Applications node of the Software Library workspace.

Create an application for Windows RT devices

For Windows RT devices, you can deploy line-of-business apps or you can deploy links to apps in the Windows Store. To deploy apps to Windows RT devices, you must specify Windows RT devices in the Create Windows Intune Subscription Wizard. To create an application for sideloading a line-of-business app for Windows RT 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Application Management, and then click Applications. 3. In the Home tab, in the Create group, click Create Application. 4. On the General page of the Create Application Wizard, select Automatically detect information about this application from installation files. 5. In the Type drop-down, select Windows app package (*.appx file). 6. Click Browse, select the signed .appx program file that you want to include, and then click Next. 7. On the General Information page, enter the descriptive text and category information that you want users to see in the company portal. 8. Complete the wizard. The new application is displayed in the Applications node of the Software Library workspace.

Create an application containing a link to the Windows Store for Windows RT devices
To create a link to the Windows Store for Windows RT, the app must be installed on a Windows 8 computer. You must first configure WinRM for HTTPS on the Windows 8 computer. Configure WinRM for HTTPS for the Windows 8 computer that has the app installed 1. Create an HTTPS-based listener by running winrm qc Transport:HTTPS. 2. Run the command enable-psremoting to allow PowerShell remoting. 3. Run the command winrm delete winrm/config/Listener?Address=*+Transport=HTTP to remove the HTTP-based listener that was automatically created by the enablepsremoting command. 4. Open Windows Firewall and add an inbound rule for port 5986, which is the default HTTPS port for Windows Remote Management (WinRM).

2565

To create an application containing a link to the Windows Store for Windows RT 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Application Management, and then click Applications. 3. In the Home tab, in the Create group, click Create Application. 4. On the General page of the Create Application Wizard, select Automatically detect information about this application from installation files. 5. In the Type dropdown, select Windows app package (in the Windows Store) 6. Click Browse and then, in the Browse Windows App Packages dialog box, connect to a computer that runs Windows 8 and that has the required app installed, select the app, and then click Next. 7. On the General Information page, enter the descriptive text and category information that you want users to see in the company portal. 8. Complete the wizard. The new application is displayed in the Applications node of the Software Library workspace.

Create an application for iOS devices

For devices that run iOS, you can deploy line-of-business apps or you can deploy links to apps on the App store. To create an application for sideloading a line-of-business app for iOS devices 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Application Management, and then click Applications. 3. In the Home tab, select Create group, and then click Create Application. 4. On the General page of the Create Application Wizard, select Automatically detect information about this application from installation files. 5. In the Type drop-down list, select App Package for iOS (*.ipa file). 6. Click Browse, select the signed application (*.ipa) file that you want to include, and then click Next. 7. On the General Information page, enter the descriptive text and category information that you want users to see in the company portal. 8. Complete the wizard. The new application is displayed in the Applications node of the Software Library workspace. To create an application containing a link to the App Store for iOS devices

2566

1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Application Management, and then click Applications. 3. In the Home tab, in the Create group, click Create Application. 4. On the General page of the Create Application Wizard, select Automatically detect information about this application from installation files. 5. In the Type dropdown, select App Package for iOS from App Store . 6. Click Browse, select the app you want to include, and then click Next. 7. On the General Information page, enter the descriptive text and category information that you want users to see in the company portal. 8. Complete the wizard. The new application is displayed in the Applications node of the Software Library workspace.

Create an application for Android devices

For Android devices, you can deploy apps or you can deploy links to Google Play by using the company portal. To create an application for sideloading a line-of-business app for Android devices 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Application Management, and then click Applications. 3. In the Home tab, in the Create group, click Create Application. 4. On the General page of the Create Application Wizard, select Automatically detect information about this application from installation files. 5. In the Type drop-down, select App Package for Android (*.apk file). 6. Click Browse, select the .apk program file you want to include, and then click Next. 7. On the General Information page, enter the descriptive text and category information that you want users to see in the company portal. Note If you create more than one deployment type for the same app, only the deployment type with the highest priority will be displayed in the company portal. 8. Complete the wizard. The new application is displayed in the Applications node of the Software Library workspace. To create an application containing a link to Google Play 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Application Management, and then click
2567

Applications. 3. In the Home tab, in the Create group, click Create Application. 4. On the General page of the Create Application Wizard, select Automatically detect information about this application from installation files. 5. In the Type drop-down, select App Package for Android in Google Play. 6. Click Browse, select the app you want to include, and then click Next. 7. On the General Information page, enter the descriptive text and category information that you want users to see in the company portal. 8. Complete the wizard. The new application is displayed in the Applications node of the Software Library workspace.

Supercedence
Supersedence works the same for mobile apps as it does for other apps. For more information about superseding applications, see How to Use Application Supersedence in Configuration Manager. Note For Windows Phone 8 devices, if you update the company portal app, you must update to the most recent company portal app in the Windows Subscription Wizard after you supersede the older version of the company portal with a new version.

Approval for Apps

A user can only request approval to download an app from a Windows-based computer or a Windows RT device. If you deploy an app that requires approval from an administrative user, the user must request approval from the Application Catalog on a Windows-based computer. As soon as the user requests approval, the app appears in the company portal.

Requirement Rules
Requirements rules specify conditions that must be met before a deployment type can be installed on a client device. The requirements that are specific to mobile devices are listed in the following table:
Platform Requirements available

Windows Phone 8 Windows RT

Not available Windows 8 operating system version and language requirements are supported. Important
2568

Platform

Requirements available

If you create a deployment type for a Windows app package (*.appx file) file with any additional requirements, you will not be able to deploy the app to Windows RT devices. iOS iOS operating system, language requirements, and chassis (iPad or iPhone) are supported. Not available

Android

For more information about requirements, see the Step 6: Specify Requirements for the Deployment Type section in the How to Create Deployment Types in Configuration Manager topic.

Deploying an Application to Mobile Devices

After you have created a deployment type, you can deploy the app to mobile devices. Deploying the app will make the app available to users on the company portal. To deploy an application to mobile devices 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Application Management, and then click Applications. 3. In the Applications list, select the application that you want to deploy, on the Home tab, in the Deployment group, click Deploy. 4. On the General page of the Deploy Software Wizard, specify the following information: a. Software To display the applications that you want to deploy. You can click Browse to select a different application to deploy. b. Collection Click Browse and select the collection that you selected for enablement in the Windows Intune Subscription Wizard. Important Selecting the device collection All Mobile Devices will not deploy apps to iOS, Android, Windows Phone 8, or Windows RT. You must select the same user collection or a subset of the user collection that you selected in the Windows Intune Subscription Wizard. 5. Click Next. 6. On the Content page of the wizard, select Manage.Microsoft.com as your distribution point. Click Next. 7. On the Deployment Settings page of the Deploy Software Wizard, specify the following information:
2569

a. Action From the drop-down list, select Install to install the application. b. Purpose From the drop-down list, select Available. When you manage mobile devices by using the Windows Intune connector, apps must be configured as Available and do not support Required. 8. Complete the wizard by specifying your preferred setting for the alerts and scheduling pages. The User Experience page is not relevant to mobile devices.

Expired Certificates for Mobile Device Apps

On iOS, Windows Phone 8, and Windows RT, if the certificate that is used to sign apps expires, apps are no longer available for users to download.
Platform Expired certificate consequences Resolution

iOS

Users can no longer install apps

Renew the APNs certificate and locate the Windows Intune Subscription iOS page to upload the new certificate. The new certificate must be created by using the same ID as the original certificate or devices have to be enrolled again.

Windows Phone 8

Users can no longer install apps

Renew the code signing certificate and go the Windows Intune Subscription page to upload the certificate. All apps signed with the previous certificate and the new certificate will run. Renew the code signing certificate and open the Windows Intune Subscription Wizard Windows RT page to upload the new certificate.

Windows RT

Users can no longer install apps

Hardware Inventory
You can inventory the following hardware properties by using the Windows Intune connector. For information about how to configure hardware inventory, see How to Configure Hardware Inventory in Configuration Manager.
2570

Hardw are Invent ory Class

Windows Phone 8

Windows RT

iOS

Avail able by usin g the Exch ange Serv er conn ector

Name

Device_ComputerSyste m.DeviceName Device_ComputerSyste m.DeviceClientID

Device_ComputerSystem. DeviceName Device_ComputerSystem. DeviceName

Device_ComputerSystem. DeviceName Device_ComputerSystem. UDID

Yes

Uniqu e Devic e ID Serial Numb er Email Addre ss Opera ting Syste m Type Opera ting Syste m Versio n Build Versio n Servic

Yes

Not applicable

Not applicable

Device_ComputerSystem. SerialNumber

No

Device_Email.OwnerE mailAddress

Device_Email.OwnerEmai lAddress

Device_Email.OwnerEmail Address

Yes

Device_OSInformation. Platform

CCM_OperatingSystem .SystemType

Not applicable

Yes

Device_ComputerSyste m.SoftwareVersion

Win32_OperatingSystem. Version

evice_OSInformation.OSV ersion

Yes

Not applicable

Win32_OperatingSystem. BuildNumber

Not applicable

No

Not applicable

Win32_OperatingSystem.

Not applicable

No
2571

Hardw are Invent ory Class

Windows Phone 8

Windows RT

iOS

Avail able by usin g the Exch ange Serv er conn ector

e Pack Major Versio n Servic e Pack Minor Versio n Opera ting Syste m Langu age Not applicable

ServicePackMajorVersion

Win32_OperatingSystem. ServicePackMinorVersion

Not applicable

Yes

Device_OSInformation. Language

Not applicable

Not applicable

No

Total Not applicable Storag e Space Free Not applicable Storag e Space Intern Not applicable ational Mobile Equip

Win32_PhysicalMemory.C Device_Memory.DeviceCa apacity pacity

No

Win32_OperatingSystem. FreePhysicalMemory

Device_Memory.Available DeviceCapacity

No

Not applicable

Device_ComputerSystem.I Yes MEI

2572

Hardw are Invent ory Class

Windows Phone 8

Windows RT

iOS

Avail able by usin g the Exch ange Serv er conn ector

ment Identit y or IMEI (IMEI) Mobile Not applicable Equip ment Identifi er (MEID ) Manuf acture r Model Device_ComputerSyste m.DeviceManufacturer Not applicable Device_ComputerSystem. MEID No

Win32_ComputerSystem. Manufacturer

Not applicable

No

Device_ComputerSyste m.DeviceModel Not applicable

Win32_ComputerSystem. Model Not applicable

ModelName

Yes

Phone Numb er Subsc riber Carrie r Cellul ar Techn ology

Device_ComputerSystem. PhoneNumber

Yes

Not applicable

Not applicable

Device_ComputerSystem. SubscriberCarrierNetwork

Yes

Not applicable

Not applicable

Device_ComputerSystem. CellularTechnology

No

2573

Hardw are Invent ory Class

Windows Phone 8

Windows RT

iOS

Avail able by usin g the Exch ange Serv er conn ector

Wi-Fi MAC

Not applicable

Win32_NetworkAdapter.M ACAddress

Device_WLAN.WiFiMAC

No

See Also
Operations and Maintenance for Client Deployment in Configuration Manager

Example Scenario for Managing Applications by Using Configuration Manager

Note This topic appears in the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide and in the Scenarios and Solutions Using System Center 2012 Configuration Manager guide. This topic provides an example scenario for how you can use System Center 2012 Configuration Manager to manage applications in your enterprise. It covers the lifecycle of the application deployment: The initial creation and testing to deploy the application; updating the deployed application to a later version; and the removal of the application from computers on the production network. John is the Configuration Manager administrator at Woodgrove Bank who must deploy the latest version of Microsoft Visio to 200 users, according to the following requirements: He must install the application only to computers that run Windows 7. For performance reasons, only computers with more than 4 GB of RAM must install this application. If computers have less than 4 GB RAM, they must run the virtual version of the application. A company specific application, Woodgrove.msi, must be installed on all company computers before installing the application.
2574

If the application is installed on a computer that is not the users primary computer, a virtual version of the application must be installed. Computers that run Windows Server must not install Microsoft Visio and the Woodgrove.msi application. The application must also be made available to users to install on-demand to other computers in the organization.

The following sections in this topic provide example steps for how to use Configuration Manager to create, deploy, and manage applications in your organization: Preparation Step 1: Create and deploy the Woodgrove.msi application Step 2: Create an application for Microsoft Visio Step 3: Create multiple deployment types for the Microsoft Visio application Step 4: Test the application by using a simulated deployment Step 5: Deploy the Microsoft Visio application Step 6: Supersede the Microsoft Visio application Step 7: Remove the Microsoft Visio application

Preparation
Before John can manage applications by using Configuration Manager, he takes the actions outlined in the following table.
Process Reference

John reviews the available information about the basic concepts for application management in Configuration Manager. John reviews and implements the required prerequisites to deploy applications.

For overview information about application management, see Introduction to Application Management in Configuration Manager. For information about the prerequisites for application management, see Prerequisites for Application Management in Configuration Manager. For information about how to configure the Application Catalog and Software Center, see Configuring the Application Catalog and Software Center in Configuration Manager.

John configures and tests the Application Catalog and Software Center, which allow users to browse for and install software.

2575

Step 1: Create and deploy the Woodgrove.msi application

The application named Woodgrove.msi must be installed on all computers in the company, except for servers. To create this application in Configuration Manager, John takes the actions outlined in the following table.
Process Reference

From the Configuration Manager console, John runs the Create Application Wizard.

For information about how to start the Create Application Wizard, see the Step 1: Start the Create Application Wizard section in the How to Create Applications in Configuration Manager topic. For information about how to automatically detect information about the application from the application installation files, see the To automatically detect application information section in the How to Create Applications in Configuration Manager topic.

To automatically populate the wizard with information about the Woodgrove.msi installation file, John selects the installation file type Windows Installer (Native). He then reviews the information that has been read from the application installation file and provides further information on the General page of the Create Application Wizard. John names the application Woodgrove Business Application. John completes the wizard. The new application and a deployment type (named Woodgrove MSI) for the application is created and displayed in the Applications node of the Software Library workspace. John starts the Distribute Content Wizard in order to copy the application content to the required distribution points in the Woodgrove Bank hierarchy. He uses the Content Status node in the Monitoring workspace to confirm that the content for the application has been successfully distributed.

For information about the Distribute Content Wizard, see the Distribute Content on Distribution Points section in the Operations and Maintenance for Content Management in Configuration Manager topic. For information about how to monitor the distribution of application content, see the Content Status Monitoring section in the Operations and Maintenance for Content Management in Configuration Manager topic. For information about how to create collections, see How to Create Collections in Configuration
2576

John creates a device collection that contains all computers that run a desktop operating

Process

Reference

system in the Woodgrove Bank hierarchy. He names this collection All Desktop and Laptop Computers. John uses the Deploy Software Wizard to deploy the application to the All Desktop and Laptop Computers collection by using the following parameters: Deployment action - Install Deployment purpose Required

Manager

For information about how to deploy applications, see How to Deploy Applications in Configuration Manager.

John monitors the deployment of Woodgrove.msi to ensure that it is successfully installed on all computers in the All Desktop and Laptop Computers collection.

For more information about how to monitor application deployments, see How to Monitor Applications in Configuration Manager.

Step 2: Create an application for Microsoft Visio

John must now create an application for Microsoft Visio. To create this application in Configuration Manager, John takes the actions outlined in the following table.
Process Reference

From the Configuration Manager console, John runs the Create Application Wizard.

For information about how to start the Create Application Wizard, see the Step 1: Start the Create Application Wizard section in the How to Create Applications in Configuration Manager topic. For information about how to automatically detect information about the application from the application installation files, see the To automatically detect application information section in the How to Create Applications in Configuration Manager topic.

John uses the Create Application Wizard to create a new application named Microsoft Visio (Woodgrove Bank). He selects the option to automatically detect application information from the Windows Installer (.msi) file for Microsoft Visio. John completes the wizard. The new application and a deployment type for the application is created and displayed in the Applications node of the Software Library workspace. John opens the properties for the Microsoft Visio (Woodgrove Bank) application and

For information about deployment type requirements, see the Step 6: Specify
2577

Process

Reference

clicks the Deployment Types tab. He then selects the deployment type that was just created, and clicks Edit. On the Requirements tab of the <deployment type> Properties dialog box, John configures the following requirements: Category: Device, Condition: Total physical memory, Operator: Greater than or equal to, Value (MB): 4000 This requirement ensures that the deployment type can be installed only on computers with more than 4 GB RAM. Category: Device, Condition: Operating system, Operator: One of, Windows 7 This requirement ensures that the deployment type can be installed only on computers that run Windows 7. Note This requirement also prevents the deployment type from installing on computers that run Windows Server. Category: User, Condition: Primary Device, Operator: Equals, Value: True This requirement ensures that the Windows Installer deployment type can run only on the user's primary device.

Requirements for the Deployment Type section in the How to Create Deployment Types in Configuration Manager topic.

On the Dependencies tab of the <deployment type> Properties dialog box, John configures the following dependency: Dependency group name Woodgrove Visio Applications. Application Woodgrove Business Application Supported Deployment Types Woodgrove MSI

For more information about dependencies, see the Step 7: Specify Dependencies for the Deployment Type section in the How to Create Deployment Types in Configuration Manager topic.

John also selects the Auto Install check box to ensure that the Woodgrove.msi business application will automatically install on any computer, if required, before installing Microsoft
2578

Process

Reference

Visio.

Step 3: Create multiple deployment types for the Microsoft Visio application
For John's business purposes, he requires two deployment types: The MSI deployment type that locally installs the application, and a virtual deployment type. John creates a deployment type for the Microsoft Visio virtual application by taking the actions outlined in the following table.
Process Reference

John uses the Microsoft Application Virtualization (App-V) Sequencer to create a virtual application for Microsoft Visio. John opens the Applications node in the Software Library workspace and selects the Microsoft Visio (Woodgrove Bank) application. Then, on the Home tab, in the Application group, he clicks Create Deployment Type. To automatically populate the wizard with information about the virtual application, John selects the installation file type Microsoft Application Virtualization and then browses to the XML manifest file for the Microsoft Visio virtual application. On the Requirements page of the Create Deployment Type Wizard, John configures the following requirements: Category: Device, Condition: Total physical memory, Operator: Greater than or equal to, Value (MB): 4000 This requirement ensures that the deployment type can be installed only on computers with more than 4 GB RAM. Category: Device, Condition: Operating system, Operator: One of, Windows 7 This requirement ensures that the deployment type can be installed only on

For more information, see the topic How to Sequence a New Application (App-V 4.6) in the Application Virtualization documentation. For more information about how to create deployment types, see How to Create Deployment Types in Configuration Manager.

For information about deployment type requirements, see the Step 6: Specify Requirements for the Deployment Type section in the How to Create Deployment Types in Configuration Manager topic.

2579

Process

Reference

computers that run Windows 7. Note This requirement also prevents the deployment type from installing on computers that run Windows Server. Category: User, Condition: Primary Device, Operator: Equals, Value: False This requirement ensures that the virtual application deployment type will run only on devices that are not the users primary device. For more information about application dependencies, see the Step 7: Specify Dependencies for the Deployment Type section in the How to Create Deployment Types in Configuration Manager topic.

On the Dependencies tab of the <deployment type> Properties dialog box, John configures the following dependency: Dependency group name Woodgrove Visio Applications. Application Woodgrove Business Application Supported Deployment Types Woodgrove MSI

John also selects the Auto Install check box to ensure that the Woodgrove.msi business application will automatically install on any computer, if required, before installing Microsoft Visio. John starts the Distribute Content Wizard to copy the application content to the required distribution points in the Woodgrove Bank hierarchy. He then uses the Content Status node in the Monitoring workspace to confirm that the content for the application has been successfully distributed. For information about the Distribute Content Wizard, see the Distribute Content on Distribution Points section in the Operations and Maintenance for Content Management in Configuration Manager topic. For information about how to monitor the distribution of application content, see the Content Status Monitoring section in the Operations and Maintenance for Content Management in Configuration Manager topic.

2580

Step 4: Test the application by using a simulated deployment

Before John deploys the Microsoft Visio application, he wants to test the deployment to find out how many computers will install local and virtual copies of Microsoft Visio. He also wants to determine how many computers do not meet the requirements to install the application. In order to obtain this information, John configures a simulated deployment by taking the actions outlined in the following table.
Process Reference

John creates two new user collections. The first collection is named Required Visio Installation. It contains the names of the 200 users who must have Visio installed. The second collection, named Optional Visio Installation, contains all users. In this second collection, John adds a new exclude collection rule so that the members of the Required Visio Installation collection will be excluded from this collection. John runs the Simulate Application Deployment Wizard. He creates a simulated deployment with an action of Install and deploys it to the Required Visio Installation collection. He then creates a second simulated deployment by using the same parameters to the Optional Visio Installation collection. John examines the status of each simulated deployment in the Deployments node of the Monitoring workspace. These deployments are listed with a purpose of Simulate. He discovers that about ten percent of the computers do not meet the requirements to install Microsoft Visio and he reports this information to his manager.

For more information about how to create user collections, see the To create a user collection section in the How to Create Collections in Configuration Manager topic.

For more information about simulated application deployments, see How to Simulate an Application Deployment in Configuration Manager.

For more information about how to monitor application deployments, see How to Monitor Applications in Configuration Manager.

2581

Step 5: Deploy the Microsoft Visio application

John is now ready to deploy the new Microsoft Visio application. To accomplish this, he takes the actions outlined in the following table.
Process Reference

John uses the Deploy Software Wizard to create two deployments of the Microsoft Visio application: Deployment 1 to the Required Visio Installation collection with an action of Install and a purpose of Required. Deployment 2 to the Optional Visio Installation collection with an action of Install and a purpose of Available.

For information about how to deploy applications, see How to Deploy Applications in Configuration Manager.

John regularly monitors both of these For more information about how to monitor deployments of Microsoft Visio. He can application deployments, see How to Monitor troubleshoot any problems that might occur by Applications in Configuration Manager. using the information in the Deployments node of the Monitoring workspace. John is able to report to his managers at Woodgrove Bank that the Microsoft Visio deployment has been successful.

Step 6: Supersede the Microsoft Visio application

A new version of Microsoft Visio is released and Woodgrove Bank decides to upgrade all installed copies of the software to the new version. To accomplish this task, John takes the actions outlined in the following table.
Process Reference

John deletes the current deployments of the Microsoft Visio application.

For information about how to delete an application deployment, see How to Deploy Applications in Configuration Manager. For more information, see Step 3: Create multiple deployment types for the Microsoft Visio application in this topic.

John creates deployment types for the new versions in the Microsoft Visio application for the full installation of Microsoft Visio and for a virtual installation of Microsoft Visio. John adds two new supersedence relationships: One for the full installation of

For more information about superseding applications, see How to Use Application
2582

Process

Reference

Microsoft Visio and one for the virtual installation. He also selects the option to uninstall the previous versions.

Supersedence in Configuration Manager.

John redeploys the Microsoft Visio application For information about how to deploy an to computers in the Woodgrove Bank hierarchy. application, see How to Deploy Applications in Configuration Manager. John monitors the state of these application deployments and is able to report to his manager that the new version of Microsoft Visio has been successfully deployed. For more information about how to monitor application deployments, see How to Monitor Applications in Configuration Manager.

Step 7: Remove the Microsoft Visio application

Woodgrove Bank decides that they no longer require Microsoft Visio to be installed on computers in their hierarchy. They ask John to remove all copies of the software from computers in the company. To accomplish this, he takes the actions outlined in the following table.
Process Reference

John deletes all deployments of the Microsoft Visio application.

For information about how to delete an application deployment, see How to Deploy Applications in Configuration Manager. For more information about deployment type options, see How to Create Deployment Types in Configuration Manager.

John checks the properties of each deployment type in the Microsoft Visio application. On the Programs tab of the Deployment Properties dialog box, he verifies that an uninstall program has been specified. John then deploys the Microsoft Visio application to all computers with an action of Uninstall and a purpose of Required. John monitors the application deployment and is able to report to his manager that all copies of Microsoft Visio have been removed from the computers at Woodgrove Bank.

For information about how to deploy an application, see How to Deploy Applications in Configuration Manager. For more information about how to monitor application deployments, see How to Monitor Applications in Configuration Manager.

See Also
Technical Reference for Application Management in Configuration Manager
2583

Example Scenario for Using Configuration Manager to Deploy and Monitor the Security Software Updates Released Monthly by Microsoft
Note This topic appears in the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide and in the Scenarios and Solutions Using System Center 2012 Configuration Manager guide. This topic provides an example scenario of how you can use software updates in Microsoft System Center 2012 Configuration Manager to deploy and monitor the security software updates that Microsoft releases monthly. In this scenario, John is the Configuration Manager administrator at Woodgrove Bank. John needs to create a software update deployment strategy with the following conditions and requirements: Active software update deployment occurs one week after Microsoft releases the security software updates on the second Tuesday of each month. This event is typically referred to as Patch Tuesday. Software updates are downloaded and staged on distribution points. Then a deployment is tested to a subset of clients before John fully deploys the software updates in his production environment. John must be able to monitor the software updates' compliance by month or by year.

This scenario assumes that the software update point infrastructure has already been implemented. Use the information in the following table to plan for and configure software updates in System Center 2012 Configuration Manager.
Process Reference

Review the key concepts for software updates.

Introduction to Software Updates in Configuration Manager Planning for Software Updates in Configuration Manager

Plan for software updates. This information helps you to plan for capacity considerations, determine the software update point infrastructure, software update point installation, synchronization settings, and client settings for software updates. Configure software updates. This information helps you to install and configure software update points in your hierarchy and helps to

Configuring Software Updates in Configuration Manager

2584

Process

Reference

configure and synchronize software updates. Important John configures the software updates synchronization schedule to occur on the second Wednesday of each month to ensure that he retrieves the latest security software updates from Microsoft.

The following sections in this topic provide example procedural steps to help you to deploy and monitor System Center 2012 Configuration Manager security software updates in your organization: Step 1: Create a Software Update Group for Yearly Compliance Step 2: Create an Automatic Deployment Rule for the Current Month Step 3: Verify That Software Updates Are Ready to Deploy Step 4: Deploy the Software Update Group Step 5: Monitor Compliance for Deployed Software Updates Step 6: Add Monthly Software Updates to the Yearly Update Group

Step 1: Create a Software Update Group for Yearly Compliance

John creates a software update group that he can use to monitor compliance for all of the security software updates that he releases in 2012. He performs the steps in the following table.
Process Reference

From the All Software Updates node in the Configuration Manager console, John adds criteria to display only security software updates that are released or revised in year 2012 that meet the following criteria: Criteria: Date Released or Revised Condition: is greater than or equal to specific date Value: 1/1/2012 Criteria: Update Classification

No additional information

2585

Process

Reference

Value: Security Updates Criteria: Expired Value: No John adds all of the filtered software updates to a new software update group with the following requirements: Name: Compliance Group - Microsoft Security Updates 2012 Description: Software updates For the steps to add software updates to an update group, see the Add Software Updates to an Update Group section in the Operations and Maintenance for Software Updates in Configuration Manager topic.

Step 2: Create an Automatic Deployment Rule for the Current Month

John creates an automatic deployment rule for the security software updates that are released by Microsoft for the current month. He performs the steps in the following table.
Process Reference

John creates an automatic deployment rule with For more information about creating an the following requirements: automatic deployment rule, see the Automatically Deploy Software Updates section 1. On the General tab, John configures the in the Operations and Maintenance for following: Software Updates in Configuration Manager He specifies Monthly Security topic. Updates for the name. He selects a test collection with limited clients. He selects Create a new Software Update Group. He verifies that Enable the deployment after this rule is run is not selected.

2. On the Deployment Settings tab, John selects the default settings. 3. On the Software Updates page, John configures the following property filters and search criteria: Date Released or Revised Last 1 month. Update Classification Security
2586

Process

Reference

Updates. 4. On the Evaluation page, John enables the rule to run on a schedule for the second Thursday of every month. John also verifies that his synchronization schedule is set to run on the second Wednesday of every month. 5. John uses the default settings on the Deployment Schedule, User Experience, Alerts, and Download Settings pages. 6. On the Deployment Package page, John specifies a new deployment package. 7. John uses the default settings on the Download Location and Language Selection pages.

Step 3: Verify That Software Updates Are Ready to Deploy

On the second Thursday of every month, John verifies that the software updates are ready to deploy. He performs the step in the following table.
Process Reference

John verifies that software updates synchronization completed successfully.

For more information about creating an automatic deployment rule, see the Automatically Deploy Software Updates section in the Operations and Maintenance for Software Updates in Configuration Manager topic.

Step 4: Deploy the Software Update Group

After John verifies that the software updates are ready to deploy, he deploys the software updates. He performs the steps in the following table.
Process Reference

John creates two test deployments for the new

For more information about how to deploy

2587

Process

Reference

software update group. He considers the following environments for each deployment: Workstation test deployment: John considers the following for the workstation test deployment: He specifies a deployment collection that contains a subset of workstation clients to verify the deployment. He configures the deployment settings that are appropriate for the workstation clients in his environment.

software updates, see the Deploy Software Updates section in the Operations and Maintenance for Software Updates in Configuration Manager topic.

Server test deployment: John considers the following for the server test deployment: He specifies a deployment collection that contains a subset of server clients to verify the deployment. He configures the deployment settings that are appropriate for the server clients in his environment. For more information about how to monitor a software update deployment, see the Monitor Software Updates section in the Operations and Maintenance for Software Updates in Configuration Manager topic. No additional information

John verifies that the test deployments have successfully deployed.

John updates the two deployments with new collections that include his production workstations and servers.

Step 5: Monitor Compliance for Deployed Software Updates

John monitors compliance of his software update deployments. He performs the step in the following table.
Process Reference

John monitors the software updates deployment status in the Configuration

For the steps to monitor a software update deployment, see the Monitor Software Updates
2588

Process

Reference

Manager console and checks the software update deployment reports available from the console.

section in the Operations and Maintenance for Software Updates in Configuration Manager topic.

Step 6: Add Monthly Software Updates to the Yearly Update Group

John adds the software updates from the monthly software update group to the yearly software update group. He performs the step in the following table.
Process Reference

John selects the software updates from the monthly software update group and adds the software updates to the software updates group that he created for yearly compliance. He tracks the software update compliance and creates various reports for his management.

For the steps to add software updates to an update group, see the Add Software Updates to an Update Group section in the Operations and Maintenance for Software Updates in Configuration Manager topic.

John has successfully completed his monthly deployment for security software updates. He continues to monitor and report on software update compliance to ensure that the clients in his environment are within acceptable compliance levels.

Recurring Monthly Process to Deploy Software Updates

After the first month that John deploys software updates, he performs steps three through six to deploy the monthly security software updates released by Microsoft.

See Also
Technical Reference for Software Updates in Configuration Manager

2589

Example Scenario for PXE-Initiated Operating System Deployment by Using Configuration Manager
Note This topic appears in the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide and in the Scenarios and Solutions Using System Center 2012 Configuration Manager guide. The example scenario in this topic describes how to deploy an operating system in System Center 2012 Configuration Manager. In this scenario, Adam, the Configuration Manager administrative user for Trey Research, must upgrade the operating system to Windows 7 on several Windows XP computers. In this scenario, Adam does not have to save the user data from the computers that will receive the new operating system because. Trey Research has a policy to store all user data on network shares.

Deployment Process
To capture and deploy the operating system, Adam follows the process described in the following table.
Process More information

As he plans for the deployment, Adam makes the following decisions: He plans to use PXE to deploy the new operating system. He will install and configure Windows 7 on a computer that has no operating system installed. Then, he will use capture media to capture the operating system image. The capture media will use a USB flash drive to store his capture media. He will use the boot images that are supplied by Configuration Manager. He must distribute the boot images that start the reference computer in order to capture the operating system image and to start the destination computers to install the operating system.

For more information about PXE deployments, see Planning for PXE-Initiated Operating System Deployments in Configuration Manager. For more information about planning how to capture the operating system image, see Planning for Capturing Operating System Images in Configuration Manager For more information about planning boot images deployments, see Planning for Boot Image Deployments in Configuration Manager

Adam obtains a computer that has no operating For more information about planning how to
2590

Process

More information

system installed. He refers to this as a bare metal computer. This is his reference computer, which he configures as follows: He installs and configures Windows 7 to match his company requirements. He does not in